OSEC

 
From: Keith.Morgan (Keith.MorganTerradon.com)
Date: Mon Nov 12 2001 - 10:12:37 CST


    I'm cross-posting this, as it certainly qualifies as an incident.

    We also had this exact problem over the weekend. After reading your post, I
    contacted a friend whose network is (logically) close to ours. He indicated
    that the same problem occurred on their nets. I can't speak for his
    machines, but ours are fully up to current patch levels. I think something
    sneaky may be afoot. We're going to start doing an in-depth analysis of our
    logs.

    Has anyone else seen this type of behavior?

    If we find anything in our logs I'll follow up.

    > -----Original Message-----
    > From: Kledi [mailto:kledikledi.com]
    > Sent: Sunday, November 11, 2001 2:25 PM
    > To:
    > Subject: Strange IIS behavior,
    >
    >
    > Hello,
    >
    > I am a sysadm for an Internet provider, most of our systems are running
    > linux, but we have an NT box because some customers require ASP. In the
    > last couple of days, apparently we are experiencing some DoS attacks, and
    > it seems hard to figure out where these come from.
    >
    > What happens is that IIS keeps running, but port 80 does not remain open
    > any more. If I restart IIS, with the network cable attached, port 80 will
    > remain open, and I would be able to connect to it (locally). Another test
    > I did was I disabled our internet connection interfaces on the main
    > routers, and restarted IIS, and it did not stop responding. My suspicion
    > is some kind of a DoS attack, but even looking at all the logs of the
    > connections to our webserver, I do not see any specific host or network
    > that is connecting to the server frequently.
    >
    > Any suggestions?
    >
    > Best Regards,
    > Kledi
    >

    ----------------------------------------------------------------------------
    This list is provided by the SecurityFocus ARIS analyzer service.
    For more information on this free incident handling, management
    and tracking system please see: http://aris.securityfocus.com