Dealing With Denial of Service Attacks

Aug 22, 2008 security aspnet suggest edit

As Scott wrote last week, using a punny title I have to admire, he and I (among many others) were both the subject of a DoS (Denial of Service) attack. Looking through my logs, it looks to actually be a DDoS (Distributed Denial of Service) attack coming from multiple IP addresses.

The attack appears to actually be an attempt at a SQL Injection attack, but for his blog, which stores its data in XML files, that is entirely pointless. For my blog, which doesn’t do any inline SQL, it’s also mostly pointless. So far, the SQL injection part of the attack has failed, but it has succeeded in pegging my CPU. Maybe that’s the actual intended goal. Only the attacker knows.

LogParser Queries

The first clue (besides my site being down) is that my log file for today is huge at 9:00 AM.

log-files

The next step is to run some queries against my logs using the fantastic LogParser tool. This post, entitled Forensic Log Parsing with Microsoft’s LogParser is a great resource for constructing queries. The focus tends to be more on investigating an actual intrusion. The queries I need are to discover what kind of DoS attack I’m experiencing. Here’s the query I’m using so far…

  logparser "SELECT c-ip, COUNT(*), STRLEN(cs-uri-query) as LENGTH, cs-uri-query 
  FROM C:\WINDOWS\system32\LogFiles\W3SVC1\ex080822.log 
  GROUP BY Length, cs-uri-query, c-ip 
  HAVING Length > 500 
  ORDER BY LENGTH DESC" -rtp:-1 > long-query.txt

Note that I’m running this for a single log file for the day. I could use a wildcard and run this for all my log files. The very last snippet, > long-query.txt, pipes the output to a text file. Here’s a snippet of one of the query strings I’m seeing:

?’;DECLARE%20@S%20CHAR(4000);SET%20@S=CAST…*snip*…%20AS%20CHAR(4000));EXEC(@S);

The length of these query strings are all very long. Interestingly enough, there’s no smooth transition in length. For example, there are no query strings of length 500 – 1000.

URL Scan

I then went and installed URLScan 3.0 Beta, which Scott wrote about, and went into the configuration file (located at C:\WINDOWS\system32\inetsrv\urlscan\UrlScan.ini by default and changed the following setting near the bottom:

  MaxQueryString=2048

From its default of 2048 to another smaller value.

The other setting I changed is to allow dots in the path because I have many URLs that contain dots.

  AllowDotInPath=1

Found a typo or mistake in the post? suggest edit

Comments

21 responses

Dale Ragan • August 21st, 2008
I was wondering what happened. I was trying to find some resources on ASP.NET MVC yesterday from you and site was running really slow.
Glad to see you're back up.
haacked • August 22nd, 2008
Thanks! Me too!
Mike Brown • August 22nd, 2008
Phil,
Did you know Julius Carry (AKA Shonuff) died of pancreatic cancer recently? blogs.bet.com/.../?cid=idnb
I do love that movie though...I'll probably watch it tonight.
Wili • August 22nd, 2008
I have seen this show up also on our server. Does anyone know what kind of SQL injection attack it is? What will it do to SQL Server it it was allowed to run?
Sergey • August 22nd, 2008
Congrats with successful fighting because I also noticed today some *lag* :) Now it seems to work smoothly. Btw seems this line "From its default of 2048 to another smaller value." should be one paragraph above ;)
Andrei Rînea • August 22nd, 2008
I am not very educated in the (D)DoS area but I guess you could very well study the behavior of a site and learn which requests take the longest time. These might be requests that take a lot of CPU and/or RAM and/or other resources (Network I/O, Disk I/O etc.)
Then you might pound the site from multiple IPs for these certain requests and peg the CPU for a while (until your IPs get banned or sth...)
Phil, maybe you could delight us with a post regarding how (D)DoS's work and how we can efficiently protect against them.
Thanks,
Andrei.
Rod Mac • August 22nd, 2008
I am experiencing something very similar (lines and lines of declares then encoded characters) and it appears to be an append to a query string in the vain hope that a stored procedure is somehow going to accept a verbose string as a param instead of an integer. It is very weird and happens almost hourly. The site is not down though and I've thought about a redirect back to the mitigating IP address. Is someone trying to overwhelm SQL Server but to gain what? If anyone's got any light on this, would like to hear.
HeartattacK • August 22nd, 2008
Great...err...phil....could you please change your gravatar? It's so not you...and it kind of scares me (everytime I look at it) :)
George McKee • August 22nd, 2008
Wili asked what this SQL Injection attack will do. This looks identical to an attack I saw on one of my classic ASP sites in late April and early May. If sucessful the SQL script (which is binary encoded) injects an XSS script tag into every (n)varchar field of every table in your database. The length of the varchar fields affected must be about 50 characters or larger to be affected. Cleaning up this mess is a real PITA. Besides validating the length and data type of anything collected off the query string other things you can do to protect yourself is to limit the length of an allowable query string and disallow SQL reserved words like DECLARE or CAST or EXEC.
Edward J. Stembler • August 22nd, 2008
I wonder if you or anyone else can offer up anything more substantial?
Are there are any automated tools or utilities out there to help identify an attack? Anything which could automatically block the attackers?
Last year when I discovered my SQL Server database was the subject of a brute force attack, I was able to block the attacks via manually creating an IP/Sec policy.
I wonder if IP/Sec could be used similarly to block a DDoS or DoS attack? I'm no expert when it comes to IP/Sec, and found it pretty tedious/confusing to setup last year.
Steve Sheldon • August 22nd, 2008
The attack appears to actually be an attempt at a SQL Injection attack

