Our web server is being subjected to a Denial of Service attack. This began near the end of 2010, and we thought it was addressed. The site was moved to a hosted VM server running Windows Server 2008 64-bit running IIS7. We use 2 plugins to block the attacks. The built-in IPv4 Address and Domain Restrictions allows us to block ranges of IPs from where the attacks are sourced. I used ARIN.net to find out the range assigned to the ISP, and if it was RIPE or Latin American or Asia Pacific Class A network it got blocked. The plugin Dynamic IP Restrictions seemed to block everything else. I also had to disable logging to prevent the HDD from filling, but aside from that, these worked great.
Until this morning. Now we are being attacked differently. The attacks are causing 503 QueueFull errors, and these are causing a surge of logs in C:\windows\system32\LogFiles\HTTPERR\ that look like this:
2011-01-26 22:24:16 83.20.9.145 28581 <our server IP> 80 HTTP/1.1 GET / 503 1 QueueFull Classic+.NET+AppPool
(The above IP is part of a blocked Class A range.)
I've gone through and checked the configuration of the plugins, and made sure they were applied at the server level and inherited by the sites. Same with the log settings. If I start the main site, the one being attacked, the site will quickly crash and these errors and logs will build up very fast.
I'm stumped as to what else I can do (aside from upgrading to an even more expensive hosting account to get hardware firewall protection). Help?
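For triaging an HTTPERR flood like the one quoted above, here is an added example (not part of the original post) that counts QueueFull entries per client IP and per /8 and lists the sources that already sit inside a blocked range. It assumes the default HTTPERR field order; the sample lines, the blocked range and the function names are constructed for illustration.

```python
import ipaddress
from collections import Counter

# Assumed default HTTPERR field order (HTTP.sys error log).
FIELDS = ("date", "time", "c_ip", "c_port", "s_ip", "s_port", "version",
          "method", "uri", "status", "site_id", "reason", "queue")

# Constructed sample lines (documentation addresses), same layout as the post.
SAMPLE = """\
#Fields: date time c-ip c-port s-ip s-port cs-version cs-method cs-uri sc-status s-siteid s-reason s-queuename
2011-01-26 22:24:16 198.51.100.7 28581 192.0.2.10 80 HTTP/1.1 GET / 503 1 QueueFull Classic+.NET+AppPool
2011-01-26 22:24:16 198.51.100.7 28582 192.0.2.10 80 HTTP/1.1 GET / 503 1 QueueFull Classic+.NET+AppPool
2011-01-26 22:24:17 203.0.113.44 40112 192.0.2.10 80 HTTP/1.1 GET / 503 1 QueueFull Classic+.NET+AppPool
2011-01-26 22:24:18 203.0.113.9 51200 192.0.2.10 80 - - - - - Timer_ConnectionIdle -
truncated line
"""

def parse(text):
    """Yield one dict per well-formed entry; skip directives and short lines."""
    for line in text.splitlines():
        parts = line.split()
        if line.startswith("#") or len(parts) != len(FIELDS):
            continue
        yield dict(zip(FIELDS, parts))

def summarize(text, blocked=(), reason="QueueFull"):
    """Count entries with the given s-reason per client IP and per /8,
    and list the clients that already fall inside a blocked network."""
    nets = [ipaddress.ip_network(n) for n in blocked]
    per_ip, per_slash8 = Counter(), Counter()
    for e in parse(text):
        if e["reason"] != reason:
            continue
        try:
            ip = ipaddress.ip_address(e["c_ip"])
        except ValueError:  # malformed client address
            continue
        per_ip[str(ip)] += 1
        if ip.version == 4:
            per_slash8[str(ipaddress.ip_network(f"{ip}/8", strict=False))] += 1
    already_blocked = sorted(ip for ip in per_ip
                             if any(ipaddress.ip_address(ip) in n for n in nets))
    return {"per_ip": per_ip, "per_slash8": per_slash8, "already_blocked": already_blocked}

if __name__ == "__main__":
    report = summarize(SAMPLE, blocked=["198.0.0.0/8"])
    print(report["per_ip"].most_common(5), report["per_slash8"].most_common(5))
    print("already in blocked ranges:", report["already_blocked"])
```
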
I wish there was a software firewall that I could run on the machine to do this more intelligently, sort of like the IIS plugin but covering the OS.
NintendoID: Nailbunny 3DS: 3909-8796-4685