Solved

IIS web log: Downloading files = Denial of Service?

Posted on 2002-03-07
Last Modified: 2010-04-11
I've recently been going through my IIS 5 web log files.  I have a Windows 2000 dedicated server, which is primarily a shareware download server (I am a shareware author).  I've noticed that one of my least popular programs happens to be the target of a HUGE, VERY HUGE downloading binge.  In fact, the tremendous number of downloads of this very unpopular program appears to be a denial of service attack.  This unpopular program is over 1mb in size, and within a 90 second interval, this unpopular program is getting "hit" (downloaded) 50+ times!  And when I reverse lookup the IP addresses that are downloading this file, I see that the majority of them can be traced from outside the USA.  Mostly from England and Europe.   Can anyone figure out how 50+ servers from around the world can all decide to download my least popular program all within a 2 minute period?  And as I review my web logs, this type of "blizzard of downloads" keeps reoccurring several times each day, but always the same filename is being downloaded, and always within a 2 minute window.

You can see a snippet of the Web log in question at: http://64.26.9.66/temp/attack.htm   (I have replaced my real IP address with 1.2.3.4 in the online sample.)

Any idea how this could be occurring, and what I can do to stop this?

There are two other EXEs (downloadable shareware programs) that are also being "hit" in a similar 2 minute barrage of downloads that I can see in the LOG files.  It's as if there are zombie machines out there, hardcoded with attack software specifically trying to target my website, and all set to "go off" (attack) in sync.
Question by:Kapusta
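What the question describes doing by eye (spotting 50+ requests for one file inside a two-minute window, from many different addresses) can be automated. The script below is an added example, not code from the thread or from the questioner: it parses IIS 5 W3C Extended log lines using the `#Fields:` header, slides a 120-second window over the requests for each `cs-uri-stem`, and reports each burst with its distinct client addresses and distinct /24 networks, which is exactly the list one would feed into whois. The sample log is constructed (documentation-range addresses, 12 hits per burst) and the threshold is lowered to 10 so the sample triggers; for a real log, point it at the `.log` file and raise `THRESHOLD` to around 50.

```python
"""Burst detector for IIS 5 W3C Extended logs (added example, not from the thread).

Flags any cs-uri-stem requested THRESHOLD or more times inside a sliding WINDOW
and reports how many distinct client addresses and /24 networks took part.
"""
from collections import defaultdict, deque
from datetime import datetime, timedelta

WINDOW = timedelta(seconds=120)   # the question's "2 minute window"
THRESHOLD = 10                    # sample is small; use ~50 for the real log

# Constructed sample log (documentation-range IPs, not real clients).  The
# #Fields line is part of the real W3C Extended format and drives the parser.
_HEADER = """\
#Software: Microsoft Internet Information Services 5.0
#Version: 1.0
#Date: 2002-03-07 00:00:00
#Fields: date time c-ip cs-method cs-uri-stem cs-uri-query sc-status sc-bytes cs(User-Agent)
2002-03-07 01:12:07 192.0.2.40 GET /default.htm - 200 4321 Mozilla/4.0+(compatible)
2002-03-07 01:12:09 192.0.2.40 GET /popular.exe - 200 524288 Mozilla/4.0+(compatible)
2002-03-07 02:00:00 198.51.100.77 GET /unpopular.exe - 200 1100000 Mozilla/4.0+(compatible)
2002-03-07 02:45:31 203.0.113.9 GET /popular.exe - 200 524288 Mozilla/4.0+(compatible)
"""


def _burst_lines(hour, n=12):
    """n constructed hits on /unpopular.exe, 5 s apart, from n addresses in three /24s."""
    nets = ["203.0.113", "198.51.100", "192.0.2"]
    return "".join(
        f"2002-03-07 {hour:02d}:10:{i * 5:02d} {nets[i % 3]}.{i + 1} "
        f"GET /unpopular.exe - 200 1100000 -\n"
        for i in range(n)
    )


# Two bursts in one day, as the question reports ("several times each day").
SAMPLE_LOG = _HEADER + _burst_lines(3) + _burst_lines(9)


def parse_w3c(text):
    """Yield one dict per data line, keyed by the names in the #Fields header."""
    fields = None
    for raw in text.splitlines():
        if not raw.strip():
            continue
        if raw.startswith("#"):
            if raw.startswith("#Fields:"):
                fields = raw.split(":", 1)[1].split()
            continue
        if fields is None:
            raise ValueError("data line before #Fields header")
        values = raw.split(" ")
        if len(values) != len(fields):
            continue                      # malformed or truncated line: skip it
        rec = dict(zip(fields, values))
        rec["ts"] = datetime.strptime(rec["date"] + " " + rec["time"], "%Y-%m-%d %H:%M:%S")
        yield rec


def _summarize(uri, recs):
    ips = {r["c-ip"] for r in recs}
    nets = {".".join(ip.split(".")[:3]) for ip in ips}
    return {
        "uri": uri,
        "start": recs[0]["ts"],
        "end": recs[-1]["ts"],
        "requests": len(recs),
        "distinct_ips": len(ips),
        "distinct_slash24": len(nets),
        "bytes": sum(int(r["sc-bytes"]) for r in recs if r["sc-bytes"].isdigit()),
        "ips": sorted(ips),               # the list to run through whois
    }


def find_bursts(records, window=WINDOW, threshold=THRESHOLD):
    """Return one summary per burst: >= threshold GETs of a URI within `window`,
    extended for as long as successive hits stay within `window` of each other."""
    by_uri = defaultdict(list)
    for r in records:
        if r.get("cs-method") == "GET":
            by_uri[r["cs-uri-stem"]].append(r)
    bursts = []
    for uri, hits in by_uri.items():
        hits.sort(key=lambda r: r["ts"])
        win = deque()                     # recent hits not yet part of a burst
        current = None                    # hits of the burst being extended
        for r in hits:
            if current is not None and r["ts"] - current[-1]["ts"] <= window:
                current.append(r)
                continue
            if current is not None:       # gap longer than the window: burst over
                bursts.append(_summarize(uri, current))
                current = None
            win.append(r)
            while r["ts"] - win[0]["ts"] > window:
                win.popleft()
            if len(win) >= threshold:
                current = list(win)
                win.clear()
        if current is not None:
            bursts.append(_summarize(uri, current))
    return sorted(bursts, key=lambda b: b["start"])


if __name__ == "__main__":
    for b in find_bursts(parse_w3c(SAMPLE_LOG)):
        print(f"{b['uri']} {b['start']:%H:%M:%S}-{b['end']:%H:%M:%S}: "
              f"{b['requests']} requests, {b['distinct_ips']} IPs in "
              f"{b['distinct_slash24']} /24s, {b['bytes']} bytes")
```

The /24 count is a cheap stand-in for "how many different networks": a burst from many addresses in many /24s is a distributed client population, whereas many addresses in one /24 is more likely a single organisation or a spoofed range. Running `find_bursts` over a real `exYYMMDD.log` only requires reading the file in place of `SAMPLE_LOG`.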
 

Author Comment

by:Kapusta
Note: If you visit the URL above ( http://64.26.9.66/temp/attack.htm) ...please note that I replaced my actual domain name with the bogus "my-domain.com" for privacy reasons.
 
LVL 24

Expert Comment

by:SunBow
Think of HP's OpenView and how it was so nice and easy and free. There's first guess. I'll be back to read more, could prove interesting.
 
LVL 24

Expert Comment

by:SunBow
(some, per Sam Spade:)
Trying whois -h whois.arin.net 65.33.10.170
Road Runner-Southeast (NETBLK-ROADRUNNER-SOUTHEAST)
   13241 Woodland Park Road
   Herndon, VA 20171
   US
   Netname: ROADRUNNER-SOUTHEAST
   Netblock: 65.32.0.0 - 65.34.31.255
   Maintainer: RRSE
   Coordinator:
      ServiceCo LLC  (ZS30-ARIN)  abuse@rr.com
Trying whois -h whois.arin.net 205.144.226.29
Mississippi Department of Transportation (NETBLK-MSDOT)
   301 North Lamar St.
   301 Building, Suite 508
   Jackson, MS 39201
   US
   Netname: MSDOT
   Netblock: 205.144.224.0 - 205.144.239.255
   Coordinator:
      Martin, John  (JM82-ARIN)  martin@MARTIN.ITS.STATE.MS.US
Trying whois -h whois.arin.net 24.168.48.24
ServiceCo LLC - Road Runner (NET-ROAD-RUNNER-5)
   13241 Woodland Park Road
   Herndon, VA 20171
   US
   Netname: ROAD-RUNNER-5
   Netblock: 24.160.0.0 - 24.170.127.255
   Maintainer: SCRR
   Coordinator:
      ServiceCo LLC  (ZS30-ARIN)  abuse@rr.com
      1-703-345-3416
Trying whois -h whois.arin.net 38.139.36.109
Performance Systems International (NET-PSINETA)
   510 Huntmar Park Drive
   Herndon, VA 22070
   US
   Netname: PSINETA
   Netblock: 38.0.0.0 - 38.255.255.255
   Maintainer: PSI
   Coordinator:
      PSINet, Inc.  (PSI-NISC-ARIN)  hostinfo@PSI.COM
Trying whois -h whois.arin.net 63.25.249.86
UUNET Technologies, Inc. (NETBLK-NETBLK-UUNET97DU)
   3060 Williams Drive, Suite 601
   Fairfax, va 22031
   US
   Netname: NETBLK-UUNET97DU
   Netblock: 63.0.0.0 - 63.63.255.255
   Maintainer: UUDA
   Coordinator:
      UUNET, Technical Support  (OA12-ARIN)  help@uu.net
Trying whois -h whois.arin.net 172.165.109.205
America Online, Inc. (NETBLK-AOL-172BLK)
   12100 Sunrise Valley Drive
   Reston, VA 20191
   US
   Netname: AOL-172BLK
   Netblock: 172.128.0.0 - 172.191.255.255
   Maintainer: AOL
   Coordinator:
      America Online, Inc.  (AOL-NOC-ARIN)  domains@AOL.NET
 
LVL 24

Expert Comment

by:SunBow
<heh> Hadn't noticed before, cute eMail ID for coordinator... kinda says something, huh?:

                          abuse@rr.com
 
LVL 24

Expert Comment

by:SunBow
One should not be too hasty about jumping to a conclusion. But while I am no real expert on all the details, I do lean towards agreeing with your choice of labels: attack.htm, changing of your personal info (address etc), "as if there are zombie machines out there", getting "hit"; but not (yet) with: blizzard, binge, denial of service. If you can:

> I see that the majority of them can be traced

then I suggest you get onto some of the websites that run checks against your machine to provide simple security validations, and recheck your being up-to-date with latest upgrades for ALL services on your box(es) on the network.

But first let us be kind to the whomsoever
  -(more)-
 
LVL 24

Expert Comment

by:SunBow
OpenView, you may recall, had initially dealt with making connectivity a visual experience on the cheap.

Nowadays there are several web based initiatives to try to provide graphic display of how well packets are flowing around the world. So let us first explore possibility there was honorable intention in accessing your site. And as humans, we make mistake. Possibly, you hit on such a site and inadvertently offered yours as a willing participant in the global effort for such analysis.

Often, such sites do honorable opt-in choice. Meaning you knowingly volunteer. You lose some cycles, they tell you up front. But you get a reward in return. Possibly the raw data results, or free access to graphical displays that non-participants would be charged for.

Suppose that scenario, you just humanly forgot. How would they update their displays? They'd have to hit you, your site, on a frequency based on their schedule of updates. This could be via ping, which is small, and sometimes not responded to, or via a fixed-sized file, of little importance, to better gauge networking behavior. The participating sites would also be relatively constant, and behave on a schedule.

This is very much like your description, and as such is very supportive of a first guess. For the collector part.

But where they are honorable, professional, it also seems likely that were you forgetful, there would be other activities that would serve as reminders. An eMail, probably an initial one to verify you as customer, and firm up 'agreement' (possibly with ad to purchase improved interface). Probably other eMails, for a mailing list of participants, of current status and summaries,, possibly daily.

But you are unaware.

Still, suppose you have competitor, or jokester, that signed you up. Maybe they get the eMails (or a dead letter drop box). So that would leave the 'collector' of info still possibly honorable.

Getting hit with 50 at a time, times 1 MB (over?) is maybe 500 Mb, on a 10 Mb eNet takes about 90 sec.  Real numbers require real equipment. But it fits the scenario, of pushing, pumping bits about at bearable speeds for a minute or so, saturating, to reach conclusions about networking, then backing off to let it all settle down again for the other productive work. Until the next schedule, hourly or what have you. As a server, you should have a good rate. Sites like RR or AOL would not be so good on sending files, but are typically expected to be near as good in receiving files.

So it all fits, that it is not denying service, it is about gauging service.

Still, I suspect that an honorable, professional site doing this would have found ways to be more memorable to you. Possibly requiring a physical company letterhead that matches the database for your address.

But haste of dot.com's looking for glory, hiring less experienced staff who claim 'whiz-bang', some shortcuts could have been done, leaving you more out-of-the-loop than either necessary or intended.

For more proper discussion, we should probably sample some such sites, but I can't think of any off-hand, at the moment. But offering up an alternative you may not have thought of, and which may in fact, stir up a recollection of something you'd done and forgotten about.
 
LVL 24

Accepted Solution

by:SunBow earned 150 total points
> Can anyone figure out how 50+ servers from around the world can all decide to download

Ans: done. I think the above covers that one
 
LVL 24

Expert Comment

by:SunBow
Unfortunately, viruses and worms and zombies and DOS and ware(z) are so commonly newsie, that script kiddies and lonely-heart coders find their way to clubs, sharing information of the worst kind (on networking of others). When a handful of Israelis were recently arrested, they used words like: it was a game, a competition, among (anonymous) club members. They can share or pool their information on vulnerabilities, known zombies, how to make things work better, like maybe they used to. The Napster problem has left many feeling hungry, for alternative.

Since these types of behaviors are also likely, it is first imperative that you shore up your defenses, you are known qty to them and their friends, by getting all available upgrades, and shutting down any services not needed.

I recommend that you do what you can to slow them down. Blocking them is good, but may attract worse attention. Finding a way to slow down an xMit could help spread the word that you do not have a server worthy of a takeover attempt. Blocking them completely will help your throughput, but attention may lead to one member going along with escalation (up to denial of service). You have inside knowledge of the file sought for. Better, IMO, to make it somehow take longer to download. Possibly link to a slower device, <heh> 300 baud modem.  Maybe to a different server through a link, or shortcutted to diskette. As it is an unimportant file, remove it for half of each day, put it back the other half.  Causing confusion to the collector on your throughput value.

Then, if any honor involved at all, someone may make better contact established to you, perhaps asking "what's up?"; where a non-pro would give up, preferring to deal more with sites that maintain consistencies.
 
LVL 24

Expert Comment

by:SunBow
<phew>
Do let me know how it turns out.
If the IPs you recorded are bona fide... well, a random paste of a few into web browsers (http) yields a couple of different responses, but no defaulted web server. Under the 'friendly' scenario above, one would expect all participants to be sending back and forth to gauge throughput, for their web oriented interests (inc ftp). Were that the case, one would expect a form of uncloaked web presence. Not found (easily). Likely they would be sending also to you, a sort of load balancing inside of the 'test' of internetting robustness.
 
LVL 24

Expert Comment

by:SunBow
http://www.internettrafficreport.com/cgi-bin/tr_chartpage.pl?NorthAmerica#graphs

(found one!)
Lest I overly confuse anyone on my meanings re:traffic reports, that can have value to some, complete with colors and graph I present above. A quick look tells me this website requires any 'participant' to be 'router' not 'server'. For those who cannot see, at moment, it looks like Quebec is ahead of Chicago to these tired eyes.