WebApp Sec: Re: Problems with IIS

Re: Problems with IIS

From: Burak DAYIOGLU <dayioglu_at_metu.edu.tr>
Date: Wed, 14 Jul 2004 21:10:43 +0300

Marcelo,
It is not always a good idea to share technical details about your
infrastructure on public lists; this is generally considered a serious
security issue. Try either not sharing so many details or using e-mail
addresses that are not linked to your company.

From what you are saying, it seems like a DoS attack (if not a bursty
but non-malicious load at all). You may attempt to slow it down by
limiting the number of concurrent sessions for a particular user, as you
have suggested. Using IP as the identifier is not an option on the
public Internet; NATs and proxy-networks are everywhere. Assigning a
session-id to the user at the entry and tracking him/her with it using
either cookies or (better) with URL parameters is the generally
preferred approach for this.

If you are using user authentication you may attempt to limit the number of
concurrent sessions to a single user account; this may help.

You may try traffic throttling on network equipment as well. Try to
gather more data on the attack; sniffer dumps, web server logs and
eventlog data may help better understand the nature of the attack.

with regards,

-- 
Burak DAYIOGLU
Phone: +90 312 2103379                            Fax: +90 312 2101120
(*RENEWED*) http://www.dayioglu.net (*RENEWED*)   ICQ UIN: 72276975

Marcelo Lećo Caffaro wrote:
> Hi, I'm a security analyst of a big website, this website works with an average
> of 1000 simultaneous accesses, and my problem is:
> 
> My server is IIS 5.0 running on Microsoft Windows 2000 Advanced Server....,
> with 2 GB of RAM
> 
> The website works to add new curriculum vitae (totally free), search for new
> job opportunities, free, or
> if the user pays the monthly plan, the user can see the total description of job
> opportunities. (name of employer, address, etc).
> 
> The more recent job opportunities are sent to VIP users .....
> 
> 
> In the last 2 days I see an abnormal number of visits to the site; after checking the
> log I see one difficult method of attack, this attack works
> with simultaneous connections; if I check the website database, I can see 30
> or 50 queries to the website database (MS-SQL), but in the log in one second I have
> more than
> 30 IPs; the log does not contain a known attack string, unicode, or another IIS bug,
> the log has the URL only....
> 
> My dllhost stays at 950 MB and I have a dllhost error; after reboot, in one
> or 2 seconds after network restart, the process CPU is 100%. I think this
> attack is about many
> bots making numerous queries in the database to decrease the web performance....
> 
> My question is, what is the best way to stop this type of attack? If I make one
> session with IP, cookies and reverse DNS, can I stop this?
> 
> Can anyone help me?
Received on Jul 15 2004
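
An added example, not part of the original message or of any poster's code: a per-session concurrency cap of the kind suggested in the reply, keyed on a server-issued session id instead of the client IP. The class and function names, the cap of 2 and the HMAC-signed token format are assumptions made for the illustration.

```python
import hashlib
import hmac
import secrets
import threading

class SessionLimiter:
    """Caps in-flight requests per server-issued session id, not per IP."""

    def __init__(self, max_concurrent=2, key=None):
        self.max_concurrent = max_concurrent
        self._key = key or secrets.token_bytes(32)   # signing key, kept server-side
        self._in_flight = {}                         # token -> requests now running
        self._lock = threading.Lock()

    def _sign(self, sid):
        return hmac.new(self._key, sid.encode(), hashlib.sha256).hexdigest()

    def issue(self):
        """Make a signed session id to hand out at entry (cookie or URL parameter)."""
        sid = secrets.token_hex(16)
        return f"{sid}.{self._sign(sid)}"

    def try_acquire(self, token):
        """True if the request may run; False if the id is forged or over the cap."""
        sid, _, mac = token.partition(".")
        if not hmac.compare_digest(mac.encode(), self._sign(sid).encode()):
            return False
        with self._lock:
            n = self._in_flight.get(token, 0)
            if n >= self.max_concurrent:
                return False
            self._in_flight[token] = n + 1
            return True

    def release(self, token):
        """Call when the request finishes, whether it succeeded or failed."""
        with self._lock:
            n = self._in_flight.pop(token, 0) - 1
            if n > 0:
                self._in_flight[token] = n

def demo():
    """Constructed scenario: two users behind one NAT address, cap of 2 each."""
    lim = SessionLimiter(max_concurrent=2)
    alice, bob = lim.issue(), lim.issue()                  # same source IP
    results = [lim.try_acquire(alice) for _ in range(3)]   # third is over the cap
    results += [lim.try_acquire(bob), lim.try_acquire("made-up.token")]
    lim.release(alice)                                     # one request completes
    return results + [lim.try_acquire(alice)]              # slot is free again
```

Session issuance is not throttled in this sketch; the entry point that calls `issue()` needs its own limit, for example the network-level throttling mentioned in the reply.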