Solved

HTTP SEARCH DoS Attack

Posted on 2003-11-13
Last Modified: 2012-05-04
For a couple of months now, my network has been the target of a DDoS attack attempting to exploit the WebDav vulnerability of IIS5. Now... I've LONG since patched this issue, but the problem I'm having now is that this continuous traffic is poisoning my log files with useless traffic. WebTrends currently doesn't seem to have any way to ignore HTTP SEARCH commands, so I was wondering if anybody knew how to block these commands from even making it to my log files?

Security-wise, I have a Cisco 2610 Router with the 12.2(7b) IP-FW software, my firewall is a GnatBox Flash v3.4.1 (www.gta.com) and I'm using IIS5 under Windows 2000 with all current security patches.
LVL 49

Expert Comment

by:sunray_2003
ID: 9740183
CCongdon,

Check this

http://www.cisco.com/warp/public/707/newsflash.html

Thanks,
Sunray
LVL 9

Author Comment

by:CCongdon
ID: 9740861
Sunray:

Thanks for the info links. However, they're not really what I was looking for.

Spyware: All of our workstations have Spybot S&D on them. NOBODY runs unauthorized apps on the servers (And since there's only 4 of us here and 2 of those don't normally go into the server room, that's easy to keep tabs on.)

Firewall: I personally believe the GnatBox series of firewalls is a good solid product. It is an ICSA-certified firewall that I have been using for many years now and am quite happy with. The main problem of the DDoS we're seeing is that it's coming through Port 80, which we obviously can't block since we have to serve pages.

Cisco & JMU links: Good info to have on hand. Although the JMU stuff seems to be more in line with keeping your systems from being infected and initiating the DoS attacks.

LVL 3

Expert Comment

by:nonsence
ID: 9781095
install this if you haven't already:
http://www.microsoft.com/windows2000/downloads/recommended/iislockdown/default.asp

also look into secureiis if you got the money. it's kinda like urlscan but with a lot more options and filters - http://www.eeye.com/html/Products/SecureIIS/

for a quick fix, what you can do is use urlscan to block the webdav exploit url. this will make it so that the url request doesn't reach iis, thus it will never be logged in the iis log files and consume space. however, i think it may be logged in urlscan log files but i think there is a way to prevent that too.
well either way. i don't know the specific url you should be blocking, but that's the theory anyways. use urlscan's url filter to block the request so it never comes to iis.
LVL 9

Author Comment

by:CCongdon
ID: 9781143
Thanks for the info...however... This isn't quite what I asked. Of course, I'm used to this by now. Every time I've asked this question, I get people telling me what's hitting me and how to make sure my server isn't affected by it... My true question is... How do I make HTTP SEARCH commands not appear in my log files? The extra traffic seen by WebTrends is poisoning my logs and making it appear that I'm getting more traffic than I should be. Or even, is there a way to make sure that an HTTP SEARCH command never gets to IIS? Even if you IISLockdown, the SEARCH command still gets to the server, it's just that the server ignores it.
LVL 3

Accepted Solution

by:
nonsence earned 500 total points
ID: 9783030
but that's what i'm trying to say. using either secureiis or urlscan you can block http search commands.
i think what you gotta do is go to the [DenyVerbs] section of the urlscan.ini file. and then add SEARCH to under it. and under [AllowVerbs] delete SEARCH so it's not allowed.
here's an article about how to configure urlscan - http://www.iisfaq.com/default.aspx?View=A384&P=134

now this only works if urlscan is the first filter that picks up client requests. otherwise webtrends will pick it up anyways and it will still be logged by webtrends but at least not by iis, and that's still not good.

i'm not sure your cisco router or gnatbox flash firewall have specific http proxy features or filters.

is webtrends and iis all on one server or are they two different computers?
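The accepted answer stops SEARCH requests at UrlScan so that IIS never logs them. For log files that were already written while the traffic was arriving, the following Python script is an added example (not code from this thread, from UrlScan, or from WebTrends) that strips SEARCH requests from an IIS W3C extended log before the file is handed to an analyser. The sample log text is constructed for the example; the script reads the `#Fields:` directive to find the `cs-method` column, so it does not assume a fixed column order, and it passes through any data line that appears before a `#Fields:` header rather than guessing.

```python
"""Drop HTTP SEARCH requests from an IIS W3C extended log.

Added example for the thread above; the sample log and the verb list are
constructed, and the script is not part of any product named in the thread.
"""
import sys
from typing import Iterable, List, Tuple

# Constructed sample: an IIS 5 style W3C extended log with two SEARCH
# requests mixed into ordinary GET/POST traffic. IIS writes '-' for empty
# fields and replaces spaces inside a field with '+', so splitting on
# spaces is safe for this format.
SAMPLE_LOG = """#Software: Microsoft Internet Information Services 5.0
#Version: 1.0
#Date: 2003-11-13 00:00:00
#Fields: date time c-ip cs-method cs-uri-stem cs-uri-query sc-status cs(User-Agent)
2003-11-13 00:00:01 192.0.2.10 GET /index.html - 200 Mozilla/4.0
2003-11-13 00:00:02 198.51.100.7 SEARCH / - 411 -
2003-11-13 00:00:03 192.0.2.11 GET /images/logo.gif - 200 Mozilla/4.0
2003-11-13 00:00:04 198.51.100.7 SEARCH / - 411 -
2003-11-13 00:00:05 192.0.2.12 POST /cgi-bin/form.asp - 200 Mozilla/4.0
"""

# Verbs to remove from the log before analysis (assumed list, not from the thread).
DENIED_VERBS = frozenset({"SEARCH"})


def filter_log(lines: Iterable[str], denied: frozenset = DENIED_VERBS) -> Tuple[List[str], int]:
    """Return (kept_lines, dropped_count).

    Directive lines (starting with '#') are always kept; the '#Fields:'
    directive is parsed to locate cs-method. A log may contain several
    '#Fields:' headers (IIS writes a new one after a restart), so the column
    index is recomputed each time one is seen.
    """
    kept: List[str] = []
    dropped = 0
    method_index = None  # column of cs-method, unknown until '#Fields:' is seen

    for raw in lines:
        line = raw.rstrip("\r\n")
        if not line:
            continue
        if line.startswith("#"):
            if line.startswith("#Fields:"):
                fields = line[len("#Fields:"):].split()
                method_index = fields.index("cs-method") if "cs-method" in fields else None
            kept.append(line)
            continue
        if method_index is None:
            # No usable field header yet: cannot judge the line, so keep it.
            kept.append(line)
            continue
        cols = line.split(" ")
        if len(cols) > method_index and cols[method_index].upper() in denied:
            dropped += 1
            continue
        kept.append(line)

    return kept, dropped


if __name__ == "__main__":
    # Usage: python filter_search.py <iis-log-file> > cleaned.log
    # (reads stdin when no file is given; the dropped count goes to stderr).
    source = open(sys.argv[1], encoding="utf-8", errors="replace") if len(sys.argv) > 1 else sys.stdin
    kept_lines, dropped_lines = filter_log(source)
    sys.stdout.write("\n".join(kept_lines) + "\n")
    sys.stderr.write(f"dropped {dropped_lines} line(s) with denied verbs\n")
```

The dropped count written to stderr is the figure to compare against the inflated hit count the analyser reported, which confirms that the difference is the scanner traffic rather than real visitors. Filtering the log this way complements, rather than replaces, blocking the verb in UrlScan: once the verb is denied at the filter, new log files no longer need cleaning.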
LVL 23

Expert Comment

by:Tim Holman
ID: 10976434
No comment has been added to this question in more than 21 days, so it is now classified as abandoned.
I will leave the following recommendation for this question in the Cleanup topic area:

--> Accept: nonsence

Any objections should be posted here in the next 4 days. After that time, the question will be closed.

tim_holman
EE Cleanup Volunteer