
Help with DoS Attack? (W2k8/IIS7)

NailbunnyPD (Registered User)
Our web server is being subjected to a Denial of Service attack. This began near the end of 2010, and we thought it was addressed. The site was moved to a hosted VM server running Windows Server 2008 64-bit with IIS7. We use 2 plugins to block the attacks. The built-in IPv4 Address and Domain Restrictions allows us to block the ranges of IP addresses from which the attacks are sourced. I used ARIN.net to find out the range assigned to the ISP, and if it was a RIPE, Latin American or Asia Pacific Class A network, it got blocked. The Dynamic IP Restrictions plugin seemed to block everything else. I also had to disable logging to prevent the HDD from filling, but aside from that, these worked great.

Until this morning. Now we are being attacked differently. The attacks are causing 503 QueueFull errors, and these are causing a surge of logs in C:\windows\system32\LogFiles\HTTPERR\ that look like this:

2011-01-26 22:24:16 83.20.9.145 28581 <our server IP> 80 HTTP/1.1 GET / 503 1 QueueFull Classic+.NET+AppPool

(The above IP is part of a blocked Class A range.)

I've gone through and checked the configuration of the plugins, and made sure they were applied at the server level and inherited by the sites. Same with the log settings. If I start the main site, the one being attacked, the site will quickly crash and these errors and logs will build up very fast.

I'm stumped as to what else I can do (aside from upgrading to an even more expensive hosting account to get hardware firewall protection). Help?

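An added example (not code from the thread) of the triage the post above does by hand: parse HTTPERR lines in the format quoted above, count 503 QueueFull hits per source address and per /24, and check each source against ranges assumed to be blocked already. The log lines, the server address 10.0.0.5 and the blocked ranges are constructed for the example. HTTP.sys writes these entries when the application pool queue is full, before the request ever reaches the IIS IP-restriction module, which is why addresses in a blocked range still appear in this log.

```python
import ipaddress
from collections import Counter

# Constructed sample in the HTTPERR layout quoted in the post (not real traffic).
# The #Fields header is what HTTP.sys writes at the top of each log file.
SAMPLE_LOG = """\
#Software: Microsoft HTTP API 2.0
#Fields: date time c-ip c-port s-ip s-port cs-version cs-method cs-uri sc-status s-siteid s-reason s-queuename
2011-01-26 22:24:16 83.20.9.145 28581 10.0.0.5 80 HTTP/1.1 GET / 503 1 QueueFull Classic+.NET+AppPool
2011-01-26 22:24:16 83.20.9.145 28582 10.0.0.5 80 HTTP/1.1 GET / 503 1 QueueFull Classic+.NET+AppPool
2011-01-26 22:24:17 203.0.113.77 40011 10.0.0.5 80 HTTP/1.1 GET / 503 1 QueueFull Classic+.NET+AppPool
2011-01-26 22:24:17 198.51.100.9 51234 10.0.0.5 80 HTTP/1.1 GET / 400 - Verb -
2011-01-26 22:24:18 203.0.113.78 40012 10.0.0.5 80 HTTP/1.1 GET /index.htm 503 1 QueueFull Classic+.NET+AppPool
"""

# Assumed ranges already blocked in IIS / Windows Firewall (hypothetical values).
BLOCKED = [ipaddress.ip_network(n) for n in ("83.0.0.0/8", "203.0.113.0/24")]


def parse_httperr(text):
    """Yield one dict per data line, naming columns from the #Fields header."""
    fields = None
    for line in text.splitlines():
        if line.startswith("#Fields:"):
            fields = line.split()[1:]
            continue
        if not line or line.startswith("#"):
            continue
        parts = line.split()
        if fields is None or len(parts) != len(fields):
            continue  # skip lines that do not match the declared columns
        yield dict(zip(fields, parts))


def is_blocked(ip, blocked=BLOCKED):
    """True if the address falls inside any range that is already blocked."""
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in blocked)


def summarize_queuefull(text, blocked=BLOCKED):
    """Count 503 QueueFull entries per source IP and per /24, and how many
    came from sources that the application-layer block lists already cover."""
    per_ip, per_net = Counter(), Counter()
    already_blocked = 0
    for rec in parse_httperr(text):
        if rec["sc-status"] != "503" or rec["s-reason"] != "QueueFull":
            continue
        ip = rec["c-ip"]
        per_ip[ip] += 1
        per_net[str(ipaddress.ip_network(ip + "/24", strict=False))] += 1
        if is_blocked(ip, blocked):
            already_blocked += 1
    return {"per_ip": per_ip, "per_net": per_net, "already_blocked": already_blocked}
```

A high `already_blocked` count confirms that the IIS-level restrictions are not the layer turning this traffic away, so the per-/24 counts are the input for blocks placed below IIS (the Windows Firewall rules described later in the thread) rather than for more IIS rules.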

Posts

  • NailbunnyPD (Registered User), edited January 2011
    For now, I am using Windows Firewall to block the IP ranges. I started with my base set of foreign Class A ranges, and from there I started the site again for a few minutes so I could capture some log files. With the logs, I again put them through the arin.net whois and started blocking the IP ranges that the source IPs belong to. I hate to do so, but I fear they will just DHCP another IP from the same provider. This has at least gotten our site back up and running.

    I wish there was a software firewall that I could run on the machine to do this more intelligently, sort of like the IIS plugin but covering the OS.

  • Dark Shroud (Registered User), edited January 2011
    If you're looking for a better software firewall, try Comodo; it's free to use.
