WebApp Sec mailing list archives
Re: Problems with IIS
From: Burak DAYIOGLU <dayioglu () metu edu tr>
Date: Wed, 14 Jul 2004 21:10:43 +0300
Marcelo,It is not always a good idea to share technical details about your infrastructure on public lists; this is generally considered a serious security issue. Try either not sharing so much details or using e-mail addresses that are not linked to your company.
From what you are saying, it seems like a DoS attack (if not an bursty but non-malicious load at all). You may attempt to slow it down by limiting number of concurrent sessions for a particular user, as you have suggested. Using IP as the identifier is not an option on the public Internet; NAT's and proxy-networks are everywhere. Assigning a session-id to the user at the entry and tracking him/her with it using either cookies or (better) with URL parameters is the generally preferred approach for this.
If you are using user authentication you may attempt to limit number of concurrent sessions to a single user account; this may help.
You may try traffic throttling on network equipment as well. Try to gather more data on the attack; sniffer dumps, web server logs and eventlog data may help better understand the nature of the attack.
with regards, -- Burak DAYIOGLU Phone: +90 312 2103379 Fax: +90 312 2101120 (*RENEWED*) http://www.dayioglu.net (*RENEWED*) ICQ UIN: 72276975 Marcelo LeĆ£o Caffaro wrote:
Hi, i'm a security analyst of a big website, this website work with average 1000 access simultaneous, and my problem is: My server is a IIS5.0 running in Microsoft Windows 2000 Advanced Server...., with 2gb of ram The website work add new curriculum vitae (totally free), search for new jobs oportunities, free, or it the user pay the month plan, the user can see total description of job oportunities. (name of employer, address, etc). The more recent job oportunities are send to vip user ..... I see in the last 2 days anormally of number visits of site, after check the log i see one dificult method of attack, this attack working with simultaneous connections, if i check the website database, can i see 30 or 50 querys to website database (ms-sql) , but in log in one second i have more than 30 ips, the log not contain know attack string, unicode, or another iis bug, the log have the url only.... My dll host stay with 950 mb and i have dllhost error, after reboot, in one or 2 seconds after network restart, the process cpu is 100%, i think this attack is about many bot making numerous querys in database to decrease the web performance.... My question is, how the best way to stop this type of attack?, if a make one session with IP, cookies and reverse dns can i stop this? Anyone can help-me?
Current thread:
- Problems with IIS Marcelo Lećo Caffaro (Jul 14)
- Re: Problems with IIS Burak DAYIOGLU (Jul 14)
- Re: Problems with IIS Mark Burnett (Jul 14)
- .NET custom Textbox control Arian J. Evans (Jul 16)
- Re: Problems with IIS Roshen Chandran (Jul 15)
- Re: Problems with IIS Roshen Chandran (Jul 15)
- RE: Problems with IIS Dinis Cruz (Jul 15)
- RE: Problems with IIS Frank Knobbe (Jul 16)
- <Possible follow-ups>
- RE: Problems with IIS sk3tch (Jul 14)
- RE: Problems with IIS Marcelo VillalĆ³n Mendez (Jul 15)
- RE: Problems with IIS Stan Guzik (Jul 16)
- RE: Problems with IIS Dinis Cruz (Aug 11)
(Thread continues...)