WebApp Sec mailing list archives

RE: Problems with IIS


From: "Stan Guzik" <SGuzik () ImmediaTech com>
Date: Thu, 15 Jul 2004 08:55:53 -0400

These symptoms also seem like application issues.  In component services find the dll host that is taking up the 950mb 
of memory.  Then click on the Status view to see how many components are activated.  If this number is about <= 1,000 
then you're probably not under a DDOS attack and it's an application issue. 

If this number is extremely high you may be under attack or you have a poorly written application.  In my experience a 
well written application like yours should only take about 50mb of memory.

Also check the IIS and ASP performance counters.  Check your ASP request queue.  If it is high you may be running into 
blocking.  The blocking may occur because the SQL queries are taking a long time.  Therefore also look for 
locking/blocking on the ms-sql server.

In addition to checking the application, check your network usage patterns.  If the usage patterns have not changed in 
the past few months then it's most likely an app issue.  If you see high network traffic when the CPU and memory jump then 
you may be under attack.

-----Original Message-----
From: sk3tch () sk3tch net [mailto:sk3tch () sk3tch net] 
Sent: Wednesday, July 14, 2004 1:37 PM
To: leao () employer com br; webappsec () lists securityfocus com
Subject: RE: Problems with IIS

Have you verified with your developers that no new code updates have
been pushed to production in the last few days?  These symptoms are very
similar to "normal" issues with flaky COM+ components...dllhost eating
CPU and using tons of memory.  Also, if you have 1,000 connections at
any one time, dllhost using that amount of memory is relatively normal
depending on what everyone is doing.
 
In my experience, issues with dllhost spiraling out of control relate to
an application issue most of the time.  In one case, it ended up being
an issue with a database query that a developer had pushed out.  Since
it didn't have adequate parameters to "control" it - users were pulling
ENTIRE record sets instead of being limited to a smaller subset at a
time.
 
If you're still determined it is an attack, you can try deploying
URLScan for a period of time and then analyzing what it catches.
Alternatively, (as you've already done) comb your IIS logs consistently.

________________________________

From: Marcelo Leão Caffaro [mailto:leao () employer com br]
Sent: Wed 7/14/2004 6:25 AM
To: webappsec () lists securityfocus com
Subject: Problems with IIS


<snip>
I see in the last 2 days an abnormal number of visits to the site. After
checking the log I see one difficult method of attack; this attack works
with simultaneous connections. If I check the website database, I can
see 30 or 50 queries to the website database (ms-sql), but in the log in
one second I have more than 30 IPs. The log does not contain known attack
strings, unicode, or another IIS bug; the log has the URL only....

My dll host stays at 950 mb and I have a dllhost error. After reboot, in
one or 2 seconds after network restart, the process CPU is 100%. I think
this attack is about many bots making numerous queries in the database to
decrease the web performance....
<snip>
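
One way to do the IIS log combing suggested in this thread, as an added example (not code from any of the posters): it parses W3C extended log lines and reports the peak number of distinct client IPs in one second, the most requested URLs, and the URLs with slow responses. It assumes the c-ip, cs-uri-stem and time-taken fields are enabled; the sample lines and the 5000 ms threshold are constructed.

```python
from collections import Counter, defaultdict

# Constructed sample in W3C extended log format (not taken from the thread).
SAMPLE_LOG = """\
#Fields: date time c-ip cs-method cs-uri-stem sc-status time-taken
2004-07-14 10:00:01 192.0.2.10 GET /search.asp 200 8200
2004-07-14 10:00:01 192.0.2.11 GET /search.asp 200 9100
2004-07-14 10:00:01 192.0.2.12 GET /search.asp 200 7600
2004-07-14 10:00:01 192.0.2.10 GET /default.asp 200 40
2004-07-14 10:00:02 192.0.2.13 GET /search.asp 200 8800
2004-07-14 10:00:02 192.0.2.10 GET /logo.gif 304 5
2004-07-14 10:00:02 truncated
"""

def parse_w3c(text):
    """Yield one dict per request, keyed by the latest #Fields directive."""
    fields = []
    for line in text.splitlines():
        if line.startswith("#Fields:"):
            fields = line.split()[1:]
        elif line and not line.startswith("#") and fields:
            parts = line.split()
            if len(parts) == len(fields):  # skip truncated or malformed rows
                yield dict(zip(fields, parts))

def summarize(text, slow_ms=5000):
    """Summarise load shape; slow_ms is an assumed threshold, tune per site."""
    ips_per_sec = defaultdict(set)   # (date, time) -> distinct client IPs
    hits, slow = Counter(), Counter()
    for r in parse_w3c(text):
        ips_per_sec[(r["date"], r["time"])].add(r["c-ip"])
        hits[r["cs-uri-stem"]] += 1
        taken = r.get("time-taken", "")
        if taken.isdigit() and int(taken) >= slow_ms:  # IIS logs milliseconds
            slow[r["cs-uri-stem"]] += 1
    if not ips_per_sec:
        return None
    peak_sec, peak_ips = max(ips_per_sec.items(), key=lambda kv: len(kv[1]))
    return {
        "peak_second": " ".join(peak_sec),
        "peak_distinct_ips": len(peak_ips),
        "top_urls": hits.most_common(3),
        "slow_urls": slow.most_common(3),
    }

if __name__ == "__main__":
    for key, value in summarize(SAMPLE_LOG).items():
        print(f"{key}: {value}")
```

Slow responses concentrated on one or two URLs are consistent with the query problem both replies describe; treat the output as a starting point for reviewing those pages and their SQL, not as a verdict.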






