IIS attack every day

  • Question

  • User-99878100 posted

    Hi, and thanks for your help, and sorry for my English.

    I am having a problem every day of the week (not Saturdays and Sundays) at the same hour, 15:30. At this hour SQL connections grow from 7-8 to 50 and web server anonymous connections grow from 20-30 to 150-200 in a few seconds.

    When this occurs I reset the server and it works OK until the next day at the same hour.

    I think that it is an attack or something like that. I think someone does the attack from his office, because on Saturdays and Sundays I do not have the attack.

    What can I do to detect what is really happening? If it is an attack, how can I know who it is?

    Thanks.

    Natxo.

    Thursday, February 8, 2007 1:56 PM

All replies

  • User1356161706 posted

    Natxo,

    Did you have a look in your log files? The IP address of the client will be in there. You can use logparser to do the DNS lookup of the top IP addresses.

    The following example gets the top 20 IP addresses and saves them in OUT.CSV. The second query does the reverse DNS lookup:

    logparser -i:W3C "SELECT TOP 20 c-ip, count(*) AS ipcount INTO OUT.CSV FROM %windir%\system32\logfiles\w3svc1\*.log GROUP BY c-ip ORDER BY ipcount DESC" -o:csv

    logparser "SELECT REVERSEDNS(c-ip) FROM OUT.CSV" -rtp:-1

    Hope this helps.


    Thursday, February 8, 2007 7:30 PM
  • User-823196590 posted
    Could be some type of indexing robot or spider that is scheduled to hit the site at the same time every day. As Thomas D said, check your logs ...
    Thursday, February 8, 2007 7:39 PM
  • User-99878100 posted

    Thanks, Thomas.

    I executed logparser with your commands using the log files of 1, 2, 5, 6, 7 and 8 of February. There is not one IP in first place every day... Because I reset the server, it is possible that I do not leave enough time to log the IP many times so that it grows into the top 20 IP count.

    http://www.sasua.net/top20ip.zip

    Here is a graphic to see how anonymous users in the web server and connections in SQL grow.

    http://www.sasua.net/graficoIIS.jpg

    How can I change the SELECT to view IPs between 2 hours? For example from 15:25 to 15:35? To see the top IPs when the attack occurs...

    Thanks.

    Friday, February 9, 2007 5:07 AM
  • User-99878100 posted

    Hi

    I added to the SQL:

    WHERE TO_TIMESTAMP(date, time) >= TO_TIMESTAMP('2007-02-06 15:29:00', 'yyyy-MM-dd hh:mm:ss') AND TO_TIMESTAMP(date, time) <= TO_TIMESTAMP('2007-02-06 15:32:00', 'yyyy-MM-dd hh:mm:ss')

    but I do not see one IP more than the others every day...

    Thanks

    Friday, February 9, 2007 6:30 AM
  • User989702501 posted

    What do you mean? Not the same IP?

    From the log file, you should be able to identify where those requests are coming from.


    Friday, February 9, 2007 7:10 AM
  • User-823196590 posted
    Doesn't make sense, from the level of activity you're reporting you should be able to see something.
    Friday, February 9, 2007 9:20 AM
  • User-99878100 posted

    Hi.

    Today's "attack" at 15:08 - 15:10, IP counts:

    http://www.sasua.net/out9.zip

    Graphic screens:

    http://www.sasua.net/grafico9feb1.jpg at 15:08:41

    http://www.sasua.net/grafico9feb2.jpg at 15:09:44

    I see the first IP but I think it is not significant.

    How can I change the SQL command to view which ASP pages are viewed? Can one ASP page do this? I do not know what I can do now. I do not know the next step to discover what is happening...

    Thanks for your help.

    Natxo.


    Friday, February 9, 2007 1:30 PM
  • User-823196590 posted
    Not sure what you expect us to tell from the CSV file in the zip. The section of the actual IIS log file would be more helpful.
    Friday, February 9, 2007 2:03 PM
  • User1356161706 posted

    Why don't you try the following:

    Maybe some requests just take much longer and therefore they accumulate. Here is a logparser query that lists all requests that take longer than 10 seconds. Note that you have to add the time-taken field to the log fields that get logged. IIS doesn't add this field by default.

    logparser "SELECT TOP 10 cs-uri-stem, COUNT(*) FROM *.log WHERE time-taken > 10000 GROUP BY cs-uri-stem ORDER BY COUNT(*) DESC" -i:IISW3C

    Another idea is to run your query only against your ASP pages. Here is an example of how to restrict the query to only ASP pages:

    logparser -i:IISW3C "SELECT TOP 20 cs-uri-stem, count(*) AS uricount FROM *.log WHERE EXTRACT_TOKEN(cs-uri-stem, -1, '.') = 'asp' GROUP BY cs-uri-stem ORDER BY uricount DESC"

    Hope this helps.

    Friday, February 9, 2007 9:57 PM
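    The same three questions from the thread (top client IPs inside a time window, as in the TO_TIMESTAMP WHERE clause; which .asp pages exceed a time-taken threshold) can be answered without logparser by reading the IIS W3C Extended log directly. The script below is an added example, not code from any poster; the log lines in it are constructed, and it assumes the time-taken field has been enabled so that it appears in the #Fields: directive.

```python
from collections import Counter
from datetime import datetime

# Constructed sample in IIS 6 W3C Extended format (not taken from the thread's log files).
SAMPLE_LOG = """#Software: Microsoft Internet Information Services 6.0
#Date: 2007-02-12 00:00:00
#Fields: date time c-ip cs-method cs-uri-stem cs-uri-query sc-status time-taken
2007-02-12 15:19:58 10.0.0.5 GET /default.asp - 200 120
2007-02-12 15:20:20 10.0.0.9 GET /buscar.asp q=1 500 31000
2007-02-12 15:20:25 10.0.0.9 GET /buscar.asp q=2 500 32500
2007-02-12 15:21:00 10.0.0.7 GET /img/logo.gif - 200 15
2007-02-12 15:34:10 10.0.0.5 GET /default.asp - 200 90
2007-02-12 18:37:02 10.0.0.9 GET /buscar.asp q=3 500 45000
"""

def parse_w3c(text):
    """Yield one dict per request line, keyed by the names in the #Fields: directive."""
    fields = None
    for raw in text.splitlines():
        if raw.startswith("#Fields:"):
            fields = raw.split()[1:]          # field names follow the directive
            continue
        if raw.startswith("#") or not raw.strip():
            continue                          # other directives and blank lines
        values = raw.split(" ")
        if fields is None or len(values) != len(fields):
            continue                          # skip truncated or malformed lines
        rec = dict(zip(fields, values))
        rec["ts"] = datetime.strptime(rec["date"] + " " + rec["time"], "%Y-%m-%d %H:%M:%S")
        yield rec

def in_window(records, start, end):
    """Keep requests with a timestamp in [start, end], like the TO_TIMESTAMP WHERE clause."""
    s, e = datetime.fromisoformat(start), datetime.fromisoformat(end)
    return [r for r in records if s <= r["ts"] <= e]

def top_ips(records, n=20):
    """Equivalent of 'SELECT TOP n c-ip, COUNT(*) ... GROUP BY c-ip ORDER BY count DESC'."""
    return Counter(r["c-ip"] for r in records).most_common(n)

def slow_asp(records, threshold_ms=10000):
    """Count .asp pages whose time-taken (milliseconds in IIS 6) exceeds the threshold."""
    hits = Counter(r["cs-uri-stem"] for r in records
                   if r["cs-uri-stem"].lower().endswith(".asp")
                   and r.get("time-taken", "-").isdigit()
                   and int(r["time-taken"]) > threshold_ms)
    return hits.most_common()
```

    Run it against a real log by replacing SAMPLE_LOG with the file contents; a page that dominates slow_asp() but not top_ips() points at slow server-side code rather than at one client.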
  • User-99878100 posted

    Hi.

    I added the time-taken field; on Monday I will have a log file with this field. Should I add any other field to the log files?

    I executed the logparser command that shows me the ASP pages, but I do not see anything abnormal.

    Here you have the log file of day 9 from 15:08 to 15:09:

    http://www.sasua.net/ex070209_1508_1509.zip less than 50 KB.

    Thanks for your time and help.

    Natxo.

    Thanks

    Saturday, February 10, 2007 5:32 AM
  • User-823196590 posted

    I don't see a high number of requests coming from any one IP. I did notice that you are allowing some SQL to be passed in the query string though - that could be dangerous.

    Is it possible that you have some inefficient ASP database code that's causing your server to hang?

    Saturday, February 10, 2007 12:59 PM
  • User-99878100 posted

    It is possibly inefficient ASP database code... but the strange thing is that it only executes once a day and at the same hour,... tomorrow, Monday, I hope to see, using the time-taken field, if one page takes a lot of time,...

    Thanks.

    Sunday, February 11, 2007 1:29 PM
  • User-99878100 posted

    Today 2 attacks, but in the log files the time-taken value is not useful, because when the "attack" occurs the response time increases for all ASP pages, not only one page, because during the attack the server does not send ASP pages as it is saturated or busy ...

    What can I do?

    Thanks.


    Monday, February 12, 2007 1:27 PM
  • User-823196590 posted
    Please post the log entries for the period.
    Monday, February 12, 2007 2:07 PM
  • User989702501 posted

    Can you post the complete IIS log file? Then specify the time range of the attack?

    Tuesday, February 13, 2007 4:24 AM
  • User-99878100 posted

    Hi.

    Here is the log file of Monday 12 with the time-taken field.

    http://www.sasua.net/ex070212.rar 20MB

    I have executed:

    logparser -i:IISW3C "SELECT date,time,c-ip,cs-uri-stem,cs-uri-query,time-taken INTO OUT12.CSV FROM ex070212.log where time-taken>30000"

    and I see many "Terminó_el_tiempo_de_espera" - "wait time out" of SQL SERVER beginning at 15:20:20

    The graphic where I see the growth of anonymous users and SQL connections begins at 15:36, not the same as the log file... The reset of the server you can see at 15:46:30. Also I see that in other hours saturations also occur, at 18:37.

    I have in the server another site with other logs:

    http://www.sasua.net/adm_ex070212.rar 50KB

    In this site they use MS Access and it could have some ASP page that takes the server resources... My new question is: can I isolate this site? I have IIS 6. Can I isolate using IIS 6, or must I change to the IIS 5.0 isolation system?

    Thanks.

    Tuesday, February 13, 2007 6:14 AM
  • User-99878100 posted

    Here is the graphic:

    http://www.sasua.net/grafico12feb.jpg

    Thanks.

    Tuesday, February 13, 2007 6:16 AM
  • User-823196590 posted
    In this site they use MS Access and it could have some ASP page that takes the server resources... My new question is: can I isolate this site? I have IIS 6. Can I isolate using IIS 6, or must I change to the IIS 5.0 isolation system?
    Yes - that's a great feature of IIS 6. You can create a new app pool just for that site to isolate it.
    Tuesday, February 13, 2007 8:14 AM
  • User-99878100 posted

    There have been no more "attacks" in 2 weeks. I do not know why,... but I have learned a lot with your help.

    Thanks!

    Natxo.

    Thursday, March 1, 2007 4:40 AM
  • User-823196590 posted

    Fabulous! We're here if you need us again.

    Thursday, March 1, 2007 4:17 PM
  • User-99878100 posted

    The "attack" is back.

    If I reset the server while the problem is occurring, could an ASP page not be registered in the log file because it spends a lot of time? Is an ASP page recorded in the log file when it ends?

    Thanks.

    Natxo.


    Wednesday, March 7, 2007 12:19 PM
  • User-823196590 posted
    Have you tried putting this site into its own app pool?
    Wednesday, March 7, 2007 12:37 PM
  • User-99878100 posted

    I have a lot of domains on one IP. All the domains go to one ASP page and then I do redirections, because all of them use the same pages and SQL database with different request values and parameters. But does the app pool work using the URL?

    I added a new app pool to the domain with the most visits.

    I will see what happens today and tell you.

    Thanks.

    Natxo.


    Thursday, March 8, 2007 5:19 AM
  • User-823196590 posted

    Back on Feb 13 you said ...

    In this site they use MS Access and it could have some ASP page that takes the server resources... My new question is: can I isolate this site? I have IIS 6. Can I isolate using IIS 6, or must I change to the IIS 5.0 isolation system?
    Has that changed now?

    Thursday, March 8, 2007 8:13 AM
  • User-99878100 posted

    The site which uses Access is isolated. In the graphics I do not see that this site has problems,... The anonymous users in this site are 0 when the attack occurs.

    The attack is something that increases SQL Server connections, but not SQL Server transactions/sec, and increases current anonymous users in the web service but does not increase web service current connections.

    But I do not know how to detect what it is,... :(

    Thanks.

    Natxo.


    Thursday, March 8, 2007 9:55 AM
  • User1073881637 posted

    If I understand your reply, the attack comes in as port 80 (HTTP) type requests. If that is the case and you have logging enabled, you'll have a record of the request in the logs. This appears to be someone running a robot scanning your network. If you accept all requests for an IP address, these types of attacks are common. One way to minimize robot type attacks is to use host headers exclusively.

    http://support.microsoft.com/kb/190008

    http://support.microsoft.com/kb/313437

    List of all fields available to be logged:

    http://www.microsoft.com/technet/prodtechnol/WindowsServer2003/Library/IIS/676400bc-8969-4aa7-851a-9319490a9bbb.mspx?mfr=true

    Friday, March 9, 2007 2:30 AM
  • User-99878100 posted

    Hi.

    I put a robots.txt file on the server to stop all robots' access to the pages, and the attack has not come back. I think that now the problem is resolved.

    I do not understand your solution very well, Steve, so I decided to stop all robots.

    Thanks to all!

    Natxo.

    Friday, March 23, 2007 6:35 AM
  • User1073881637 posted
    The robots.txt file is another way to stop 'bots' from indexing your site. Search engines mostly use these. Thanks for posting your solution.
    Friday, March 23, 2007 7:24 AM
  • User-823196590 posted
    Search engines like Google use an automated program to browse, crawl, and index web sites on a periodic basis. Well behaved scanners or "bots" know to look for the robots.txt file to know if they are allowed to scan your site.
    Friday, March 23, 2007 7:54 AM
  • User-99878100 posted

    The "attack" is back. It is not the robots,... I will try to obtain logs from SQL Server to see if I find something,...

    Natxo.

    Tuesday, March 27, 2007 11:29 AM
  • User1073881637 posted
    If this is SQL Server related, you can block port 1433 at your firewall.
    Wednesday, March 28, 2007 10:40 PM