I'm cross posting this, as, it certainly qualifies as an incident. We also had this exact problem over the weekend. After reading your post, I contacted a friend how's network is (logically) close to ours. He indicated that the same problem occurred on thier nets. I can't speak for his machines, but ours are fully up to current patch levels. I think something sneaky may be afoot. We're going to start doing an in-depth analysis of our logs. Has anyone else seen this type of behavior? If we find anything in our logs I'll follow up. > -----Original Message----- > From: Kledi [mailto:klediat_private] > Sent: Sunday, November 11, 2001 2:25 PM > To: > Subject: Strange IIS behavior, > > > Hello, > > I am a sysadm for an Internet provider, most of our systems > are running > linux, but we have an NT box because some customers require > ASP. In the last > couple of days, apparently we are experiencing some DoS > attacks, and it seems > hard to figure out where these come from. > > What happens is that IIS keeps running, but port 80 does not > remain open any > more. If I restart IIS, with the network cable attached, port > 80 will remain > open, and I would be able to connect to it (localy). Another > test I did was I > disabled our internet connection interfaces on the main routers, and > restarted IIS, and it did not stop responding. My suspection > is some kind of > a DoS attack, but even looking at all the logs of the > connections to our > webserver, I do not see any specific host or network that is > connecting to > the server frequently. > > Any suggestions? > > Best Regards, > Kledi > ---------------------------------------------------------------------------- This list is provided by the SecurityFocus ARIS analyzer service. For more information on this free incident handling, management and tracking system please see: http://aris.securityfocus.com
This archive was generated by hypermail 2b30 : Mon Nov 12 2001 - 09:32:32 PST