Uhh, this stupid thing has been spreading across the Internet for about the last 4 months. It's not DDoS, it's a worm. It's really quite clever. The SQL it's inserting tells it to look at all tables and append javascript to any of the varchar columns.
URLScan is a good way of stopping it.
The other thing, apparently the worm is searching google for .asp and .aspx extensions.
mark • August 22nd, 2008
for these types of attack, i wonder which http status code is best to return? maybe 404?
Denny Ferrassoli • August 23rd, 2008
More info about these SQL Injection attacks can be found here: www.lockergnome.com/.../sql-injection-attacks-i...
Abdu • August 24th, 2008
I use Simple DNS Plus as my dns server software which has a nice feature of automatically blocking ip addresses which exceeded a number of requests per second or per minute. (One can exempt ip addresses). Effectively blocking DDOS attacks. It takes a lot less CPU there than letting IIS use URL Scan to handle these attacks.
You can probably do the same thing through your firewall if the firewall supports that.
URLScan is doing too much work to eliminate these attacks. While it can be effective, it's at the expense of CPU cycles.
Abdu
Edward J. Stembler • August 25th, 2008
I recently upgraded to a new router which supports SPI:

The SPI (Stateful Packet Inpection) Firewall protects your LAN against Denial of Service attacks.
Janet • September 27th, 2008
Recently my website got DDOS attack, and my server went down for 24 hours. I hope your Tips will help in future attacks.
Rob Reid • October 2nd, 2008
The majority of these automated hackbots originate in China or Russia so if you wanted to eliminate 90% of attacks you could block those countries. There is a tool widely available that the hackers use to create an attack. They just enter the URLs that they want injected and press the run button. The bot then uses Google to find sites to attack and then tampers with as many URLs as possible in the hope of coming across a hole in the site. I would say this isn't really an SQL DOS attack as they tend to consume your DB servers CPU by running long winded queries involving convaluted LIKE and OR statements in the hope of searching all your data and returning no records.
The fact that your CPU was hit may just be down to the frequency and number of these automated bots that are currently doing the rounds. I was logging 2000+ attempts of this form of SQL injection up until a few months ago. I have reduced the number of logged attempts down to less than 5 day now by using ISAPI rewrite rules to redirect any requests containing the 3 most common SQL injection fingerprints about to a banned page.
You can see details of the rules and other quick fix "plasters" on an article I wrote about the matter.
blog.strictly-software.com/.../...ection-hack.html
Hussain • January 22nd, 2009
I want to learn Denial Of service attacks.What can i do?
vijay • January 26th, 2010
your blog is so interesting and wonderful that I can't go back from it though in very busy schedule of mine.
cheers
toplist • April 30th, 2010
Recently my website got DDOS attack, and my server went down for 24 hours. I hope your Tips will help in future attacks.
ulf • October 7th, 2010
They just enter the URLs that they want injected and press the run button. Übersetzung Deutsch Englisch