Help me identify this IIS DoS attack

From: Alex Boge (alexbat_private)
Date: Wed Oct 16 2002 - 14:27:57 PDT

Next message: Hugo van der Kooij: "Re: Cacheflow proxy abuse (was: no subject)"

Previous message: cory: "Re: apache problem"
Next in thread: Denis Dimick: "Re: Help me identify this IIS DoS attack"
Reply: Denis Dimick: "Re: Help me identify this IIS DoS attack"
Reply: YAO,TONY (HP-NewZealand,ex1): "RE: Help me identify this IIS DoS attack"
Reply: Bojan Zdrnja: "RE: Help me identify this IIS DoS attack"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

First time poster (forgive any etiquette errors). 

Situation: 
Got a NT4 server sitting on about 30 public IPs, IIS4 is running small 
websites on each IP as well as POP3/SMTP mail. 

As far as I can tell, it's fully patched up. Shavlik HFNetChk tells me I'm 
as current as can be expected. We've never been hit by anything so much 
more than a few dozen CodeRed attempts. 

Switched providers recently and suddenly we've been experiencing what I'll 
call DoS attacks against the IIS4 server. The W2K/IIS5 machines on the 
same address block are not affected. I cannot determine what this attack 
is or how to deflect it - other than to manually route to Null0 the source 
IPs. 

Observatation: 
I know things are amiss when I start getting calls saying website X is not 
responding - usually those that have an .ASP page as their default page. 

Checking TCPView I can see 100s to 1000s of port 80 "ESTABLISHED" 
connections all coming from the same source IP. The connects are usually 
about 10-50 to each IP, port 80, on the machine that hosts a web service. 

Checking IIS logs I see NOTHING at all showing up. CPU utilization is 
nothing. Memory usage is nothing. The machine is responsive and all other 
services on the machine work just fine. Bandwidth utilization is nothing. 
Just 1000s of port 80 "ESTABLISHED" connections. 

Block the IP and eventually they fall off (or I can close them via 
TCPView). A few hours later I can unblock the IP and the attacks are gone. 
I've had about 15 of these in the last 10 days. All coming from wildly 
random outside sources. I've tried to see what's on the other end of the 
source IPs and the ones that give me something appear to be IIS boxes. 

Request: 
Can someone offer me some directions to look to determine what this is and 
what I can do to defeat it? It's amazing to me that for 3 years I've been 
with one provider and NEVER had anything like this and in the 10 days 
since I've switched I'm suddenly flooded. The attacks are not coming from 
within the new providers network - they come from anywhere, US to 
Australia to Europe. 

Thanks in advance - I hope I posted in the right way to the right place. 

ab 


----------------------------------------------------------------------------
This list is provided by the SecurityFocus ARIS analyzer service.
For more information on this free incident handling, management 
and tracking system please see: http://aris.securityfocus.com

Next message: Hugo van der Kooij: "Re: Cacheflow proxy abuse (was: no subject)"
Previous message: cory: "Re: apache problem"
Next in thread: Denis Dimick: "Re: Help me identify this IIS DoS attack"
Reply: Denis Dimick: "Re: Help me identify this IIS DoS attack"
Reply: YAO,TONY (HP-NewZealand,ex1): "RE: Help me identify this IIS DoS attack"
Reply: Bojan Zdrnja: "RE: Help me identify this IIS DoS attack"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

This archive was generated by hypermail 2b30 : Wed Oct 16 2002 - 15:44:58 PDT