Security Incidents mailing list archives

RE: Help me identify this IIS DoS attack


From: "Bojan Zdrnja" <Bojan.Zdrnja () FER hr>
Date: Thu, 17 Oct 2002 10:34:25 +0200



-----Original Message-----
From: Denis Dimick [mailto:denis () dimick net]
Sent: 17 October 2002 1:03
To: Alex Boge
Cc: incidents () securityfocus com
Subject: Re: Help me identify this IIS DoS attack



Sounds to me like one of your web sites is the target of a DoS. This would
explain why your other servers are not being affected. It also sounds like
the attacker is using fake IPs while trying to make the attack. This is
explained by the "random" IPs you are seeing trying to attach to your server.

I don't think they are using fake IPs. As Alex said, he can see that
connections are established. If the attacker used fake IPs he would have to
spoof the entire 3-way handshake, which is a much more complicated thing to do
than a simple SYN flood, in which you usually use faked IPs.

There is not a whole lot you can do about this, at least from a network
side. Most of the "tools" cost a lot of money and are not really that good
at stopping this type of attack, IMOA.

A smart firewall should stop this after some threshold from a single IP is
reached.

Maybe one of the Windows admins on the list can help out, as maybe there
is some setting to add to the web server to drop the fake connections
before the server runs out of resources to serve-up the web pages.

As I said, I think those are legitimate connections. Maybe he can only limit
the number of connections coming from the same IP (which is also not the best
thing to do, as the IP can be a proxy which some organization can use).

Best regards,

Bojan Zdrnja


----------------------------------------------------------------------------
This list is provided by the SecurityFocus ARIS analyzer service.
For more information on this free incident handling, management 
and tracking system please see: http://aris.securityfocus.com
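
The distinction drawn in the reply above (completed handshakes versus half-open connections from spoofed sources) can be checked from the server's own connection table. The following is an added example, not code from the thread: the sample rows are constructed in the layout of `netstat -an`, and the function name, port and per-IP threshold are assumptions.

```python
import re
from collections import Counter

# Constructed sample in the layout of Windows `netstat -an`; addresses are
# documentation ranges, not data from the thread.
SAMPLE = """\
  TCP    0.0.0.0:80         0.0.0.0:0            LISTENING
  TCP    192.0.2.10:80      198.51.100.7:1042    ESTABLISHED
  TCP    192.0.2.10:80      198.51.100.7:1043    ESTABLISHED
  TCP    192.0.2.10:80      198.51.100.7:1044    ESTABLISHED
  TCP    192.0.2.10:80      198.51.100.7:1045    ESTABLISHED
  TCP    192.0.2.10:80      198.51.100.7:1046    ESTABLISHED
  TCP    192.0.2.10:80      203.0.113.20:3311    ESTABLISHED
  TCP    192.0.2.10:80      203.0.113.20:3312    ESTABLISHED
  TCP    192.0.2.10:80      203.0.113.99:2201    SYN_RECEIVED
  TCP    192.0.2.10:445     198.51.100.7:1050    ESTABLISHED
"""

ROW = re.compile(r"^\s*TCP\s+\S+:(\d+)\s+(\S+):\d+\s+(\S+)\s*$")
HALF_OPEN = {"SYN_RECEIVED", "SYN_RECV"}  # Windows and Linux spellings


def summarize(netstat_text, port=80, per_ip_limit=3):
    """Count completed vs half-open connections to `port`, per remote IP."""
    established, half_open = Counter(), Counter()
    for line in netstat_text.splitlines():
        m = ROW.match(line)
        if not m or int(m.group(1)) != port:
            continue
        remote_ip, state = m.group(2), m.group(3)
        if state == "ESTABLISHED":
            established[remote_ip] += 1
        elif state in HALF_OPEN:
            half_open[remote_ip] += 1
    est, half = sum(established.values()), sum(half_open.values())
    # A spoofed source never sees the SYN-ACK, so its connection stays
    # half-open; a completed handshake means the peer received the SYN-ACK.
    if est == 0 and half == 0:
        pattern = "none"
    else:
        pattern = "established" if est >= half else "half-open"
    over = sorted(ip for ip, n in established.items() if n > per_ip_limit)
    return {"established": est, "half_open": half,
            "pattern": pattern, "over_limit": over}


if __name__ == "__main__":
    print(summarize(SAMPLE))
```

An address on the over-limit list may be a shared proxy, as the reply points out, so it is a lead for review rather than a block list.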

