WebApp Sec mailing list archives

Re: Problems with IIS

From: Roshen Chandran <roshen.chandran () paladion net>
Date: Wed, 14 Jul 2004 11:50:27 -0700

Marcelo, this is interesting... please help us understand your problem
better.

1.  Are your logs showing the same 30 IPs hitting your site each second?
Or is the total number of IPs much higher?

2.  Are different pages being requested? Or is it the same page being
hit again and again?

3. Are any of the pages that require login being accessed by the
attacker/bot/suspect, according to your access logs?

4. Are you seeing any outgoing connections from the web server?

Thanks!
-Roshen.


Roshen Chandran
Paladion Networks
http://www.paladion.net

-------We are recruiting. Please visit http://www.paladion.net/careers
for more details. -------



Marcelo LeÃ£o Caffaro wrote:

Hi, i'm a security analyst of a big website, this website work with average
1000 access simultaneous, and my problem is:

My server is a IIS5.0 running in Microsoft Windows 2000 Advanced Server....,
with 2gb of ram

The website work add new curriculum vitae (totally free), search for new
jobs oportunities, free, or
it the user pay the month plan, the user can see total description of job
oportunities. (name of employer, address, etc).

The more recent job oportunities are send to vip user .....


I see in the last 2 days anormally of number visits of site, after check the
log i see one dificult method of attack, this attack working
with simultaneous connections, if i check the website database, can i see 30
or 50 querys to website database (ms-sql) , but in log in one second i have
more than
30 ips, the log not contain know attack string, unicode, or another iis bug,
the log have the url only....

My dll host stay with 950 mb and i have dllhost error, after reboot, in one
or 2 seconds after network restart, the process cpu is 100%, i think this
attack is about many
bot making numerous querys in database to decrease the web performance....

My question is, how the best way to stop this type of attack?, if a make one
session with IP, cookies and reverse dns can i stop this?

Anyone can help-me?

Current thread:

Problems with IIS Marcelo Leão Caffaro (Jul 14)
- Re: Problems with IIS Burak DAYIOGLU (Jul 14)
- Re: Problems with IIS Mark Burnett (Jul 14)
  - .NET custom Textbox control Arian J. Evans (Jul 16)
- Re: Problems with IIS Roshen Chandran (Jul 15)
- Re: Problems with IIS Roshen Chandran (Jul 15)
- RE: Problems with IIS Dinis Cruz (Jul 15)
  - RE: Problems with IIS Frank Knobbe (Jul 16)
- <Possible follow-ups>
- RE: Problems with IIS sk3tch (Jul 14)
- RE: Problems with IIS Marcelo VillalÃ³n Mendez (Jul 15)
- RE: Problems with IIS Stan Guzik (Jul 16)
- RE: Problems with IIS Dinis Cruz (Aug 11)
  - RE: Problems with IIS Andrew van der Stock (Aug 11)