Posted on 2003-11-13
Medium Priority
Last Modified: 2012-05-04
For a couple of months now, my network has been the target of a DDoS attack attempting to exploit the WebDav vulnerability of IIS5. Now... I've LONG since patched this issue, but the problem I'm having now is that this continuous traffic is poisoning my log files with useless traffic. WebTrends currently doesn't seem to have any way to ignore HTTP SEARCH commands, so I was wondering if anybody knew how to block these commands from even making it to my log files?

Security-wise, I have a Cisco 2610 Router with the 12.2(7b) IP-FW software, my firewall is a GnatBox Flash v3.4.1 (www.gta.com) and I'm using IIS5 under Windows 2000 with all current security patches.
Question by:CCongdon
LVL 49

Expert Comment

ID: 9740168
LVL 49

Expert Comment

ID: 9740183

Check this


LVL 49

Expert Comment

ID: 9740188

Author Comment

ID: 9740861

Thanks for the info links. However, they're not really what I was looking for.

Spyware: All of our workstations have Spybot S&D on them. NOBODY runs unauthorized apps on the servers (And since there's only 4 of us here and 2 of those don't normally go into the server room, that's easy to keep tabs on.)

Firewall: I personally believe the GnatBox series of firewalls is a good solid product. It is an ICSA-certified firewall that I have been using for many years now and am quite happy with. The main problem of the DDoS we're seeing is that it's coming through Port 80, which we obviously can't block since we have to serve pages.

Cisco & JMU links: Good info to have on hand. Although the JMU stuff seems to be more in line with keeping your systems from being infected and initiating the DoS attacks.


Expert Comment

ID: 9781095
install this if you haven't already:

also look into secureiis if you got the money. it's kinda like urlscan but with a lot more options and filters - http://www.eeye.com/html/Products/SecureIIS/

for a quick fix, what you can do is use urlscan to block the webdav exploit url. this will make it so that the url request doesn't reach iis, thus it will never be logged in the iis log files and consume space. however, i think it may be logged in urlscan log files but i think there is a way to prevent that too.
well either way. i don't know the specific url you should be blocking, but that's the theory anyways. use urlscan's url filter to block the request so it never comes to iis.

Author Comment

ID: 9781143
Thanks for the info...however... This isn't quite what I asked. Of course, I'm used to this by now. Every time I've asked this question, I get people telling me what's hitting me and how to make sure my server isn't affected by it... My true question is... How do I make HTTP SEARCH commands not appear in my log files. The extra traffic seen by webtrends is poisoning my logs and making it appear that I'm getting more traffic than I should be. Or even, is there a way to make sure that an HTTP SEARCH command never gets to IIS. Even if you IISLockdown, the SEARCH command still gets to the server, it's just that the server ignores it.

Accepted Solution

nonsence earned 1500 total points
ID: 9783030
but that's what i'm trying to say. using either secureiis or urlscan you can block http search commands.
i think what you gotta do is go to the [DenyVerbs] section of the urlscan.ini file. and then add SEARCH under it. and under [AllowVerbs] delete SEARCH so it's not allowed.
here's an article about how to configure urlscan - http://www.iisfaq.com/default.aspx?View=A384&P=134

now this only works if urlscan is the first filter that picks up client requests. otherwise webtrends will pick it up anyways and it will still be logged by webtrends but at least not by iis, and that's still not good.

i'm not sure your cisco router or gnatbox flash firewall have specific http proxy features or filters.

is webtrends and iis all on one server or are they two different computers?
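
As an added example (not part of the original answer and not UrlScan's own code): a Python check that reads a urlscan.ini and reports whether a verb would be rejected, showing why the answer edits both sections. It assumes UrlScan's documented behaviour that `UseAllowVerbs=1` consults only `[AllowVerbs]` (case-sensitive) and `UseAllowVerbs=0` consults only `[DenyVerbs]` (case-insensitive); the `.ini` fragments and the function name `verb_blocked` are constructed for illustration.

```python
import configparser

# Constructed urlscan.ini fragments (sample input, not taken from the thread).
BEFORE = """\
[Options]
UseAllowVerbs=1
[AllowVerbs]
GET
HEAD
POST
SEARCH
[DenyVerbs]
PROPFIND
SEARCH
"""
AFTER = BEFORE.replace("POST\nSEARCH\n", "POST\n")  # SEARCH removed from [AllowVerbs]


def verb_blocked(ini_text, verb):
    """Return (blocked, reason) for an HTTP verb under this urlscan.ini text."""
    cp = configparser.ConfigParser(allow_no_value=True, strict=False,
                                   interpolation=None, delimiters=("=",))
    cp.optionxform = str  # keep entries exactly as written
    cp.read_string(ini_text)
    sec = {name.lower(): dict(cp[name]) for name in cp.sections()}
    opts = {k.lower(): (v or "").strip() for k, v in sec.get("options", {}).items()}
    if "useallowverbs" not in opts:
        raise ValueError("UseAllowVerbs is not set in [Options]")
    if opts["useallowverbs"] == "1":
        # Allow-list mode: [DenyVerbs] is not consulted; the match is case-sensitive.
        allowed = set(sec.get("allowverbs", {}))
        if verb in allowed:
            return False, "listed in [AllowVerbs]"
        return True, "not listed in [AllowVerbs]"
    # Deny-list mode: [AllowVerbs] is not consulted; the match is case-insensitive.
    denied = {v.upper() for v in sec.get("denyverbs", {})}
    if verb.upper() in denied:
        return True, "listed in [DenyVerbs]"
    return False, "not listed in [DenyVerbs]"


if __name__ == "__main__":
    for label, text in (("before", BEFORE), ("after", AFTER)):
        print(label, verb_blocked(text, "SEARCH"))
```

In the `BEFORE` fragment SEARCH still passes even though it appears under `[DenyVerbs]`, because allow-list mode never reads that section.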
LVL 23

Expert Comment

by:Tim Holman
ID: 10976434
No comment has been added to this question in more than 21 days, so it is now classified as abandoned.
I will leave the following recommendation for this question in the Cleanup topic area:

--> Accept: nonsence

Any objections should be posted here in the next 4 days. After that time, the question will be closed.

EE Cleanup Volunteer
