HTTP SEARCH DoS Attack

For a couple of months now, my network has been the target of a DDoS attack attempting to exploit the WebDav vulnerability of IIS5. Now... I've LONG since patched this issue, but the problem I'm having now is that this continuous traffic is poisoning my log files with useless traffic. WebTrends currently doesn't seem to have any way to ignore HTTP SEARCH commands, so I was wondering if anybody knew how to block these commands from even making it to my log files?

Security-wise, I have a Cisco 2610 Router with the 12.2(7b) IP-FW software, my firewall is a GnatBox Flash v3.4.1 (www.gta.com) and I'm using IIS5 under Windows 2000 with all current security patches.
LVL 9
CCongdonAsked:
Who is Participating?

[Product update] Infrastructure Analysis Tool is now available with Business Accounts.Learn More

x
I wear a lot of hats...

"The solutions and answers provided on Experts Exchange have been extremely helpful to me over the last few years. I wear a lot of hats - Developer, Database Administrator, Help Desk, etc., so I know a lot of things but not a lot about one thing. Experts Exchange gives me answers from people who do know a lot about one thing, in a easy to use platform." -Todd S.

sunray_2003Commented:
0
sunray_2003Commented:
CCongdon,

Check this

http://www.cisco.com/warp/public/707/newsflash.html

Thanks,
Sunray
0
Redefine Your Security with AI & Machine Learning

The implications of AI and machine learning in cyber security are massive and constantly growing, creating both efficiencies and new challenges across the board. Check out our on-demand webinar to learn more about how AI can help your organization!

CCongdonAuthor Commented:
Sunray:

Thanks for the info links. However they're not really waht I was looking for.

Spyware: All of our workstations have Spybot S&D on them. NOBODY runs unauthorized apps on the servers (And since there's only 4 of us here and 2 of those don't normally go into the server room, that's easy to keep tabs on.)

Firewall: I personally believe the GnatBox series of firewalls is a good solid product. It is an ICSA-certified firewall that I have been using for many years now and am quite happpy with. The main problem of the DDoS we're seeing is that it's coming through Port 80, which we obviously can't block since we have to serve pages.

Cisco &  JMU links: Good info to have on hand. Although the JMU stuff seems to be more in line in dealing with keeping your systems from being infected and initiating the DoS attacks.

0
nonsenceCommented:
install this if you haven't already:
http://www.microsoft.com/windows2000/downloads/recommended/iislockdown/default.asp

also look into secureiis if you got the money. it's kinda like urlscan but with alot more options and filters - http://www.eeye.com/html/Products/SecureIIS/

for a quick fix, what you can do is use urlscan to block the webdav exploit url. this will make it so that the url request doesn't reach iis, thus it will never be logged in the iis log files and consume space. however, i think it may be logged in urlscan log files but i think there is a way to prevent that too.
well either way. i don't know the specific url you should be blocking, but that's the theory anyways. use urlscans url filter to block the request so it never comes to iis.
0
CCongdonAuthor Commented:
Thanks for the info...however... This isn't quite what I asked. Of course, I'm used to this by now. Every time I've asked this question, I get people telling me what's hitting me and how to make sure my server isn't affected by it... My true question is... How do I make HTTP SEARCH commands not appear in my log files. The extra traffic seen be webtrends is poisoning my logs and making it appear that I'm getting more traffic than I should be. Or even, is there a way to make sure that an HTTP SEARCH command never gets to IIS. Even if you IISLockdown, the SEARCH command still gets to the server, it's just that the server ignores it.
0
nonsenceCommented:
but that's what i'm trying to say. using either secureiis or urlscan you can block http search commands.
i think what you gotta do is go to the [DenyVerbs] section of the urlscan.ini file. and then add SEARCH to under it. and under [AllowVerbs] delete SEARCH so it's not allowed.
here's an article about how to configure urlscan - http://www.iisfaq.com/default.aspx?View=A384&P=134

now this only works if urlscan is the first filter that picks up client requests. otherwise webtrends will pick it up anyways and it will still be logged by webtrends but at least not by iis, and that's still not good.

i'm not sure your cisco router or gnatbox flash firewall have specific http proxy features or filters.

is webtrends and iis all on one server or are they two different computers?
0

Experts Exchange Solution brought to you by

Your issues matter to us.

Facing a tech roadblock? Get the help and guidance you need from experienced professionals who care. Ask your question anytime, anywhere, with no hassle.

Start your 7-day free trial
Tim HolmanCommented:
No comment has been added to this question in more than 21 days, so it is now classified as abandoned..
I will leave the following recommendation for this question in the Cleanup topic area:

--> Accept: nonsence

Any objections should be posted here in the next 4 days. After that time, the question will be closed.

tim_holman
EE Cleanup Volunteer
0
It's more than this solution.Get answers and train to solve all your tech problems - anytime, anywhere.Try it for free Edge Out The Competitionfor your dream job with proven skills and certifications.Get started today Stand Outas the employee with proven skills.Start learning today for free Move Your Career Forwardwith certification training in the latest technologies.Start your trial today
Software Firewalls

From novice to tech pro — start learning today.