Nmap Security Scanner
*Intro
*Ref Guide
*Install Guide
*Download
*Changelog
*Book
*Docs
Security Lists
*Nmap Hackers
*Nmap Dev
*Bugtraq
*Full Disclosure
*Pen Test
*Basics
*More
Security Tools
*Pass crackers
*Sniffers
*Vuln Scanners
*Web scanners
*Wireless
*Exploitation
*Packet crafters
*More
Site News
Site Search:
Exploit World
Advertising
About/Contact
Credits
Sponsors:

Security Incidents mailing list archives

RE: Help me identify this IIS DoS attack
From: "Alex Boge" <alexb () callitechnic com>
Date: Thu, 17 Oct 2002 10:30:21 -0400
Thanks Tony:

I created the SynAttackProtect key and set it to 2 per recommendations
and it had no effect whatsoever. That's why I don't think it's really a
SynFlood. I'm seeing "ESTABLISHED" connection states, not SYN or SYN_ACK
or SYN_WAIT.

Alex


-----Original Message-----
From: YAO,TONY (HP-NewZealand,ex1) [mailto:tony_yao () hp com] 
Sent: Thursday, October 17, 2002 12:11 AM
To: 'Denis Dimick'; Alex Boge
Cc: incidents () securityfocus com
Subject: RE: Help me identify this IIS DoS attack


There are some registry keys which can be set to deal with 
network attack.
Refer to Microsoft Knowledge Base article Q142641 for more 
information.

http://support.microsoft.com/default.aspx?scid=kb;en-us;Q142641

Tony
-----Original Message-----
From: Denis Dimick [mailto:denis () dimick net]
Sent: Thursday, 17 October 2002 12:03 p.m.
To: Alex Boge
Cc: incidents () securityfocus com
Subject: Re: Help me identify this IIS DoS attack



Sounds to me like one of your web sites is the target of a 
DoS. This would 
explain why your other servers are not being effected. It 
also sounds like 
the attacker is using fake IP's while trying to make the 
attack. This is 
explained by the "random" IP's you seeing trying to attach to 
your server. 
There is not a whole lot you can do about this, at least from 
a network 
side. Most of the "tools" cost a lot of money and are not 
really that good 
at stopping this type of attack, IMOA.

 Maybe one of the Windows admins on the list can help out, as 
maybe there 
is some setting to add to the web server to drop the fake connections 
before the server runs out of resources to serve-up the web pages. 

Sorry, just a Linux/Apache guy..

Denis

On Wed, 16 Oct 2002, Alex Boge wrote:


First time poster (forgive any etiquette errors). 

Situation: 
Got a NT4 server sitting on about 30 public IPs, IIS4 is 

running small 

websites on each IP as well as POP3/SMTP mail. 

As far as I can tell, it's fully patched up. Shavlik 

HFNetChk tells me I'm


as current as can be expected. We've never been hit by 

anything so much 

more than a few dozen CodeRed attempts. 

Switched providers recently and suddenly we've been 

experiencing what I'll


call DoS attacks against the IIS4 server. The W2K/IIS5 

machines on the 

same address block are not affected. I cannot determine 

what this attack 

is or how to deflect it - other than to manually route to 

Null0 the source


IPs. 

Observatation: 
I know things are amiss when I start getting calls saying 

website X is not


responding - usually those that have an .ASP page as their 

default page. 


Checking TCPView I can see 100s to 1000s of port 80 "ESTABLISHED" 
connections all coming from the same source IP. The 

connects are usually 

about 10-50 to each IP, port 80, on the machine that hosts 

a web service. 


Checking IIS logs I see NOTHING at all showing up. CPU 

utilization is 

nothing. Memory usage is nothing. The machine is responsive 

and all other 

services on the machine work just fine. Bandwidth 

utilization is nothing. 

Just 1000s of port 80 "ESTABLISHED" connections. 

Block the IP and eventually they fall off (or I can close them via 
TCPView). A few hours later I can unblock the IP and the 

attacks are gone.


I've had about 15 of these in the last 10 days. All coming 

from wildly 

random outside sources. I've tried to see what's on the 

other end of the 

source IPs and the ones that give me something appear to be 

IIS boxes. 


Request: 
Can someone offer me some directions to look to determine 

what this is and


what I can do to defeat it? It's amazing to me that for 3 

years I've been 

with one provider and NEVER had anything like this and in 

the 10 days 

since I've switched I'm suddenly flooded. The attacks are 

not coming from 

within the new providers network - they come from anywhere, US to 
Australia to Europe. 

Thanks in advance - I hope I posted in the right way to the 

right place. 


ab 




--------------------------------------------------------------
--------------

This list is provided by the SecurityFocus ARIS analyzer service.
For more information on this free incident handling, management 
and tracking system please see: http://aris.securityfocus.com




--------------------------------------------------------------
--------------
This list is provided by the SecurityFocus ARIS analyzer service.
For more information on this free incident handling, management 
and tracking system please see: http://aris.securityfocus.com




----------------------------------------------------------------------------
This list is provided by the SecurityFocus ARIS analyzer service.
For more information on this free incident handling, management 
and tracking system please see: http://aris.securityfocus.com

  By Date           By Thread  

Current thread:
[ Nmap | Sec Tools | Mailing Lists | Site News | About/Contact | Advertising | Privacy ]