
IIS atack every day

31 replies

Last post Mar 28, 2007 10:40 PM by steve schofield

  • IIS atack every day

    Feb 08, 2007 01:56 PM|Natxo|LINK

    Hi, and thanks for your help, and sorry for my English.

    I am having a problem every day of the week (not Saturdays and Sundays) at the same hour, 15:30. At this hour SQL connections grow from 7-8 to 50 and web server anonymous connections grow from 20-30 to 150-200 in a few seconds.

    When this occurs I reset the server and it works OK until the next day at the same hour.

    I think that it is an attack or something like that. I think someone does the attack from his office, because on Saturdays and Sundays I do not have the attack.

    What can I do to detect what is really happening? If it is an attack, how can I know who it is?

    Thanks.

    Natxo.


  • Re: IIS atack every day

    Feb 08, 2007 07:30 PM|thomad|LINK

    Natxo,

    Did you have a look in your logfiles? The IP address of the client will be in there. You can use logparser to do the DNS lookup of the TOP IP addresses.

    The following example gets the TOP20 IP addresses and saves it in OUT.CSV. The second query does the Reverse DNS lookup:

    logparser -i:W3C "SELECT TOP 20 c-ip, count(*) AS ipcount INTO OUT.CSV FROM %windir%\system32\logfiles\w3svc1\*.log GROUP BY c-ip ORDER BY ipcount DESC" -o:csv

    logparser "SELECT REVERSEDNS(c-ip) FROM OUT.CSV" -rtp:-1

    Hope this helps.

     

    Thomas Deml
    Group Program Manager
    Internet Information Services
    Microsoft Corp.
  • Re: IIS atack every day

    Feb 08, 2007 07:39 PM|tomkmvp|LINK

    Could be some type of indexing robot or spider that is scheduled to hit the site at the same time every day.  As Thomas D said, check your logs ...
  • Re: IIS atack every day

    Feb 09, 2007 05:07 AM|Natxo|LINK

    Thanks Thomad.

    I executed logparser with your commands using the log files of 1, 2, 5, 6, 7 and 8 of February. There is not one IP in first place every day... Because I reset the server, it is possible that I do not leave time to log the IP enough times to grow into the top 20 IP count.

    http://www.sasua.net/top20ip.zip

    Here is a graph showing how anonymous users on the web server and connections in SQL grow.

    http://www.sasua.net/graficoIIS.jpg

    How can I change the SELECT to view IPs between two times, for example from 15:25 to 15:35, to see the top IPs when the attack occurs?

    Thanks.

  • Re: IIS atack every day

    Feb 09, 2007 06:30 AM|Natxo|LINK

    Hi

    I added to the SQL:

    WHERE TO_TIMESTAMP(date, time) >= TO_TIMESTAMP('2007-02-06 15:29:00', 'yyyy-MM-dd hh:mm:ss') AND TO_TIMESTAMP(date, time) <= TO_TIMESTAMP('2007-02-06 15:32:00', 'yyyy-MM-dd hh:mm:ss')

    but I do not see one IP more than the others every day...

    Thanks

  • Re: IIS atack every day

    Feb 09, 2007 07:10 AM|qbernard|LINK

    What do you mean? Not the same IP?

    From the log file, you should be able to identify where those requests are coming from.

     

    Cheers,
    Bernard Cheah
  • Re: IIS atack every day

    Feb 09, 2007 09:20 AM|tomkmvp|LINK

    Doesn't make sense; from the level of activity you're reporting you should be able to see something.
  • Re: IIS atack every day

    Feb 09, 2007 01:30 PM|Natxo|LINK

    Hi.

    Today's "attack" at 15:08 - 15:10, IP counts:

    http://www.sasua.net/out9.zip

    Graphic Screens:

    http://www.sasua.net/grafico9feb1.jpg at 15:08:41

    http://www.sasua.net/grafico9feb2.jpg at 15:09:44

    I see the first IP but I think it is not significant.

    How can I change the SQL command to view which ASP pages are viewed? Can one ASP page do this? I do not know what I can do now. I do not know the next step to discover what is happening...

    Thanks for you help.

    Natxo.

     

  • Re: IIS atack every day

    Feb 09, 2007 02:03 PM|tomkmvp|LINK

    Not sure what you expect us to tell with the csv file in the zip.  The section of the actual IIS log file would be more helpful.
  • Re: IIS atack every day

    Feb 09, 2007 09:57 PM|thomad|LINK

    Why don't you try the following:

    Maybe some requests just take much longer and therefore they accumulate. Here is a logparser query that lists all requests that take longer than 10 seconds. Note that you have to add the time-taken field to the log fields that get logged. IIS doesn't add this field by default.

    logparser "SELECT TOP 10 cs-uri-stem, COUNT(*) FROM *.log WHERE time-taken > 10000 GROUP BY cs-uri-stem ORDER BY COUNT(*) DESC" -i:IISW3C

    Another idea is to run your query only against your asp pages. Here is an example how to restrict the query to only asp pages:

    logparser -i:IISW3C "SELECT TOP 20 cs-uri-stem, count(*) AS uricount FROM *.log WHERE EXTRACT_TOKEN (cs-uri-stem, -1, '.' ) = 'asp' GROUP BY cs-uri-stem ORDER BY uricount DESC"

    Hope this helps.

    Thomas Deml
    Group Program Manager
    Internet Information Services
    Microsoft Corp.
  • Re: IIS atack every day

    Feb 10, 2007 05:32 AM|Natxo|LINK

    Hi.

    I added the time-taken field; on Monday I will have a log file with this field. Should I add any other field to the log files?

    I executed the logparser query that shows me the ASP pages, but I do not see anything abnormal.

    Here you have the log file of day 9 from 15:08 to 15:09

    http://www.sasua.net/ex070209_1508_1509.zip less than 50 KB.

    Thanks for your time and help.

    Natxo.

    Thanks

  • Re: IIS atack every day

    Feb 10, 2007 12:59 PM|tomkmvp|LINK

    I don't see a high number of requests coming from any one IP.  I did notice that you are allowing some SQL to be passed in the query string though - that could be dangerous.

    Is it possible that you have some inefficient ASP database code that's causing your server to hang?

  • Re: IIS atack every day

    Feb 11, 2007 01:29 PM|Natxo|LINK

    Inefficient ASP database code is possible... but the strange thing is that it only executes one time a day and at the same hour... Tomorrow, Monday, I hope to see using the time-taken field whether one page takes a lot of time...

    Thanks.

  • Re: IIS atack every day

    Feb 12, 2007 01:27 PM|Natxo|LINK

    Today there were 2 attacks, but in the log files the time-taken value is not useful, because when the "attack" occurs the response time increases for all ASP pages, not only one page, because during the attack the server does not send ASP pages since it is saturated or busy...

    What can I do?

    Thanks.

     

  • Re: IIS atack every day

    Feb 12, 2007 02:07 PM|tomkmvp|LINK

    Please post the log entries for the period.
  • Re: IIS atack every day

    Feb 13, 2007 04:24 AM|qbernard|LINK

    Can you post the complete IIS log file, then specify the time range of the attack?

    Cheers,
    Bernard Cheah
  • Re: IIS atack every day

    Feb 13, 2007 06:14 AM|Natxo|LINK

    Hi.

    Here is the log file of Monday 12 with the time-taken field.

    http://www.sasua.net/ex070212.rar 20MB

    I have executed:

    logparser -i:IISW3C "SELECT date,time,c-ip,cs-uri-stem,cs-uri-query,time-taken INTO OUT12.CSV FROM ex070212.log where time-taken>30000"

    and I see many "Terminó_el_tiempo_de_espera" - "wait time out" of SQL SERVER beginning at 15:20:20

    The graph where I see the growth of anonymous users and SQL connections begins at 15:36, not the same as the log file... You can see the server reset at 15:46:30. I also see that saturation occurs at other hours too, at 18:37.

     I have in the server another site with other logs:

    http://www.sasua.net/adm_ex070212.rar 50KB

    In this site they use MS ACCESS and it could have some ASP page that takes the server resources... My new question is: can I isolate this site? I have IIS 6. Can I isolate it using IIS 6 or must I change to the IIS 5.0 isolation system?

    Thanks.
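
Added example, not part of any post in this thread: when every page shows a high time-taken during the pile-up, filtering on a threshold (as in the queries above) no longer singles out a page, but reconstructing each request's start time shows how many requests were in flight and which one began first. The sketch assumes the log entry is written when the request completes, so start = logged time minus time-taken; the log lines are constructed sample data and the function names are hypothetical.

```python
from datetime import datetime, timedelta

# Constructed sample in IIS W3C extended format (not taken from the thread's logs).
SAMPLE_LOG = """\
#Software: Microsoft Internet Information Services 6.0
#Fields: date time c-ip cs-uri-stem cs-uri-query time-taken
2007-02-12 15:20:01 192.0.2.10 /default.asp - 120
2007-02-12 15:20:05 192.0.2.11 /list.asp cat=3 300
2007-02-12 15:21:10 192.0.2.12 /report.asp id=7 62000
2007-02-12 15:21:12 192.0.2.13 /default.asp - 45000
2007-02-12 15:21:12 192.0.2.14 /list.asp cat=9 40000
2007-02-12 15:21:13 192.0.2.10 /default.asp - 38000
2007-02-12 15:21:30 192.0.2.15 /default.asp - 200
"""

def parse_w3c(text):
    """Return one dict per request, taking column names from the #Fields line."""
    fields, out = [], []
    for line in text.splitlines():
        if line.startswith("#Fields:"):
            fields = line.split()[1:]
        elif line.strip() and not line.startswith("#"):
            row = dict(zip(fields, line.split()))
            end = datetime.strptime(f"{row['date']} {row['time']}", "%Y-%m-%d %H:%M:%S")
            # Assumption: the entry is written at completion, so start = end - time-taken.
            start = end - timedelta(milliseconds=int(row["time-taken"]))
            out.append({"uri": row["cs-uri-stem"], "ip": row["c-ip"], "start": start, "end": end})
    return out

def peak_in_flight(requests):
    """Sweep start/end events and return (peak concurrent requests, time of peak)."""
    events = sorted([(r["start"], 1) for r in requests] + [(r["end"], -1) for r in requests])
    open_now, peak, peak_at = 0, 0, None
    for when, delta in events:
        open_now += delta
        if open_now > peak:
            peak, peak_at = open_now, when
    return peak, peak_at

def first_stuck(requests, peak_at, n=3):
    """Requests still running at the peak, oldest start first."""
    stuck = [r for r in requests if r["start"] <= peak_at < r["end"]]
    return sorted(stuck, key=lambda r: r["start"])[:n]

if __name__ == "__main__":
    reqs = parse_w3c(SAMPLE_LOG)
    peak, peak_at = peak_in_flight(reqs)
    print(f"peak of {peak} in-flight requests at {peak_at}")
    for r in first_stuck(reqs, peak_at):
        print(r["start"].time(), r["uri"], r["ip"])
```

In the sample, /report.asp is logged at 15:21:10 but started at 15:20:08, before the other slow requests, which is the ordering a filter on log time alone hides.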

  • Re: IIS atack every day

    Feb 13, 2007 06:16 AM|Natxo|LINK

    Here is the graph:

    http://www.sasua.net/grafico12feb.jpg

    Thanks.

  • Re: IIS atack every day

    Feb 13, 2007 08:14 AM|tomkmvp|LINK

    Natxo

    "In this site they use MS ACCESS and it could have some ASP page that takes the server resources... My new question is: can I isolate this site? I have IIS 6. Can I isolate it using IIS 6 or must I change to the IIS 5.0 isolation system?"

    Yes - that's a great feature of IIS 6.  You can create a new app pool just for that site to isolate it.
  • Re: IIS atack every day

    Mar 01, 2007 04:40 AM|Natxo|LINK

    There have been no more "attacks" in 2 weeks. I do not know why... but I have learned a lot with your help.

     Thanks!

     Natxo.

  • Re: IIS atack every day

    Mar 01, 2007 04:17 PM|tomkmvp|LINK

    Fabulous!  We're here if you need us again.

  • Re: IIS atack every day

    Mar 07, 2007 12:19 PM|Natxo|LINK

    The "attack" is back.

    If I reset the server when the problem occurs, could an ASP page not be registered in the log file because it takes a lot of time? Is an ASP page recorded in the log files when it ends?

    Thanks.

     Natxo.

     

  • Re: IIS atack every day

    Mar 07, 2007 12:37 PM|tomkmvp|LINK

    Have you tried putting this site into its own app pool?
  • Re: IIS atack every day

    Mar 08, 2007 05:19 AM|Natxo|LINK

    I have a lot of domains on one IP. All the domains go to one ASP page and then I do redirections, because they all use the same pages and SQL database with different request values and parameters. But does the app pool work using the URL?

    I added a new app pool for the domain with the most visits.

    I will see what happens today and tell you.

    Thanks.

    Natxo.

     

  • Re: IIS atack every day

    Mar 08, 2007 08:13 AM|tomkmvp|LINK

    Back on Feb 13 you said ...

    Natxo

    "In this site they use MS ACCESS and it could have some ASP page that takes the server resources... My new question is: can I isolate this site? I have IIS 6. Can I isolate it using IIS 6 or must I change to the IIS 5.0 isolation system?"

    Has that changed now?

  • Re: IIS atack every day

    Mar 08, 2007 09:55 AM|Natxo|LINK

    The site that uses Access is isolated. In the graphs I do not see that this site has problems... The anonymous users on this site are 0 when the attack occurs.

    The attack is something that increases SQL Server connections but not SQL Server transactions/sec, and increases current anonymous users in the web service but not current web service connections.

    But I do not know how to detect what it is... :(

    Thanks.

    Natxo.

     

  • Re: IIS atack every day

    Mar 09, 2007 02:30 AM|steve schofield|LINK

    If I understand your reply, the attack comes on port 80 (HTTP) type requests.  If that is the case and you have logging enabled, you'll have a record of the request in the logs.  This appears to be someone running a robot scanning your network.  If you accept all requests for an IP address, these types of attacks are common.  One way to minimize robot type attacks is to use host-headers exclusively.

    http://support.microsoft.com/kb/190008

    http://support.microsoft.com/kb/313437

    List of all fields available to be logged.

    http://www.microsoft.com/technet/prodtechnol/WindowsServer2003/Library/IIS/676400bc-8969-4aa7-851a-9319490a9bbb.mspx?mfr=true

    Steve Schofield
    Windows Server MVP - IIS
    http://iislogs.com/steveschofield
    http://www.IISLogs.com
    Log archival solution
    Install, Configure, Forget

  • Re: IIS atack every day

    Mar 23, 2007 06:35 AM|Natxo|LINK

    Hi. 

    I put a robots.txt file on the server to stop all robot access to the pages and the attack has not come back. I think that the problem is now resolved.

    I do not understand your solution very well, Steve, so I decided to stop all robots.

    Thanks to all !

    Natxo.

  • Re: IIS atack every day

    Mar 23, 2007 07:24 AM|steve schofield|LINK

    The robots.txt file is another way to stop 'bots' from indexing your site.  Search engines mostly use these.  Thanks for posting your solution. 

    Steve Schofield
    Windows Server MVP - IIS

  • Re: IIS atack every day

    Mar 23, 2007 07:54 AM|tomkmvp|LINK

    Search engines like Google use an automated program to browse, crawl, and index web sites on a periodic basis.  Well behaved scanners or "bots" know to look for the robots.txt file to know if they are allowed to scan your site.
  • Re: IIS atack every day

    Mar 27, 2007 11:29 AM|Natxo|LINK

    The "attack" is back. It is not the robots... I will try to obtain logs from SQL Server to see if I find something...

    Natxo.

  • Re: IIS atack every day

    Mar 28, 2007 10:40 PM|steve schofield|LINK

    If this is SQL Server related, you can block port 1433 at your firewall.

    Steve Schofield
    Windows Server MVP - IIS