Solved

HTTP SEARCH DoS Attack

Posted on 2003-11-13
10
281 Views
Last Modified: 2012-05-04
For a couple of months now, my network has been the target of a DDoS attack attempting to exploit the WebDav vulnerability of IIS5. Now... I've LONG since patched this issue, but the problem I'm having now is that this continuous traffic is poisoning my log files with useless traffic. WebTrends currently doesn't seem to have any way to ignore HTTP SEARCH commands, so I was wondering if anybody knew how to block these commands from even making it to my log files?

Security-wise, I have a Cisco 2610 Router with the 12.2(7b) IP-FW software, my firewall is a GnatBox Flash v3.4.1 (www.gta.com) and I'm using IIS5 under Windows 2000 with all current security patches.
0
Comment
Question by:CCongdon
  • 4
  • 2
  • 2
  • +1
10 Comments
 
LVL 49

Expert Comment

by:sunray_2003
ID: 9740154
0
 
LVL 49

Expert Comment

by:sunray_2003
ID: 9740168
0
 
LVL 49

Expert Comment

by:sunray_2003
ID: 9740183
CCongdon,

Check this

http://www.cisco.com/warp/public/707/newsflash.html

Thanks,
Sunray
0
PRTG Network Monitor: Intuitive Network Monitoring

Network Monitoring is essential to ensure that computer systems and network devices are running. Use PRTG to monitor LANs, servers, websites, applications and devices, bandwidth, virtual environments, remote systems, IoT, and many more. PRTG is easy to set up & use.

 
LVL 49

Expert Comment

by:sunray_2003
ID: 9740188
0
 
LVL 9

Author Comment

by:CCongdon
ID: 9740861
Sunray:

Thanks for the info links. However they're not really waht I was looking for.

Spyware: All of our workstations have Spybot S&D on them. NOBODY runs unauthorized apps on the servers (And since there's only 4 of us here and 2 of those don't normally go into the server room, that's easy to keep tabs on.)

Firewall: I personally believe the GnatBox series of firewalls is a good solid product. It is an ICSA-certified firewall that I have been using for many years now and am quite happpy with. The main problem of the DDoS we're seeing is that it's coming through Port 80, which we obviously can't block since we have to serve pages.

Cisco &  JMU links: Good info to have on hand. Although the JMU stuff seems to be more in line in dealing with keeping your systems from being infected and initiating the DoS attacks.

0
 
LVL 3

Expert Comment

by:nonsence
ID: 9781095
install this if you haven't already:
http://www.microsoft.com/windows2000/downloads/recommended/iislockdown/default.asp

also look into secureiis if you got the money. it's kinda like urlscan but with alot more options and filters - http://www.eeye.com/html/Products/SecureIIS/

for a quick fix, what you can do is use urlscan to block the webdav exploit url. this will make it so that the url request doesn't reach iis, thus it will never be logged in the iis log files and consume space. however, i think it may be logged in urlscan log files but i think there is a way to prevent that too.
well either way. i don't know the specific url you should be blocking, but that's the theory anyways. use urlscans url filter to block the request so it never comes to iis.
0
 
LVL 9

Author Comment

by:CCongdon
ID: 9781143
Thanks for the info...however... This isn't quite what I asked. Of course, I'm used to this by now. Every time I've asked this question, I get people telling me what's hitting me and how to make sure my server isn't affected by it... My true question is... How do I make HTTP SEARCH commands not appear in my log files. The extra traffic seen be webtrends is poisoning my logs and making it appear that I'm getting more traffic than I should be. Or even, is there a way to make sure that an HTTP SEARCH command never gets to IIS. Even if you IISLockdown, the SEARCH command still gets to the server, it's just that the server ignores it.
0
 
LVL 3

Accepted Solution

by:
nonsence earned 500 total points
ID: 9783030
but that's what i'm trying to say. using either secureiis or urlscan you can block http search commands.
i think what you gotta do is go to the [DenyVerbs] section of the urlscan.ini file. and then add SEARCH to under it. and under [AllowVerbs] delete SEARCH so it's not allowed.
here's an article about how to configure urlscan - http://www.iisfaq.com/default.aspx?View=A384&P=134

now this only works if urlscan is the first filter that picks up client requests. otherwise webtrends will pick it up anyways and it will still be logged by webtrends but at least not by iis, and that's still not good.

i'm not sure your cisco router or gnatbox flash firewall have specific http proxy features or filters.

is webtrends and iis all on one server or are they two different computers?
0
 
LVL 23

Expert Comment

by:Tim Holman
ID: 10976434
No comment has been added to this question in more than 21 days, so it is now classified as abandoned..
I will leave the following recommendation for this question in the Cleanup topic area:

--> Accept: nonsence

Any objections should be posted here in the next 4 days. After that time, the question will be closed.

tim_holman
EE Cleanup Volunteer
0

Featured Post

PRTG Network Monitor: Intuitive Network Monitoring

Network Monitoring is essential to ensure that computer systems and network devices are running. Use PRTG to monitor LANs, servers, websites, applications and devices, bandwidth, virtual environments, remote systems, IoT, and many more. PRTG is easy to set up & use.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

Suggested Solutions

Title # Comments Views Activity
firewall rule terminology 3 42
*STABLE* and free Linux Firewall distribution 6 87
Windows Firewall - Rule created ports still not opemn 5 75
Firewall blocking images 4 56
If you are like regular user of computer nowadays, a good bet that your home computer is on right now, all exposed to world of Internet to be exploited by somebody you do not know and you never will. Internet security issues has been getting worse d…
To setup a SonicWALL for policy based routing to be used with the Websense Content Gateway there are several steps that need to be completed. Below is a rough guide for accomplishing this. One thing of note is this guide is intended to assist in the…
Email security requires an ever evolving service that stays up to date with counter-evolving threats. The Email Laundry perform Research and Development to ensure their email security service evolves faster than cyber criminals. We apply our Threat…
Although Jacob Bernoulli (1654-1705) has been credited as the creator of "Binomial Distribution Table", Gottfried Leibniz (1646-1716) did his dissertation on the subject in 1666; Leibniz you may recall is the co-inventor of "Calculus" and beat Isaac…

816 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question

Need Help in Real-Time?

Connect with top rated Experts

9 Experts available now in Live!

Get 1:1 Help Now