Thanks Tony: I created the SynAttackProtect key and set it to 2 per recommendations and it had no effect whatsoever. That's why I don't think it's really a SynFlood. I'm seeing "ESTABLISHED" connection states, not SYN or SYN_ACK or SYN_WAIT.

Alex

> -----Original Message-----
> From: YAO,TONY (HP-NewZealand,ex1) [mailto:tony_yaoat_private]
> Sent: Thursday, October 17, 2002 12:11 AM
> To: 'Denis Dimick'; Alex Boge
> Cc: incidentsat_private
> Subject: RE: Help me identify this IIS DoS attack
>
>
> There are some registry keys which can be set to deal with
> network attack.
> Refer to Microsoft Knowledge Base article Q142641 for more
> information.
>
> http://support.microsoft.com/default.aspx?scid=kb;en-us;Q142641
>
> Tony
>
> -----Original Message-----
> From: Denis Dimick [mailto:denisat_private]
> Sent: Thursday, 17 October 2002 12:03 p.m.
> To: Alex Boge
> Cc: incidentsat_private
> Subject: Re: Help me identify this IIS DoS attack
>
>
> Sounds to me like one of your web sites is the target of a DoS. This would
> explain why your other servers are not being affected. It also sounds like
> the attacker is using fake IPs while trying to make the attack. This is
> explained by the "random" IPs you're seeing trying to attach to your server.
> There is not a whole lot you can do about this, at least from a network
> side. Most of the "tools" cost a lot of money and are not really that good
> at stopping this type of attack, IMOA.
>
> Maybe one of the Windows admins on the list can help out, as maybe there
> is some setting to add to the web server to drop the fake connections
> before the server runs out of resources to serve up the web pages.
>
> Sorry, just a Linux/Apache guy..
>
> Denis
>
> On Wed, 16 Oct 2002, Alex Boge wrote:
>
> > First time poster (forgive any etiquette errors).
> >
> > Situation:
> > Got an NT4 server sitting on about 30 public IPs, IIS4 is running small
> > websites on each IP as well as POP3/SMTP mail.
> >
> > As far as I can tell, it's fully patched up. Shavlik HFNetChk tells me I'm
> > as current as can be expected. We've never been hit by anything so much
> > more than a few dozen CodeRed attempts.
> >
> > Switched providers recently and suddenly we've been experiencing what I'll
> > call DoS attacks against the IIS4 server. The W2K/IIS5 machines on the
> > same address block are not affected. I cannot determine what this attack
> > is or how to deflect it - other than to manually route to Null0 the source
> > IPs.
> >
> > Observation:
> > I know things are amiss when I start getting calls saying website X is not
> > responding - usually those that have an .ASP page as their default page.
> >
> > Checking TCPView I can see 100s to 1000s of port 80 "ESTABLISHED"
> > connections all coming from the same source IP. The connects are usually
> > about 10-50 to each IP, port 80, on the machine that hosts a web service.
> >
> > Checking IIS logs I see NOTHING at all showing up. CPU utilization is
> > nothing. Memory usage is nothing. The machine is responsive and all other
> > services on the machine work just fine. Bandwidth utilization is nothing.
> > Just 1000s of port 80 "ESTABLISHED" connections.
> >
> > Block the IP and eventually they fall off (or I can close them via
> > TCPView). A few hours later I can unblock the IP and the attacks are gone.
> > I've had about 15 of these in the last 10 days. All coming from wildly
> > random outside sources. I've tried to see what's on the other end of the
> > source IPs and the ones that give me something appear to be IIS boxes.
> >
> > Request:
> > Can someone offer me some directions to look to determine what this is and
> > what I can do to defeat it? It's amazing to me that for 3 years I've been
> > with one provider and NEVER had anything like this and in the 10 days
> > since I've switched I'm suddenly flooded. The attacks are not coming from
> > within the new provider's network - they come from anywhere, US to
> > Australia to Europe.
> >
> > Thanks in advance - I hope I posted in the right way to the right place.
> >
> > ab
> >
> >
> > ----------------------------------------------------------------------------
> > This list is provided by the SecurityFocus ARIS analyzer service.
> > For more information on this free incident handling, management
> > and tracking system please see: http://aris.securityfocus.com
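The distinction Alex draws above (thousands of fully ESTABLISHED connections from a handful of sources, rather than the half-open SYN_RECEIVED backlog that SynAttackProtect is meant to address) can be checked from a plain `netstat -an` dump. The following Python script is an added example, not code from the thread or from any of the posters: it parses Windows-style netstat output, breaks down connection states on the web port, counts established connections per remote address, and flags sources holding more than a threshold. The netstat lines, the addresses (RFC 5737 documentation ranges) and the threshold of 10 are all constructed for this example.

```python
"""
Triage a Windows-style `netstat -an` dump for a connection-exhaustion DoS
against a web port: count connection states, count ESTABLISHED connections per
remote address, and tell a half-open (SYN) flood apart from a flood of fully
established connections. All sample data below is constructed.
"""
import re
from collections import Counter

# Windows netstat -an prints rows like:
#   TCP    192.0.2.10:80          203.0.113.7:1025       ESTABLISHED
NETSTAT_LINE = re.compile(
    r"^\s*TCP\s+(?P<laddr>\S+):(?P<lport>\d+)\s+"
    r"(?P<raddr>\S+):(?P<rport>\d+)\s+(?P<state>\S+)\s*$"
)

# Constructed sample: one listening socket, twelve established connections from
# a single remote host to 192.0.2.10:80, a few ordinary connections, one
# TIME_WAIT, and one SMTP connection that should not be counted for port 80.
SAMPLE_NETSTAT = "\n".join(
    ["  TCP    0.0.0.0:80             0.0.0.0:0              LISTENING"]
    + [
        f"  TCP    192.0.2.10:80          203.0.113.7:{p}        ESTABLISHED"
        for p in range(1025, 1037)
    ]
    + [
        "  TCP    192.0.2.10:80          198.51.100.4:3301      ESTABLISHED",
        "  TCP    192.0.2.11:80          198.51.100.4:3302      ESTABLISHED",
        "  TCP    192.0.2.10:80          198.51.100.9:4410      TIME_WAIT",
        "  TCP    192.0.2.10:25          198.51.100.12:2211     ESTABLISHED",
    ]
)


def parse_netstat(text):
    """Yield (local_addr, local_port, remote_addr, remote_port, state) per TCP row."""
    for line in text.splitlines():
        m = NETSTAT_LINE.match(line)
        if m:
            yield (m["laddr"], int(m["lport"]), m["raddr"], int(m["rport"]), m["state"])


def state_breakdown(text, port=80):
    """Count TCP states on the given local port (e.g. ESTABLISHED vs SYN_RECEIVED)."""
    counts = Counter()
    for _, lport, _, _, state in parse_netstat(text):
        if lport == port:
            counts[state] += 1
    return counts


def established_by_source(text, port=80):
    """Map remote address -> number of ESTABLISHED connections to local `port`."""
    per_source = Counter()
    for _, lport, raddr, _, state in parse_netstat(text):
        if lport == port and state == "ESTABLISHED":
            per_source[raddr] += 1
    return per_source


def flag_sources(text, port=80, threshold=10):
    """Remote addresses holding more than `threshold` established connections, busiest first."""
    counts = established_by_source(text, port)
    return [(ip, n) for ip, n in counts.most_common() if n > threshold]


def classify(text, port=80, threshold=10):
    """
    'syn_flood' when half-open connections outnumber established ones (the case
    SynAttackProtect targets), 'established_flood' when individual sources hold
    many completed connections (the case described in the thread), else 'normal'.
    """
    states = state_breakdown(text, port)
    if states["SYN_RECEIVED"] > states["ESTABLISHED"]:
        return "syn_flood"
    if flag_sources(text, port, threshold):
        return "established_flood"
    return "normal"


if __name__ == "__main__":
    # Replace SAMPLE_NETSTAT with the real output of `netstat -an` to triage a host.
    print("states on port 80:", dict(state_breakdown(SAMPLE_NETSTAT)))
    print("flagged sources:", flag_sources(SAMPLE_NETSTAT))
    print("verdict:", classify(SAMPLE_NETSTAT))
```

On the sample, the verdict is `established_flood` with 203.0.113.7 flagged at 12 connections, which is the pattern that a SYN-backlog mitigation will not touch; a per-source connection limit at the firewall or a temporary null route, as Alex was already doing, is the relevant control for that pattern.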
This archive was generated by hypermail 2b30 : Thu Oct 17 2002 - 09:06:55 PDT