Posted on 2003-11-13
Medium Priority
Last Modified: 2012-05-04
For a couple of months now, my network has been the target of a DDoS attack attempting to exploit the WebDav vulnerability of IIS5. Now... I've LONG since patched this issue, but the problem I'm having now is that this continuous traffic is poisoning my log files with useless traffic. WebTrends currently doesn't seem to have any way to ignore HTTP SEARCH commands, so I was wondering if anybody knew how to block these commands from even making it to my log files?

Security-wise, I have a Cisco 2610 Router with the 12.2(7b) IP-FW software, my firewall is a GnatBox Flash v3.4.1 (www.gta.com) and I'm using IIS5 under Windows 2000 with all current security patches.
Question by:CCongdon
LVL 49

Expert Comment

ID: 9740168
LVL 49

Expert Comment

ID: 9740183

Check this


LVL 49

Expert Comment

ID: 9740188

Author Comment

ID: 9740861

Thanks for the info links. However they're not really what I was looking for.

Spyware: All of our workstations have Spybot S&D on them. NOBODY runs unauthorized apps on the servers (And since there's only 4 of us here and 2 of those don't normally go into the server room, that's easy to keep tabs on.)

Firewall: I personally believe the GnatBox series of firewalls is a good solid product. It is an ICSA-certified firewall that I have been using for many years now and am quite happy with. The main problem of the DDoS we're seeing is that it's coming through Port 80, which we obviously can't block since we have to serve pages.

Cisco & JMU links: Good info to have on hand. Although the JMU stuff seems to be more in line with dealing with keeping your systems from being infected and initiating the DoS attacks.


Expert Comment

ID: 9781095
install this if you haven't already:

also look into secureiis if you got the money. it's kinda like urlscan but with a lot more options and filters - http://www.eeye.com/html/Products/SecureIIS/

for a quick fix, what you can do is use urlscan to block the webdav exploit url. this will make it so that the url request doesn't reach iis, thus it will never be logged in the iis log files and consume space. however, i think it may be logged in urlscan log files but i think there is a way to prevent that too.
well either way. i don't know the specific url you should be blocking, but that's the theory anyways. use urlscan's url filter to block the request so it never comes to iis.

Author Comment

ID: 9781143
Thanks for the info...however... This isn't quite what I asked. Of course, I'm used to this by now. Every time I've asked this question, I get people telling me what's hitting me and how to make sure my server isn't affected by it... My true question is... How do I make HTTP SEARCH commands not appear in my log files. The extra traffic seen by webtrends is poisoning my logs and making it appear that I'm getting more traffic than I should be. Or even, is there a way to make sure that an HTTP SEARCH command never gets to IIS. Even if you IISLockdown, the SEARCH command still gets to the server, it's just that the server ignores it.

Accepted Solution

nonsence earned 1500 total points
ID: 9783030
but that's what i'm trying to say. using either secureiis or urlscan you can block http search commands.
i think what you gotta do is go to the [DenyVerbs] section of the urlscan.ini file. and then add SEARCH under it. and under [AllowVerbs] delete SEARCH so it's not allowed.
here's an article about how to configure urlscan - http://www.iisfaq.com/default.aspx?View=A384&P=134

now this only works if urlscan is the first filter that picks up client requests. otherwise webtrends will pick it up anyways and it will still be logged by webtrends but at least not by iis, and that's still not good.

i'm not sure your cisco router or gnatbox flash firewall have specific http proxy features or filters.

is webtrends and iis all on one server or are they two different computers?
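
For logs that already contain these entries, or where the filter-ordering caveat above applies, the SEARCH lines can be stripped before the analyzer reads the file. This is an added example, not part of the original thread; it assumes IIS W3C Extended logging with the cs-method field enabled, and the function name, deny list and sample log lines are constructed for illustration.

```python
# Added example: drop unwanted HTTP verbs from IIS W3C Extended log lines
# before a log analyzer reads them. Names and sample data are constructed.
DENY_METHODS = {"SEARCH"}  # verbs to drop; extend as needed

# Constructed sample: two header blocks with different field orders, as
# happens when logging settings change between service restarts.
SAMPLE_LOG = """\
#Software: Microsoft Internet Information Services 5.0
#Fields: date time c-ip cs-method cs-uri-stem sc-status
2003-11-13 10:00:01 192.0.2.10 GET /index.htm 200
2003-11-13 10:00:02 198.51.100.7 SEARCH / 411
2003-11-13 10:00:03 192.0.2.11 POST /form.asp 200
#Fields: date time cs-method cs-uri-stem sc-status c-ip
2003-11-13 11:00:01 SEARCH / 411 198.51.100.7
2003-11-13 11:00:02 GET /search.htm 200 192.0.2.12
"""

def filter_w3c_log(lines, deny=DENY_METHODS):
    """Return (kept_lines, dropped_count) for an iterable of log lines.

    The column holding cs-method is re-read from every '#Fields:' directive,
    so a change of field order part-way through a file is handled.
    """
    deny = {m.upper() for m in deny}
    kept, dropped, method_idx = [], 0, None
    for line in lines:
        text = line.rstrip("\r\n")
        if text.startswith("#"):
            if text.lower().startswith("#fields:"):
                fields = text.split(":", 1)[1].split()
                method_idx = (fields.index("cs-method")
                              if "cs-method" in fields else None)
            kept.append(line)  # directives are always preserved
            continue
        cols = text.split()
        if (method_idx is not None and len(cols) > method_idx
                and cols[method_idx].upper() in deny):
            dropped += 1  # match on the method column only, never the URI
            continue
        kept.append(line)  # keep anything that cannot be classified
    return kept, dropped

if __name__ == "__main__":
    kept, dropped = filter_w3c_log(SAMPLE_LOG.splitlines(True))
    print("".join(kept), end="")
    print(f"dropped {dropped} entries")
```

Keep the unfiltered originals archived; the dropped lines are still useful as a record of the attack traffic.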
LVL 23

Expert Comment

by:Tim Holman
ID: 10976434
No comment has been added to this question in more than 21 days, so it is now classified as abandoned.
I will leave the following recommendation for this question in the Cleanup topic area:

--> Accept: nonsence

Any objections should be posted here in the next 4 days. After that time, the question will be closed.

EE Cleanup Volunteer


Question has a verified solution.
