Snort mailing list archives

Re: Is this a Denial of Service (DOS) attack on the Internet Information Services (IIS) Web Server?


From: wkitty42--- via Snort-users <snort-users () lists snort org>
Date: Thu, 1 Nov 2018 07:55:07 -0400

On 11/1/18 6:26 AM, Turritopsis Dohrnii Teo En Ming wrote:
> Since 13 October 2018, their IIS web server logs have grown extremely huge
> (465 Gigabytes to-date) and completely filled up the entire C:\ drive,
> leaving it without any free space. Nobody can access any web application
> now.
>
> Is this characteristic or symptom of a Denial of Service (DOS) attack?


possibly but no one can tell with the minuscule amount of information given... it is quite possible that their system's log rotation services have not been running for some reason... if that's the case, fixing that would be part of the solution...


> Should I advise the client to turn on Intrusion Prevention System (IPS) and
> Flood Protection and enable Geo-IP Filter and Botnet Filter at the
> firewall/network security appliance level to mitigate DOS attacks?

IMPO, that's up to you and your company if you want or even can support them in that function... your company may not want to take on that additional risk... instead of adding more logs, one should look at the existing logs and determine from them what is going on before "adding more wood to the fire"... that's where i'd start...


--
 NOTE: No off-list assistance is given without prior approval.
       *Please keep mailing list traffic on the list unless*
       *a signed and pre-paid contract is in effect with us.*
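
Added example, not part of the original message or the Snort project: one way to start the log review the reply recommends is to summarize the existing IIS W3C logs by day, client, URI and status, to see when the growth began and what is driving it. The field list and sample rows are constructed for illustration; a real log's `#Fields:` line determines the columns.

```python
from collections import Counter, defaultdict

# Constructed sample in W3C extended log format (not data from the thread).
SAMPLE_LOG = """\
#Version: 1.0
#Fields: date time cs-method cs-uri-stem c-ip sc-status sc-bytes
2018-10-12 09:00:01 GET /default.aspx 192.0.2.10 200 5120
2018-10-13 09:00:02 GET /app/report.aspx 198.51.100.7 500 90210
2018-10-13 09:00:02 GET /app/report.aspx 198.51.100.7 500 90210
2018-10-13 09:00:03 GET /app/report.aspx 198.51.100.7 500 90210
2018-10-13 09:00:04 GET /default.aspx 192.0.2.10 200 5120
2018-10-13 09:00:05 GET /app/rep
"""

def parse_w3c(lines):
    """Yield one dict per request, using the most recent #Fields directive."""
    fields = []
    for line in lines:
        line = line.strip()
        if line.startswith("#Fields:"):
            fields = line.split()[1:]      # the header can change mid-file
        elif line and not line.startswith("#") and fields:
            values = line.split(" ")
            if len(values) == len(fields): # skip rows truncated by a full disk
                yield dict(zip(fields, values))

def summarize(lines, top=3):
    """Return per-day request counts plus the top clients, URIs and statuses."""
    per_day = Counter()
    by_key = defaultdict(Counter)
    for row in parse_w3c(lines):
        per_day[row.get("date", "?")] += 1
        for key in ("c-ip", "cs-uri-stem", "sc-status"):
            by_key[key][row.get(key, "-")] += 1
    return {
        "per_day": dict(per_day),
        "top": {k: c.most_common(top) for k, c in by_key.items()},
    }

if __name__ == "__main__":
    report = summarize(SAMPLE_LOG.splitlines())
    for day, count in sorted(report["per_day"].items()):
        print(day, count)
    for key, ranked in report["top"].items():
        print(key, ranked)
```

For real files, pass an open file object to `summarize()` so a multi-gigabyte log is streamed line by line rather than loaded into memory.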