


WebApp Sec: RE: Problems with IIS

RE: Problems with IIS

From: Dinis Cruz <dinis_at_ddplus.net>
Date: Wed, 14 Jul 2004 19:02:20 +0100

Hello Marcelo

Seems like you are the victim of a Denial of Service attack.

- Are the IPs that the weird requests are coming from unique? Or do they
repeat themselves over a period of a couple of days?

- Are the requests made by these IPs the same as 'normal' requests? (from
your description it seems like they are a little bit different)

- How long does each attack last?

- Is upgrading to 2003 and IIS 6.0 a viable option?

- Do you have budget to buy an Application firewall?

Best regards

Dinis Cruz
.Net Security Consultant
DDPlus

> -----Original Message-----
> From: Marcelo Leão Caffaro [mailto:leao_at_employer.com.br]
> Sent: 14 July 2004 11:25
> To: webappsec_at_lists.securityfocus.com
> Subject: Problems with IIS
>
> Hi, I'm a security analyst for a big website. This website works with an
> average of 1000 simultaneous accesses, and my problem is:
>
> My server is IIS 5.0 running on Microsoft Windows 2000 Advanced
> Server...., with 2 GB of RAM.
>
> The website lets users add a new curriculum vitae (totally free) and
> search for new job opportunities for free, or, if the user pays for the
> monthly plan, the user can see the full description of job opportunities
> (name of employer, address, etc.).
>
> The most recent job opportunities are sent to VIP users .....
>
> In the last 2 days I have seen an abnormal number of visits to the site.
> After checking the log I see a difficult method of attack. This attack
> works with simultaneous connections. If I check the website database, I
> can see 30 or 50 queries to the website database (MS-SQL), but in the log,
> in one second, I have more than 30 IPs. The log does not contain any known
> attack string, Unicode, or other IIS bug; the log has the URL only....
>
> My dllhost stays at 950 MB and I get a dllhost error. After a reboot, one
> or 2 seconds after the network restarts, the process CPU is at 100%. I
> think this attack is about many bots making numerous queries to the
> database to decrease the web performance....
>
> My question is: what is the best way to stop this type of attack? If I
> make a session with IP, cookies and reverse DNS, can I stop this?
>
> Can anyone help me?
Received on Jul 16 2004
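
The triage questions in the reply (do the source IPs repeat across days, and do their requests differ from normal traffic?) can be answered from the IIS log itself. The following is an added example, not part of the original thread; the W3C extended field layout, the sample log lines and the function names are constructed assumptions.

```python
from collections import Counter, defaultdict

# Constructed sample in W3C extended log format (not taken from the thread).
SAMPLE_LOG = """\
#Fields: date time c-ip cs-method cs-uri-stem sc-status
2004-07-13 10:00:01 192.0.2.10 GET /search.asp 200
2004-07-13 10:00:01 192.0.2.11 GET /search.asp 200
2004-07-13 10:00:01 192.0.2.12 GET /search.asp 200
2004-07-13 10:00:02 198.51.100.7 GET /default.asp 200
2004-07-14 09:30:00 192.0.2.10 GET /search.asp 200
2004-07-14 09:30:00 192.0.2.11 GET /search.asp 200
2004-07-14 09:30:05 203.0.113.5 GET /jobs.asp 200
"""

def parse_w3c(text):
    """Yield one dict per request, taking column names from the #Fields line."""
    fields = []
    for line in text.splitlines():
        if line.startswith("#Fields:"):
            fields = line.split()[1:]
        elif line and not line.startswith("#") and fields:
            values = line.split()
            if len(values) == len(fields):  # skip truncated or malformed lines
                yield dict(zip(fields, values))

def triage(text, burst_threshold=30):
    """Return (bursts, repeaters, burst_urls, normal_urls) for a log."""
    records = list(parse_w3c(text))
    per_second = defaultdict(set)  # (date, time) -> distinct client IPs
    days_seen = defaultdict(set)   # client IP -> dates on which it appeared
    for r in records:
        per_second[(r["date"], r["time"])].add(r["c-ip"])
        days_seen[r["c-ip"]].add(r["date"])
    # Seconds in which at least burst_threshold distinct clients made requests.
    bursts = {s: ips for s, ips in per_second.items() if len(ips) >= burst_threshold}
    burst_ips = set().union(*bursts.values())
    # Burst participants that show up on more than one day.
    repeaters = sorted(ip for ip in burst_ips if len(days_seen[ip]) > 1)
    # URL mix of burst participants versus everyone else, for comparison.
    burst_urls = Counter(r["cs-uri-stem"] for r in records if r["c-ip"] in burst_ips)
    normal_urls = Counter(r["cs-uri-stem"] for r in records if r["c-ip"] not in burst_ips)
    return bursts, repeaters, burst_urls, normal_urls

if __name__ == "__main__":
    bursts, repeaters, burst_urls, normal_urls = triage(SAMPLE_LOG, burst_threshold=3)
    print("burst seconds:", sorted(bursts))
    print("repeat IPs:", repeaters)
    print("burst URLs:", dict(burst_urls), "normal URLs:", dict(normal_urls))
```

The default threshold of 30 distinct IPs per second matches the figure in the original question; the sample is run with 3 only because it is small.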
