IIS 5 & IIS 6
Hack / Site Slowdown / DoS Attack Yesterday ~ please help!
Last post Jun 09, 2008 02:59 PM by rfwilliams777
May 29, 2008 04:21 PM|adarwich
We experienced a DoS attack yesterday (not the first time), where one of our sites was attacked, causing SQL Server to run at 100% CPU and bring down the server. Today, CPU performance has been hovering around 10-30% on average, with peaks (every couple of minutes) to 100% or so, and then back to normal. Network utilization is around 15-25%.
The sites, however, are up and down, down about 75% of the time. The only error message received is that the server might be busy (but it actually isn't). I've recycled pools, restarted IIS, stopped certain sites, checked logs and the Event Log, but have found nothing.
Can anyone provide some tips, guidance, or assistance of any kind with this? Any help would be greatly appreciated.
May 29, 2008 10:47 PM|steve schofield
A few tips I can think of.
1) If possible, block IPs that are causing the DoS. You can use Log Parser to get a list of IP addresses. Download Log Parser and run this query; it gives you the top 25 client IP requests from a site.
logparser.exe -i:iisw3c "select top 25 count(*) as HitCount, c-ip from <example.com> group by c-ip order by HitCount DESC" -o:csv
2) Investigate using some form of IDS (intrusion detection system) / IPS (intrusion protection system). These types of attacks can be reduced at the network layer.
3) What type of attack is it? Is it a SQL injection type of HTTP attack? Look at your IIS logs.
4) Make sure your server is up-to-date on service packs / security patches.
5) Rename your Administrator account to something unique, create a dummy Administrator account.
6) Only expose necessary ports.
7) Consider using host-headers and not accepting IP-based requests. This is a nice way to lock down requests from bots.
8) Run Profiler on SQL Server when it is running at higher utilization to capture inefficient queries or other code.
Windows Server MVP - IIS
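An added example, not part of the original posts: a Python sketch that combines tips 1 and 3 by counting hits per client IP in IIS W3C logs and flagging query strings that look like SQL injection. The sample log is constructed, and the `summarize` helper and its regex markers are hypothetical heuristics, not Log Parser features.

```python
import re
from collections import Counter
from urllib.parse import unquote_plus

# Constructed sample in IIS W3C extended format (documentation IP ranges).
SAMPLE_LOG = """\
#Software: Microsoft Internet Information Services 6.0
#Fields: date time c-ip cs-method cs-uri-stem cs-uri-query sc-status
2008-05-28 14:01:02 203.0.113.7 GET /products.asp id=12 200
2008-05-28 14:01:02 203.0.113.7 GET /products.asp id=12;DECLARE+@S+VARCHAR(4000);EXEC(@S) 500
2008-05-28 14:01:03 198.51.100.23 GET /default.asp - 200
2008-05-28 14:01:03 203.0.113.7 GET /products.asp id=1+UNION+SELECT+name+FROM+sysobjects 500
#Fields: date time cs-method cs-uri-stem cs-uri-query c-ip sc-status
2008-05-28 14:05:10 GET /products.asp id=3%27+OR+1%3D1-- 203.0.113.7 200
2008-05-28 14:05:11 GET /default.asp - 192.0.2.44 200
"""

# Heuristic markers only (assumption): a match is a lead to review, not proof.
SQLI = re.compile(r"\b(declare\s+@|exec\s*\(|union\s+select|cast\s*\()|'\s*or\s+\d", re.I)

def summarize(lines, top=25):
    """Return (top client IPs by hit count, per-IP count of suspicious queries)."""
    fields, hits, suspicious = [], Counter(), Counter()
    for line in lines:
        line = line.strip()
        if line.startswith("#Fields:"):
            # IIS rewrites this header on restart; column order can change mid-file.
            fields = line.split()[1:]
            continue
        if not line or line.startswith("#") or not fields:
            continue
        values = line.split(" ")
        if len(values) != len(fields):
            continue  # truncated or malformed row
        row = dict(zip(fields, values))
        if "c-ip" not in row:
            continue  # site is not logging the client IP field
        ip = row["c-ip"]
        hits[ip] += 1
        if SQLI.search(unquote_plus(row.get("cs-uri-query", "-"))):
            suspicious[ip] += 1
    return hits.most_common(top), dict(suspicious)

if __name__ == "__main__":
    top_ips, flagged = summarize(SAMPLE_LOG.splitlines())
    for ip, count in top_ips:
        print(f"{count:6d}  {ip}  suspicious={flagged.get(ip, 0)}")
```

An IP that ranks high on both counts is a candidate for the block list in tip 1; a high hit count with no flagged queries points back at volume rather than injection.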
Jun 09, 2008 02:59 PM|rfwilliams777
I couldn't have said it any better.