Forum Moderators: open
I have been getting nailed with a DOS attack. The urls that my server get nailed with our non-stop, by the thousands, requesting invalid URLS.
The weakness my setup has is my part numbers has / in them. From what I have been told, this means "to call upon a sub folder" and that is why my web server is still returning valid pages even though the last portion of the URL is invalid.
I was told I need to stop these before IIS processes the request. Is there a way to filter these in IIS. I tried URL scan, but really didnt work. The request ALWAYS come in requesting the SAME invalid folders in a long character url.
HELP ME. Any ideas?
I have contacted my host to see if they can filter these thousands of incoming requests but have yet to hear back.
I have been getting nailed with a DOS attack.
I'm not too certain this would be classified as a DOS Attack. But the word Attack describes it well, huh? :(
The urls that my server get nailed with our non-stop, by the thousands, requesting invalid URLS.
When you say invalid, do you mean they return a 404 server response? Or, can you browse those URIs that are being generated and see a page that returns a 200 server response?
I have contacted my host to see if they can filter these thousands of incoming requests but have yet to hear back.
That is probably your only option at this point. Someone has to stop it at the server. Unless you have a facility in place and can intercept those requests, trap them and do whatever.
I'm more concerned about the "invalid URIs" comment...
My server does not return a 404. It returns the valid page with a 200 response. However, the URL is valid because my part numbers have a / character in them, and it seems the attacks take advantage of URLS with a / in the part number to call upon these invalid sub folders.
For example, a invalid url request which I will get flooded with is http://www.example.com/moreinfo.int?itemno=product55/2/js/js/js/js/js/js/js/js/js/js/js/js/js/js/js/js/js/js/js/js/js/js/js/js/js/js/js/js/js/js/topbar.js/data.js
The url that is VALID is: http://www.example.com/moreinfo.int?itemno=product55/2
Anything after that is just added characters that are invalid and shouldn't be calling upon those invalid folders for any reason. Notice how they call up my item numbers that contain a / in the part number (which is part of the url)
Any other ideas?
Thanks!
[edited by: Lightguy1 at 4:07 pm (utc) on June 16, 2008]
[edited by: engine at 4:53 pm (utc) on June 16, 2008]
[edit reason] examplified [/edit]
Any other ideas?
Competitive sabotage? If those invalid URIs are returning a 200 server header, that is a major problem. If you were to search the SEs for those strings, are they appearing in the indices? If so, I'd be more apt to believe that you are being sabotaged either intentionally or it could be accidentally. But, based on how you've described it, I'd say it was intentional. Someone, something have discovered a major flaw in your technical implementation and are now capitalizing on that. I could be talking out my "you know what" but what you describe sure sounds like a common practice these days.
That trailing forward slash in the part number I believe is going to cause major challenges for you.
My programmer told me I need to filter the request in IIS so IIS will just not process it. Is there any program I can addon to IIS that will filter these out?
If I search in SEs, I will not see these URLS as results.
If this is a recent occurrence, it would take a little time before the results of the spidering taking place right now are visible.
It is not google bot or any other SE bots trying to call these URLs.
Understood. But, it may be a bot programmed to index every possible URI scenario from your architecture. Usually they are a bit more stealthy and unless you watch your 404s like a hawk, you may not detect what is going on.
My programmer told me I need to filter the request in IIS so IIS will just not process it. Is there any program I can addon to IIS that will filter these out?
Yes. ISAPI_Rewrite is one third party program that can be utilized to do what you need to do. Any invalid URI should be returning a 404 and not a 200, that's a major flaw in the dynamics and may be the reason why you are under attack right now.
Also, that trailing forward slash in the part number I believe is going to cause major challenges for you. Did I say that before? ;)
My site does return a proper 404 for invalid items, but not if the item number contains the / in it. I am somewhat familiar with ISAPI_Rewrite, how would that be implemented in this occasion? To rewrite my URLs so they do not contain a trailing slash?
Thanks !
For example, a invalid url request which I will get flooded with is http://www.example.com/moreinfo.int?itemno=product55/2/js/js/js/js/js/js/js/js/js/js/js/js/js/js/js/js/js/js/js/js/js/js/js/js/js/js/js/js/js/js/topbar.js/data.js
Looks to me to be an endless 301 loop.
Looks to me to be an endless 301 loop.
Good catch, didn't even think of that. But it is endless, I count 30 loops.
And then we have to look at the angle of when one sabotages themselves. That happens everyday too. :(
Thanks
But it is endless, I count 30 loops.
The visitor will eventually give up and move on to another page or the server will bog down and drop the connection.
Lightguy1, if it is a 301 loop I can't help you. I'm not familiar with M$ servers.
It does not seem that they are gaining access to anything, just interrupting my service by all these constant requests.
Are you using URL rewrite software anywhere?
Are you doing automatic redirects anywhere?
I do automatic redirects for my old pages which get a 301 redirect and then I also send a redirect 404 for invalid pages.
I do automatic redirects for my old pages which get a 301 redirect.
How exactly are you doing that? And, are you using relative path references (../../) in the process? Just a thought...
