I'm dealing with an ASP site that has been experiencing some downtime recently. It appears that connections from overseas have been flooding the site.
The most recent was last night. The site is a mix of FrontPage (I KNOW I KNOW) and ASP. The FrontPage sites were OK but the ASP pages were showing No data received error 324 or 'too many connections'.
The host was showing an average of about 200 pageviews a day but there were 2 days where that spiked to 8000 and 10000. I have to do some more research on the raw logs but that sounds like a possible dictionary attack.
Anyway, my question is, does anyone know of any type of firewall that could be plugged into a site like that? I am using an extension in Joomla that will look at incoming requests and block suspicious activity. I also have a product that does that running on a Windows server to protect against brute force attacks on the RDP.
Another question is that a quick look at the logs does not seem to show the IP traffic that would indicate an attack. My guess is that the actual attack is directed against the hosting control panel. If so, then there probably is little we can do other than to switch hosts. Does that sound logical?
Last question first... It's probably as likely the attack is against the domain name as the IP/hoster so moving may not fix the problem. Find out the real target before doing anything rash.
Presumably you are aware of the firewall on Windows OS but if it's a virtual machine (i.e. you do not rent the hardware or have full access to it) then that's not an answer.
A few years ago I used VisNetic as a firewall (another software solution). More versatile than the MS offering but the same problem as above if you do not have full server access. Plus, it's easier with VisNetic to lock yourself out. :(
If you have data centre access you might be able to put in a hardware firewall. More versatile still but less likely to be a solution.
If things aren't showing in site logs then look at other possibilities including (sad to say) a virus on the machine that's using your site to call out to others. Don't know about Joomla but WordPress is a nightmare at the moment.
@Dstiles - Thanks for the input.. I have some more info.
It appears it was an attack from one country.. I still have to go through the logs to try to see what they were trying to do.
The client is a very small business in a nice little niche. They are only using shared hosting so the Windows firewall or a hardware firewall would not work. From what I've seen so far, it looks like it was all incoming traffic and not outgoing. I checked the file dates of the ASP files and everything looks in order (although a smart hacker would change the file without changing the file dates).
I run an ASP-based website that serves hundreds of thousands of page views a day.
A Firewall won't do it. You might be lucky with a WAF (Web Application Firewall) but those cost money.
Without knowing details of your specific situation, it's hard to say, but here are things you should use. Some require IIS 7 or IIS 8:
- IIS URL Request Filtering with some rules to make sure only some HTTP verbs are allowed (you might want to check your logs to see if there is anything but GET/POST/HEAD). Also worth adding a rule to block SQL Injection attempts.
- IIS Dynamic IP Restrictions: automatically block requests from IP addresses after a certain specified number of requests per second or number of simultaneous requests.
- If you do not use ASP sessions, or if you use a shared session, implement IIS Web Garden so multiple IIS workers process ASP requests so that a long request won't block other short requests.
- Consider using Cloudflare as a frontend. Even the free one should be enough for you.
If you still have problems, search for my handle on the interwebs and you will know how to contact me.
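Added example, not part of the original posts and not any poster's code: a script for the raw-log review discussed in this thread. It reads an IIS W3C log, counts requests per client IP, lists requests using verbs other than GET/POST/HEAD, and flags IPs that exceed a per-second request count. The sample log lines, the paths in them and the `max_per_second` value are constructed assumptions.

```python
from collections import Counter

ALLOWED_VERBS = {"GET", "POST", "HEAD"}  # the verbs named in the post above

# Constructed sample in IIS W3C extended format (documentation-range IPs).
SAMPLE_LOG = """\
#Software: Microsoft Internet Information Services 7.5
#Fields: date time cs-method cs-uri-stem c-ip sc-status
2013-05-01 02:10:01 GET /default.asp 198.51.100.7 200
2013-05-01 02:10:05 POST /login.asp 203.0.113.9 200
2013-05-01 02:10:05 POST /login.asp 203.0.113.9 200
2013-05-01 02:10:05 POST /login.asp 203.0.113.9 200
2013-05-01 02:10:05 POST /login.asp 203.0.113.9 200
2013-05-01 02:10:06 PROPFIND / 192.0.2.44 404
2013-05-01 02:11:30 GET /products.asp 198.51.100.7 200
"""

def parse_w3c(text):
    """Yield one dict per request, using the #Fields directive for column names."""
    fields = []
    for line in text.splitlines():
        if line.startswith("#Fields:"):
            fields = line.split()[1:]          # column layout can change mid-file
        elif line and not line.startswith("#") and fields:
            values = line.split()
            if len(values) == len(fields):     # skip truncated or damaged rows
                yield dict(zip(fields, values))

def summarize(text, max_per_second=3):
    """Return (requests per IP, unexpected-verb requests, IPs over the limit)."""
    per_ip, per_ip_second, odd_verbs = Counter(), Counter(), []
    for row in parse_w3c(text):
        ip = row["c-ip"]
        per_ip[ip] += 1
        per_ip_second[(ip, row["date"], row["time"])] += 1
        if row["cs-method"].upper() not in ALLOWED_VERBS:
            odd_verbs.append((ip, row["cs-method"], row["cs-uri-stem"]))
    # max_per_second is an assumed threshold, not an IIS default.
    bursty = sorted({ip for (ip, _, _), n in per_ip_second.items()
                     if n > max_per_second})
    return per_ip, odd_verbs, bursty

if __name__ == "__main__":
    per_ip, odd_verbs, bursty = summarize(SAMPLE_LOG)
    print("Top talkers:", per_ip.most_common(5))
    print("Unexpected verbs:", odd_verbs)
    print("Over per-second limit:", bursty)
```

On shared hosting, run it against the log files downloaded from the host; the IPs it flags are candidates for a block list or a rate-limit rule.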