Security Incidents mailing list archives
RE: Help me identify this IIS DoS attack
From: "Alex Boge" <alexb () callitechnic com>
Date: Thu, 17 Oct 2002 10:31:53 -0400
Hi: Well, according to my TCP monitor they do not appear to be coming from within the box. This box is regularly scanned against virus infection but obviously something could have slipped in under the radar. HOWEVER, something you wrote is got me thinking. Our previous provider had the router setup to block all port 137, 138, 139 traffic in both directions - this provider does not have these ports blocked. I'm going to do this and see what happens. THANKS! Alex
-----Original Message----- From: Marty Richards [mailto:marty () netwaynetworks com au] Sent: Thursday, October 17, 2002 12:48 AM To: 'alexb () callitechnic com' Subject: RE: Help me identify this IIS DoS attack Hi Alex, That behaviour sounds like a compromise - are you sure the connections aren't originating from your box? Probably worth checking in the directories under inetpub for unusual files... also check /temp and /recycled... Also, is it possible your last provider was blocking ports 135 -> 139 at their routers or something? You should have seen lots more than code red in the last few years. Cheers, Marty-----Original Message----- From: Alex Boge [mailto:alexb () callitechnic com] Sent: Thursday, October 17, 2002 7:28 AM To: incidents () securityfocus com Subject: Help me identify this IIS DoS attack First time poster (forgive any etiquette errors). Situation: Got a NT4 server sitting on about 30 public IPs, IIS4 is running small websites on each IP as well as POP3/SMTP mail. As far as I can tell, it's fully patched up. Shavlik HFNetChk tells me I'm as current as can be expected. We've never been hit by anything so much more than a few dozen CodeRed attempts. Switched providers recently and suddenly we've been experiencing what I'll call DoS attacks against the IIS4 server. The W2K/IIS5 machines on the same address block are not affected. I cannot determine what this attack is or how to deflect it - other than to manually route to Null0 the source IPs. Observatation: I know things are amiss when I start getting calls saying website X is not responding - usually those that have an .ASP page as their default page. Checking TCPView I can see 100s to 1000s of port 80 "ESTABLISHED" connections all coming from the same source IP. The connects are usually about 10-50 to each IP, port 80, on the machine that hosts a web service. Checking IIS logs I see NOTHING at all showing up. CPUutilization isnothing. Memory usage is nothing. The machine is responsive and all other services on the machine work just fine. Bandwidth utilization is nothing. Just 1000s of port 80 "ESTABLISHED" connections. Block the IP and eventually they fall off (or I can close them via TCPView). A few hours later I can unblock the IP and the attacks are gone. I've had about 15 of these in the last 10 days. All coming from wildly random outside sources. I've tried to see what's on the other end of the source IPs and the ones that give me something appear to be IIS boxes. Request: Can someone offer me some directions to look to determine what this is and what I can do to defeat it? It's amazing to me that for 3 years I've been with one provider and NEVER had anything like this and inthe 10 dayssince I've switched I'm suddenly flooded. The attacks are not coming from within the new providers network - they come from anywhere, US to Australia to Europe. Thanks in advance - I hope I posted in the right way to the right place. ab -------------------------------------------------------------- -------------- This list is provided by the SecurityFocus ARIS analyzer service. For more information on this free incident handling, management and tracking system please see: http://aris.securityfocus.comNetway Networks Pty Ltd (T) 8920 8877 (F) 8920 8866
---------------------------------------------------------------------------- This list is provided by the SecurityFocus ARIS analyzer service. For more information on this free incident handling, management and tracking system please see: http://aris.securityfocus.com
Current thread:
- Help me identify this IIS DoS attack Alex Boge (Oct 16)
- Re: Help me identify this IIS DoS attack Denis Dimick (Oct 16)
- RE: Help me identify this IIS DoS attack Bojan Zdrnja (Oct 17)
- RE: Help me identify this IIS DoS attack Bojan Zdrnja (Oct 17)
- <Possible follow-ups>
- RE: Help me identify this IIS DoS attack YAO,TONY (HP-NewZealand,ex1) (Oct 17)
- RE: Help me identify this IIS DoS attack Alex Boge (Oct 17)
- RE: Help me identify this IIS DoS attack Alex Boge (Oct 17)
- Re: Help me identify this IIS DoS attack Denis Dimick (Oct 16)