RE: Help me identify this IIS DoS attack

["Alex Boge" <alexb () callitechnic com>]

Thanks Tony:

I created the SynAttackProtect key and set it to 2 per recommendations
and it had no effect whatsoever. That's why I don't think it's really a
SynFlood. I'm seeing "ESTABLISHED" connection states, not SYN or SYN_ACK
or SYN_WAIT.

Alex

> -----Original Message-----
> From: YAO,TONY (HP-NewZealand,ex1) [mailto:tony_yao () hp com] 
> Sent: Thursday, October 17, 2002 12:11 AM
> To: 'Denis Dimick'; Alex Boge
> Cc: incidents () securityfocus com
> Subject: RE: Help me identify this IIS DoS attack
>
>
> There are some registry keys which can be set to deal with 
> network attack.
> Refer to Microsoft Knowledge Base article Q142641 for more 
> information.
>
> http://support.microsoft.com/default.aspx?scid=kb;en-us;Q142641
>
> Tony
> -----Original Message-----
> From: Denis Dimick [mailto:denis () dimick net]
> Sent: Thursday, 17 October 2002 12:03 p.m.
> To: Alex Boge
> Cc: incidents () securityfocus com
> Subject: Re: Help me identify this IIS DoS attack
>
>
>
> Sounds to me like one of your web sites is the target of a 
> DoS. This would 
> explain why your other servers are not being effected. It 
> also sounds like 
> the attacker is using fake IP's while trying to make the 
> attack. This is 
> explained by the "random" IP's you seeing trying to attach to 
> your server. 
> There is not a whole lot you can do about this, at least from 
> a network 
> side. Most of the "tools" cost a lot of money and are not 
> really that good 
> at stopping this type of attack, IMOA.
>
>  Maybe one of the Windows admins on the list can help out, as 
> maybe there 
> is some setting to add to the web server to drop the fake connections 
> before the server runs out of resources to serve-up the web pages. 
>
> Sorry, just a Linux/Apache guy..
>
> Denis
>
> On Wed, 16 Oct 2002, Alex Boge wrote:
>
> > First time poster (forgive any etiquette errors). 
> >
> > Situation: 
> > Got a NT4 server sitting on about 30 public IPs, IIS4 is 
> running small 
> > websites on each IP as well as POP3/SMTP mail. 
> >
> > As far as I can tell, it's fully patched up. Shavlik 
> HFNetChk tells me I'm
>
> > as current as can be expected. We've never been hit by 
> anything so much 
> > more than a few dozen CodeRed attempts. 
> >
> > Switched providers recently and suddenly we've been 
> experiencing what I'll
>
> > call DoS attacks against the IIS4 server. The W2K/IIS5 
> machines on the 
> > same address block are not affected. I cannot determine 
> what this attack 
> > is or how to deflect it - other than to manually route to 
> Null0 the source
>
> > IPs. 
> >
> > Observatation: 
> > I know things are amiss when I start getting calls saying 
> website X is not
>
> > responding - usually those that have an .ASP page as their 
> default page. 
> > Checking TCPView I can see 100s to 1000s of port 80 "ESTABLISHED" 
> > connections all coming from the same source IP. The 
> connects are usually 
> > about 10-50 to each IP, port 80, on the machine that hosts 
> a web service. 
> > Checking IIS logs I see NOTHING at all showing up. CPU 
> utilization is 
> > nothing. Memory usage is nothing. The machine is responsive 
> and all other 
> > services on the machine work just fine. Bandwidth 
> utilization is nothing. 
> > Just 1000s of port 80 "ESTABLISHED" connections. 
> >
> > Block the IP and eventually they fall off (or I can close them via 
> > TCPView). A few hours later I can unblock the IP and the 
> attacks are gone.
>
> > I've had about 15 of these in the last 10 days. All coming 
> from wildly 
> > random outside sources. I've tried to see what's on the 
> other end of the 
> > source IPs and the ones that give me something appear to be 
> IIS boxes. 
> > Request: 
> > Can someone offer me some directions to look to determine 
> what this is and
>
> > what I can do to defeat it? It's amazing to me that for 3 
> years I've been 
> > with one provider and NEVER had anything like this and in 
> the 10 days 
> > since I've switched I'm suddenly flooded. The attacks are 
> not coming from 
> > within the new providers network - they come from anywhere, US to 
> > Australia to Europe. 
> >
> > Thanks in advance - I hope I posted in the right way to the 
> right place. 
> > ab 
> --------------------------------------------------------------
> --------------
> > This list is provided by the SecurityFocus ARIS analyzer service.
> > For more information on this free incident handling, management 
> > and tracking system please see: http://aris.securityfocus.com
>
>
> --------------------------------------------------------------
> --------------
> This list is provided by the SecurityFocus ARIS analyzer service.
> For more information on this free incident handling, management 
> and tracking system please see: http://aris.securityfocus.com


----------------------------------------------------------------------------
This list is provided by the SecurityFocus ARIS analyzer service.
For more information on this free incident handling, management 
and tracking system please see: http://aris.securityfocus.com