WebApp Sec mailing list archives
RE: Problems with IIS
From: "Stan Guzik" <SGuzik () ImmediaTech com>
Date: Thu, 15 Jul 2004 08:55:53 -0400
These symptoms also seem like application issues. In component services find the dll host that is taking up the 950mb of memory. Then click on the Status view to see how many components are activated. If this number is about <= 1,000 then you're probably not under a DDOS attach and it's an application issue. If this number is extremely high you may be under attach or you have a poorly written application. I my experience a well written application like your should only take about 50mb of memory. Also check the IIS and ASP performance counters. Check your ASP request queue. If it is high you may be running into blocking. The blocking may occur because of the SQL queries are taking a long time. Therefore also look for locking/blocking on the ms-sql server. In addition to checking the application, check your network usage patterns. If the usage patters have not changed in the past few months then its most like an app issue. If you see high network traffic when the CPU and memory jump then you may be under attach. -----Original Message----- From: sk3tch () sk3tch net [mailto:sk3tch () sk3tch net] Sent: Wednesday, July 14, 2004 1:37 PM To: leao () employer com br; webappsec () lists securityfocus com Subject: RE: Problems with IIS Have you verified with your developers that no new code updates have been pushed to production in the last few days? These symptoms are very similar to "normal" issues with flaky COM+ components...dllhost eating CPU and using tons of memory. Also, if you have 1,000 connections at any one time, dllhost using that amount of memory is relatively normal depending on what everyone is doing. In my experience, issues with dllhost spiraling out of control relate to an application issue most of the time. In one case, it ended up being an issue with a database query that a developer had pushed out. Since it didn't have adequate paramenters to "control" it - users were pulling ENTIRE record sets instead of being limited to a smaller subset at a time. If you're still determined it is an attack, you can try deploying URLScan for a period of time and then analyzing what it catches. Alternatively, (as you've already done) comb your IIS logs consistently. ________________________________ From: Marcelo LeĆ£o Caffaro [mailto:leao () employer com br] Sent: Wed 7/14/2004 6:25 AM To: webappsec () lists securityfocus com Subject: Problems with IIS <snip> I see in the last 2 days anormally of number visits of site, after check the log i see one dificult method of attack, this attack working with simultaneous connections, if i check the website database, can i see 30 or 50 querys to website database (ms-sql) , but in log in one second i have more than 30 ips, the log not contain know attack string, unicode, or another iis bug, the log have the url only.... My dll host stay with 950 mb and i have dllhost error, after reboot, in one or 2 seconds after network restart, the process cpu is 100%, i think this attack is about many bot making numerous querys in database to decrease the web performance.... <snip>
Current thread:
- Problems with IIS Marcelo Lećo Caffaro (Jul 14)
- Re: Problems with IIS Burak DAYIOGLU (Jul 14)
- Re: Problems with IIS Mark Burnett (Jul 14)
- .NET custom Textbox control Arian J. Evans (Jul 16)
- Re: Problems with IIS Roshen Chandran (Jul 15)
- Re: Problems with IIS Roshen Chandran (Jul 15)
- RE: Problems with IIS Dinis Cruz (Jul 15)
- RE: Problems with IIS Frank Knobbe (Jul 16)
- <Possible follow-ups>
- RE: Problems with IIS sk3tch (Jul 14)
- RE: Problems with IIS Marcelo VillalĆ³n Mendez (Jul 15)
- RE: Problems with IIS Stan Guzik (Jul 16)
- RE: Problems with IIS Dinis Cruz (Aug 11)
- RE: Problems with IIS Andrew van der Stock (Aug 11)