RE: Problems with IIS

["Dinis Cruz" <dinis () ddplus net>]

Sorry about the delay in replying to this.

IIS 6.0 in W2k3 (when compared to IIS 5.0 in W2k) is better at surviving DoS
attacks due to its new IIS architecture, namely:

  - The new application pools which allow you to create dozen of process to
host your website(s). 
  - The Worker Threads (inside the Application pools)
  - The new HTTPSYS kernel driver which handles all HTTP requests
  - Its improved monitoring features and performance

The main thing is the App Pools which would allow (under attack) to
distribute the affected website in such way that current customers would not
be affected.

For Dos Asp.Net also gives you several methods to identify malicious traffic
(in ASP Classic you would have to use ISAPI)

Unfortunately (or fortunately) I haven't been involved in a real-live DoS
attack, so I don't have code samples to share.

One of the vulnerability tests that I want to add to the SAM'SHE (Security
Analyser for Microsoft's Shared Hosting Environments) Open Source tool that
I am developing at OWASP is DoS vulnerabilities. Hopefully I will be able to
do this over the next couple of months (I will post my results here).

Dinis Cruz
.Net Security Consultant
DDPlus

> -----Original Message-----
> From: Bénoni MARTIN [mailto:Benoni.MARTIN () libertis ga]
> Sent: 16 July 2004 09:07
> To: Dinis Cruz
> Subject: RE: Problems with IIS
>
> Huh, I had a question for you then: is there smth new in Windows 2003 and
> / or in IIS 6.0 which will help us to avoid DOS attacks?
>
>
>
> -----Message d'origine-----
> De : Dinis Cruz [mailto:dinis () ddplus net]
> Envoyé : mercredi 14 juillet 2004 19:02
> À : 'Marcelo Leão Caffaro'; webappsec () lists securityfocus com
> Objet : RE: Problems with IIS
>
> Hello Marcelo
>
> Seems like you are being victim of a Denial of Service attack.
>
> - Are the IPs where the weird request coming from unique? Or during a
> couple of day's period they repeat themselfs
>
> - Are the requests made by these IPs the same as 'normal' requests? (from
> our description seems like they are a little bit different)
>
> - How long does each attack lasts?
>
> - Is upgrading to 2003 and IIS 6.0 a viable option?
>
> - Do you have budget to buy an Application firewall?
>
> Best regards
>
> Dinis Cruz
> .Net Security Consultant
> DDPlus
>
>
>
>
> > -----Original Message-----
> > From: Marcelo Leão Caffaro [mailto:leao () employer com br]
> > Sent: 14 July 2004 11:25
> > To: webappsec () lists securityfocus com
> > Subject: Problems with IIS
> >
> > Hi, i'm a security analyst of a big website, this website work with
> > average 1000 access simultaneous, and my problem is:
> >
> > My server is a IIS5.0 running in Microsoft Windows 2000 Advanced
> > Server...., with 2gb of ram
> >
> > The website work add new curriculum vitae (totally free), search for
> > new jobs oportunities, free, or it the user pay the month plan, the
> > user can see total description of job oportunities. (name of employer,
> > address, etc).
> >
> > The more recent job oportunities are send to vip user .....
> >
> >
> > I see in the last 2 days anormally of number visits of site, after
> > check the log i see one dificult method of attack, this attack working
> > with simultaneous connections, if i check the website database, can i
> > see 30 or 50 querys to website database (ms-sql) , but in log in one
> > second i have more than 30 ips, the log not contain know attack
> > string, unicode, or another iis bug, the log have the url only....
> >
> > My dll host stay with 950 mb and i have dllhost error, after reboot,
> > in one or 2 seconds after network restart, the process cpu is 100%, i
> > think this attack is about many bot making numerous querys in database
> > to decrease the web performance....
> >
> > My question is, how the best way to stop this type of attack?, if a
> > make one session with IP, cookies and reverse dns can i stop this?
> >
> > Anyone can help-me?