> -----Original Message-----
> From: Denis Dimick [mailto:denisat_private]
> Sent: 17 October 2002 1:03
> To: Alex Boge
> Cc: incidentsat_private
> Subject: Re: Help me identify this IIS DoS attack
>
> Sounds to me like one of your web sites is the target of a DoS. This would
> explain why your other servers are not being affected. It also sounds like
> the attacker is using fake IPs while trying to make the attack. This is
> explained by the "random" IPs you are seeing trying to attach to your server.

I don't think they are using fake IPs. As Alex said, he can see that connections are established. If the attacker used fake IPs he would have to spoof the entire 3-way handshake, which is a much more complicated thing to do than a simple SYN flood, in which you usually use faked IPs.

> There is not a whole lot you can do about this, at least from a network
> side. Most of the "tools" cost a lot of money and are not really that good
> at stopping this type of attack, IMOA.

A smart firewall should stop this after some threshold from a single IP is reached.

> Maybe one of the Windows admins on the list can help out, as maybe there
> is some setting to add to the web server to drop the fake connections
> before the server runs out of resources to serve-up the web pages.

As I said, I think those are legitimate connections. Maybe he can only limit the number of connections coming from the same IP (which is also not the best thing to do, as the IP can be a proxy which some organization can use).

Best regards,

Bojan Zdrnja

----------------------------------------------------------------------------
This list is provided by the SecurityFocus ARIS analyzer service.
For more information on this free incident handling, management
and tracking system please see: http://aris.securityfocus.com
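The triage discussed in this message, as an added example that is not part of the original thread: a Python script that counts TCP states per remote address on the web port, separating sources that hold many completed connections (candidates for a per-IP limit) from half-open ones, and keeping known shared proxies apart. The `netstat -an` column layout, the sample lines, the threshold of 3 and the function names are assumptions made for illustration.

```python
from collections import Counter, defaultdict

# Constructed sample in `netstat -an` layout (documentation address ranges).
SAMPLE = """\
  TCP    192.0.2.10:80     198.51.100.7:3101    ESTABLISHED
  TCP    192.0.2.10:80     198.51.100.7:3102    ESTABLISHED
  TCP    192.0.2.10:80     198.51.100.7:3103    ESTABLISHED
  TCP    192.0.2.10:80     198.51.100.7:3104    ESTABLISHED
  TCP    192.0.2.10:80     203.0.113.50:4001    ESTABLISHED
  TCP    192.0.2.10:80     203.0.113.50:4002    ESTABLISHED
  TCP    192.0.2.10:80     203.0.113.50:4003    ESTABLISHED
  TCP    192.0.2.10:80     198.51.100.20:2200   ESTABLISHED
  TCP    192.0.2.10:80     203.0.113.99:1025    SYN_RECEIVED
  TCP    192.0.2.10:443    198.51.100.7:3200    ESTABLISHED
"""

# Half-open state names: Windows prints SYN_RECEIVED, Linux prints SYN_RECV.
HALF_OPEN = {"SYN_RECEIVED", "SYN_RECV"}


def per_source_states(netstat_text, local_port=80):
    """Count connection states per remote IP for one local TCP port."""
    counts = defaultdict(Counter)
    for line in netstat_text.splitlines():
        fields = line.split()
        if len(fields) != 4 or fields[0].upper() != "TCP":
            continue  # skip headers, UDP rows and malformed lines
        _, local, remote, state = fields
        if local.rsplit(":", 1)[-1] != str(local_port):
            continue
        counts[remote.rsplit(":", 1)[0]][state.upper()] += 1
    return counts


def triage(counts, threshold=3, shared=()):
    """Return (over_limit, shared_over_limit, half_open_sources).

    A completed handshake means the source address received the SYN-ACK,
    so ESTABLISHED counts can be attributed to that address. Addresses in
    `shared` (known proxies) are reported separately instead of limited.
    """
    over, shared_over, half_open = [], [], []
    for ip, states in sorted(counts.items()):
        if states["ESTABLISHED"] >= threshold:
            (shared_over if ip in shared else over).append(ip)
        if any(states[s] for s in HALF_OPEN):
            half_open.append(ip)
    return over, shared_over, half_open
```
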
This archive was generated by hypermail 2b30 : Thu Oct 17 2002 - 09:16:17 PDT