Re: Problems with IIS

[Mark Burnett <mb () xato net>]

The best way to stop this attack is to find out exactly what is 
happening. Turn on full logging or use a packet sniffer if necessary.

You might be able to do some things to make your application more 
resistant to an attacker using multiple proxies, but most anything you 
do can be circumvented. 


Mark Burnett

Hacking the Code: ASP.NET Web Application Security 
www.hackingthecode.com




On Wed, 14 Jul 2004 08:25:10 -0300, Marcelo LeĆ£o Caffaro wrote:
> Hi, i'm a security analyst of a big website, this website work with
> average 1000 access simultaneous, and my problem is:
>
> My server is a IIS5.0 running in Microsoft Windows 2000 Advanced
> Server...., with 2gb of ram
>
> The website work add new curriculum vitae (totally free), search
> for new jobs oportunities, free, or
> it the user pay the month plan, the user can see total description
> of job oportunities. (name of employer, address, etc).
>
> The more recent job oportunities are send to vip user .....
>
>
> I see in the last 2 days anormally of number visits of site, after
> check the log i see one dificult method of attack, this attack
> working with simultaneous connections, if i check the website
> database, can i see 30 or 50 querys to website database (ms-sql) ,
> but in log in one second i have more than
> 30 ips, the log not contain know attack string, unicode, or another
> iis bug, the log have the url only....
>
> My dll host stay with 950 mb and i have dllhost error, after
> reboot, in one or 2 seconds after network restart, the process cpu
> is 100%, i think this attack is about many
> bot making numerous querys in database to decrease the web
> performance....
>
>
> My question is, how the best way to stop this type of attack?, if a
> make one session with IP, cookies and reverse dns can i stop this?
>
> Anyone can help-me?