Security Incidents mailing list archives
RE: Help me identify this IIS DoS attack
From: "Alex Boge" <alexb () callitechnic com>
Date: Thu, 17 Oct 2002 10:30:21 -0400
Thanks Tony: I created the SynAttackProtect key and set it to 2 per recommendations and it had no effect whatsoever. That's why I don't think it's really a SynFlood. I'm seeing "ESTABLISHED" connection states, not SYN or SYN_ACK or SYN_WAIT.

Alex
-----Original Message-----
From: YAO,TONY (HP-NewZealand,ex1) [mailto:tony_yao () hp com]
Sent: Thursday, October 17, 2002 12:11 AM
To: 'Denis Dimick'; Alex Boge
Cc: incidents () securityfocus com
Subject: RE: Help me identify this IIS DoS attack

There are some registry keys which can be set to deal with network attacks. Refer to Microsoft Knowledge Base article Q142641 for more information.

http://support.microsoft.com/default.aspx?scid=kb;en-us;Q142641

Tony

-----Original Message-----
From: Denis Dimick [mailto:denis () dimick net]
Sent: Thursday, 17 October 2002 12:03 p.m.
To: Alex Boge
Cc: incidents () securityfocus com
Subject: Re: Help me identify this IIS DoS attack

Sounds to me like one of your web sites is the target of a DoS. This would explain why your other servers are not being affected. It also sounds like the attacker is using fake IPs while trying to make the attack. This is explained by the "random" IPs you're seeing trying to attach to your server.

There is not a whole lot you can do about this, at least from a network side. Most of the "tools" cost a lot of money and are not really that good at stopping this type of attack, IMOA.

Maybe one of the Windows admins on the list can help out, as maybe there is some setting to add to the web server to drop the fake connections before the server runs out of resources to serve up the web pages.

Sorry, just a Linux/Apache guy..

Denis

On Wed, 16 Oct 2002, Alex Boge wrote:

First time poster (forgive any etiquette errors).

Situation: Got a NT4 server sitting on about 30 public IPs, IIS4 is running small websites on each IP as well as POP3/SMTP mail. As far as I can tell, it's fully patched up. Shavlik HFNetChk tells me I'm as current as can be expected. We've never been hit by anything so much more than a few dozen CodeRed attempts.

Switched providers recently and suddenly we've been experiencing what I'll call DoS attacks against the IIS4 server. The W2K/IIS5 machines on the same address block are not affected. I cannot determine what this attack is or how to deflect it - other than to manually route to Null0 the source IPs.

Observation: I know things are amiss when I start getting calls saying website X is not responding - usually those that have an .ASP page as their default page. Checking TCPView I can see 100s to 1000s of port 80 "ESTABLISHED" connections all coming from the same source IP. The connects are usually about 10-50 to each IP, port 80, on the machine that hosts a web service. Checking IIS logs I see NOTHING at all showing up. CPU utilization is nothing. Memory usage is nothing. The machine is responsive and all other services on the machine work just fine. Bandwidth utilization is nothing. Just 1000s of port 80 "ESTABLISHED" connections. Block the IP and eventually they fall off (or I can close them via TCPView). A few hours later I can unblock the IP and the attacks are gone.

I've had about 15 of these in the last 10 days. All coming from wildly random outside sources. I've tried to see what's on the other end of the source IPs and the ones that give me something appear to be IIS boxes.

Request: Can someone offer me some directions to look to determine what this is and what I can do to defeat it? It's amazing to me that for 3 years I've been with one provider and NEVER had anything like this and in the 10 days since I've switched I'm suddenly flooded. The attacks are not coming from within the new provider's network - they come from anywhere, US to Australia to Europe.

Thanks in advance - I hope I posted in the right way to the right place.

ab

----------------------------------------------------------------------------
This list is provided by the SecurityFocus ARIS analyzer service.
For more information on this free incident handling, management and tracking system please see: http://aris.securityfocus.com
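The symptom in this thread (hundreds of fully ESTABLISHED port-80 connections from one remote address, nothing in the IIS logs, and no relief from SynAttackProtect) can be picked out of plain netstat output. The following is an added example, not code posted by anyone in the thread; it parses constructed Windows "netstat -an" style lines and reports remote IPs holding more than an assumed threshold of established connections to a local port, counting only completed handshakes so that half-open SYN_RECEIVED sockets, the case SynAttackProtect covers, do not inflate the count.

```python
import re
from collections import Counter

# Constructed sample of Windows "netstat -an" output; addresses are documentation ranges, not from the thread.
SAMPLE_NETSTAT = """\
  Proto  Local Address          Foreign Address        State
  TCP    192.0.2.10:80          198.51.100.7:3391      ESTABLISHED
  TCP    192.0.2.10:80          198.51.100.7:3392      ESTABLISHED
  TCP    192.0.2.11:80          198.51.100.7:3393      ESTABLISHED
  TCP    192.0.2.11:80          198.51.100.7:3394      ESTABLISHED
  TCP    192.0.2.12:80          198.51.100.7:3395      ESTABLISHED
  TCP    192.0.2.10:80          203.0.113.9:51234      ESTABLISHED
  TCP    192.0.2.10:80          203.0.113.9:51235      SYN_RECEIVED
  TCP    192.0.2.10:25          203.0.113.20:2500      ESTABLISHED
  TCP    192.0.2.10:80          0.0.0.0:0              LISTENING
"""

LINE_RE = re.compile(r"^\s*TCP\s+(\S+):(\d+)\s+(\S+):(\d+)\s+(\S+)\s*$")

def parse_netstat(text):
    """Return (local_ip, local_port, remote_ip, remote_port, state) for each TCP row."""
    rows = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:
            rows.append((m.group(1), int(m.group(2)), m.group(3), int(m.group(4)), m.group(5)))
    return rows

def established_by_source(rows, local_port=80):
    """Count ESTABLISHED connections to local_port, keyed by remote IP.
    SYN_RECEIVED rows are deliberately excluded: those are what SynAttackProtect
    addresses, whereas the thread's symptom is completed handshakes."""
    counts = Counter()
    for _lip, lport, rip, _rport, state in rows:
        if lport == local_port and state == "ESTABLISHED":
            counts[rip] += 1
    return counts

def suspicious_sources(rows, threshold=4, local_port=80):
    """Return (remote_ip, count) pairs at or above threshold, highest first.
    The threshold of 4 is an assumption for the sample; tune it per server."""
    counts = established_by_source(rows, local_port)
    return [(ip, n) for ip, n in counts.most_common() if n >= threshold]

if __name__ == "__main__":
    for ip, n in suspicious_sources(parse_netstat(SAMPLE_NETSTAT)):
        print(f"{ip}: {n} established connections to port 80")
```

A source that holds many established sockets while the IIS log shows no requests from it is worth correlating against the web log before blocking, since a legitimate busy client would leave log entries.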