Solved

IIS web log: Downloading files = Denial of Service?

Posted on 2002-03-07
Last Modified: 2010-04-11
I've recently been going through my IIS 5 web log files.  I have a Windows 2000 dedicated server, which is primarily a shareware download server (I am a shareware author).  I've noticed that one of my least popular programs happens to be the target of a HUGE, VERY HUGE downloading binge.  In fact, the tremendous number of downloads of this very unpopular program appears to be a denial of service attack.  This unpopular program is over 1mb in size, and within a 90 second interval, this unpopular program is getting "hit" (downloaded) 50+ times!  And when I reverse lookup the IP addresses that are downloading this file, I see that the majority of them can be traced from outside the USA.  Mostly from England and Europe.   Can anyone figure out how 50+ servers from around the world can all decide to download my least popular program all within a 2 minute period?  And as I review my web logs, this type of "blizzard of downloads" keeps recurring several times each day, but always the same filename is being downloaded, and always within a 2 minute window.

You can see a snippet of the Web log in question at: http://64.26.9.66/temp/attack.htm   (I have changed my real IP address with 1.2.3.4 in the online sample.)

Any idea how this could be occurring, and what I can do to stop this?

There are two other EXEs (downloadable shareware programs) that are also being "hit" in a similar 2 minute barrage of downloads that I can see in the LOG files.  It's as if there are zombie machines out there, hardcoded with attack software specifically trying to target my website, and all set to "go off" (attack) in sync.
Question by:Kapusta
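As an added example (not from the asker or any commenter on this thread): a short Python script that parses IIS 5 W3C extended log lines and flags any downloadable file fetched by many distinct client IPs inside a two-minute window, which is the pattern described in the question. The log lines, field list, file names and the threshold of 4 are constructed for the example; a real log would use the threshold that matches the traffic seen (the asker reports 50+ hits in about 90 seconds).

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample in IIS 5 W3C extended log format (not the asker's real log);
# the #Fields: header names the columns and IIS writes the times in UTC.
SAMPLE_LOG = """#Software: Microsoft Internet Information Services 5.0
#Fields: date time c-ip cs-method cs-uri-stem sc-status sc-bytes
2002-03-06 03:14:02 10.0.0.1 GET /dl/unpopular.exe 200 1048576
2002-03-06 03:14:09 10.0.0.2 GET /dl/unpopular.exe 200 1048576
2002-03-06 03:14:11 10.0.0.3 GET /dl/unpopular.exe 200 1048576
2002-03-06 03:14:30 10.0.0.4 GET /dl/popular.exe 200 524288
2002-03-06 03:15:40 10.0.0.5 GET /dl/unpopular.exe 200 1048576
2002-03-06 09:00:00 10.0.0.6 GET /dl/unpopular.exe 200 1048576
"""

def parse_iis_log(text):
    """Turn W3C extended log text into dicts keyed by the #Fields: names."""
    fields, records = None, []
    for line in text.splitlines():
        if line.startswith("#Fields:"):
            fields = line.split()[1:]          # directives may change mid-file
        elif fields and line.strip() and not line.startswith("#"):
            values = line.split()
            if len(values) == len(fields):     # skip truncated lines
                records.append(dict(zip(fields, values)))
    return records

def find_download_bursts(records, window=timedelta(seconds=120),
                         min_distinct_ips=4, suffix=".exe"):
    """{uri: (burst_start, distinct_ips)} for each file fetched by at least
    min_distinct_ips different clients within one window (the asker saw 50+
    in about 90 s; the threshold of 4 merely fits the small sample)."""
    hits = defaultdict(list)
    for r in records:
        # 206 covers download managers fetching the file in byte ranges
        if r["cs-uri-stem"].lower().endswith(suffix) and r["sc-status"] in ("200", "206"):
            ts = datetime.strptime(r["date"] + " " + r["time"], "%Y-%m-%d %H:%M:%S")
            hits[r["cs-uri-stem"]].append((ts, r["c-ip"]))
    bursts = {}
    for uri, events in hits.items():
        events.sort()
        best = (None, 0)
        for i, (ts, _) in enumerate(events):   # a window starts at every hit
            ips = {ip for t, ip in events[i:] if t <= ts + window}
            if len(ips) > best[1]:
                best = (ts, len(ips))
        if best[1] >= min_distinct_ips:
            bursts[uri] = best
    return bursts
```

Running `find_download_bursts(parse_iis_log(open("ex020306.log").read()))` against a real daily log (filename assumed) returns only the files whose distinct-client count inside any two-minute window crosses the threshold, so normal downloads of popular files do not show up.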
10 Comments
 

Author Comment

by:Kapusta
ID: 6849439
Note: If you visit the URL above (http://64.26.9.66/temp/attack.htm) ...please note that I replaced my actual domain name with the bogus "my-domain.com" for privacy reasons.
 
LVL 24

Expert Comment

by:SunBow
ID: 6861809
Think of HP's OpenView and how it was so nice and easy and free. There's a first guess. I'll be back to read more, could prove interesting.
 
LVL 24

Expert Comment

by:SunBow
ID: 6863039
(some, per Sam Spade:)
Trying whois -h whois.arin.net 65.33.10.170
Road Runner-Southeast (NETBLK-ROADRUNNER-SOUTHEAST)
   13241 Woodland Park Road
   Herndon, VA 20171
   US
   Netname: ROADRUNNER-SOUTHEAST
   Netblock: 65.32.0.0 - 65.34.31.255
   Maintainer: RRSE
   Coordinator:
      ServiceCo LLC  (ZS30-ARIN)  abuse@rr.com
Trying whois -h whois.arin.net 205.144.226.29
Mississippi Department of Transportation (NETBLK-MSDOT)
   301 North Lamar St.
   301 Building, Suite 508
   Jackson, MS 39201
   US
   Netname: MSDOT
   Netblock: 205.144.224.0 - 205.144.239.255
   Coordinator:
      Martin, John  (JM82-ARIN)  martin@MARTIN.ITS.STATE.MS.US
Trying whois -h whois.arin.net 24.168.48.24
ServiceCo LLC - Road Runner (NET-ROAD-RUNNER-5)
   13241 Woodland Park Road
   Herndon, VA 20171
   US
   Netname: ROAD-RUNNER-5
   Netblock: 24.160.0.0 - 24.170.127.255
   Maintainer: SCRR
   Coordinator:
      ServiceCo LLC  (ZS30-ARIN)  abuse@rr.com
      1-703-345-3416
Trying whois -h whois.arin.net 38.139.36.109
Performance Systems International (NET-PSINETA)
   510 Huntmar Park Drive
          Herndon, VA  22070
   US
   Netname: PSINETA
   Netblock: 38.0.0.0 - 38.255.255.255
   Maintainer: PSI
   Coordinator:
      PSINet, Inc.  (PSI-NISC-ARIN)  hostinfo@PSI.COM
Trying whois -h whois.arin.net 63.25.249.86
UUNET Technologies, Inc. (NETBLK-NETBLK-UUNET97DU)
   3060 Williams Drive, Suite 601
   Fairfax, va 22031
   US
   Netname: NETBLK-UUNET97DU
   Netblock: 63.0.0.0 - 63.63.255.255
   Maintainer: UUDA
   Coordinator:
      UUNET, Technical Support  (OA12-ARIN)  help@uu.net
Trying whois -h whois.arin.net 172.165.109.205
America Online, Inc. (NETBLK-AOL-172BLK)
   12100 Sunrise Valley Drive
   Reston, VA 20191
   US
   Netname: AOL-172BLK
   Netblock: 172.128.0.0 - 172.191.255.255
   Maintainer: AOL
   Coordinator:
      America Online, Inc.  (AOL-NOC-ARIN)  domains@AOL.NET
 
LVL 24

Expert Comment

by:SunBow
ID: 6863043
<heh> Hadn't noticed before, cute eMail ID for coordinator... kinda says something, huh?:

                          abuse@rr.com
 
LVL 24

Expert Comment

by:SunBow
ID: 6863076
One should not be too hasty about jumping to conclusions. But while I am no real expert on all the details, I do lean towards agreeing with your choice of labels attack.htm, changing of your personal info (address etc), as if there are zombie machines out there, getting "hit"; but not (yet) with: blizzard, binge, denial of service. If you can:

> I see that the majority of them can be traced

then I suggest you get onto some of the websites that run checks against your machine to provide simple security validations, and recheck your being up-to-date with latest upgrades for ALL services on your box(es) on the network.

But first let us be kind to the whomsoever
  -(more)-
 
LVL 24

Expert Comment

by:SunBow
ID: 6863197
OpenView, you may recall, had initially dealt with making connectivity a visual experience on the cheap.

Nowadays there are several web based initiatives to try to provide graphic display of how well packets are flowing around the world. So let us first explore possibility there was honorable intention in accessing your site. And as humans, we make mistake. Possibly, you hit on such a site and inadvertently offered yours as a willing participant in the global effort for such analysis.

Often, such sites do honorable opt-in choice. Meaning you knowingly volunteer. You lose some cycles, they tell you up front. But you get a reward in return. Possibly the raw data results, or free access to graphical displays that non-participants would be charged for.

Suppose that scenario, you just humanly forgot. How would they update their displays? They'd have to hit you, your site on a frequency based on their schedule of updates. This could be via ping, which is small, and sometimes not responded to, or via a fixed sized file, of little importance, to better gauge networking behavior. The participating sites would also be relatively constant, and behave on a schedule.

This is very much like your description, and as such is very supportive of a first guess. For the collector part.

But where they are honorable, professional, it also seems likely that were you forgetful, there would be other activities that would serve as reminders. An eMail, probably an initial one to verify you as customer, and firm up 'agreement' (possibly with ad to purchase improved interface). Probably other eMails, for a mailing list of participants, of current status and summaries,, possibly daily.

But you are unaware.

Still, suppose you have competitor, or jokester, that signed you up. Maybe they get the eMails (or a dead letter drop box). So that would leave the 'collector' of info still possibly honorable.

Getting hit with 50 at a time, times 1 MB (over?) is maybe 500 Mb, on a 10 Mb eNet takes about 90 sec.  Real numbers require real equipment. But it fits the scenario, of pushing, pumping bits about at bearable speeds for a minute or so, saturating, to reach conclusions about networking, then backing off to let it all settle down again for the other productive work. Until the next schedule, hourly or what have you. As a server, you should have a good rate. Sites like RR or AOL would not be so good on sending files, but are typically expected to be near as good in receiving files.

So it all fits, that it is not denying service, it is about gauging service.

Still, I suspect that an honorable, professional site doing this would have found ways to be more memorable to you. Possibly requiring a physical company letterhead that matches the database for your address.

But haste of dot.com's looking for glory, hiring less experienced staff who claim 'whiz-bang', some shortcuts could have been done, leaving you more out-of-the-loop than either necessary or intended.

For more proper discussion, we should probably sample some such sites, but I can't think of any off-hand, at the moment. But offering up an alternative you may not have thought of, and which may in fact, stir up a recollection of something you'd done and forgotten about.
 
LVL 24

Accepted Solution

by:SunBow (earned 150 total points)
ID: 6863206
> Can anyone figure out how 50+ servers from around the world can all decide to download

Ans: done. I think the above covers that one
 
LVL 24

Expert Comment

by:SunBow
ID: 6863270
Unfortunately, viruses and worms and zombies and DOS and ware(z) are so commonly newsie, that script kiddies and lonelyheart coders find their way to clubs, sharing information of the worst kind (on networking of others). When a handful of Israelis were recently arrested, they used words like: it was a game, a competition, among (anonymous) club members. They can share or pool their information on vulnerabilities, known zombies, how to make things work better, like maybe they used to. The Napster problem has left many feeling hungry, for alternative.

Since these types of behaviors are also likely, it is first imperative that you shore up your defenses, you are known qty to them and their friends, by getting all available upgrades, and shutting down any services not needed.

I recommend that you do what you can to slow them down. Blocking them is good, but may attract worse attention. Finding way to slow down an xMit could help spread the word that you do not have server worthy a takeover attempt. Blocking them completely will help your throughput, but attention may lead to one member going along with escalation (up to denial of service). You have inside knowledge of file sought for. Better, IMO to make it somehow take longer to download. Possibly link to slower device, <heh> 300 baud modem.  Maybe to a different server through a link, or shortcutted to diskette. As it is unimportant file, remove it for half each day, put back other half.  Causing confusion to the collector on your throughput value.

Then, if any honor involved at all, someone may make better contact established to you, perhaps asking "what's up?"; where a non-pro would give up, preferring to deal more with sites that maintain consistencies.
 
LVL 24

Expert Comment

by:SunBow
ID: 6863308
<phew>
Do let me know how it turns out.
If IPs you recorded are bona fide... well, a random paste of a few into web browsers (http) yields a couple different responses, but no defaulted web server. Under 'friendly' scenario above, one would expect all participants to be sending back and forth to gauge throughput, for their web oriented interests (inc ftp). Were that the case, one would expect a form of uncloaked web presence. Not found (easily). Likely they would be sending also to you, a sort of load balancing inside of the 'test' of internetting robustness.
 
LVL 24

Expert Comment

by:SunBow
ID: 6863348
http://www.internettrafficreport.com/cgi-bin/tr_chartpage.pl?NorthAmerica#graphs

(found one!)
Lest I overly confuse anyone on my meanings re:traffic reports, that can have value to some, complete with colors and graph I present above. A quick look tells me this website requires any 'participant' to be 'router' not 'server'. For those who cannot see, at moment, it looks like Quebec is ahead of Chicago to these tired eyes.