I was reading some posts on Twitter over the past couple of days and noticed some Tweets from Phil Haack and Scott Hanselman regarding an attack on the web servers for their blogs, which caused a large spike in traffic. They determined it was some type of Distributed Denial of Service (DDOS) attack. I decided to check out my own server, on which I host this site, and to my surprise the same thing had been happening to me all day, with a 10x increase in traffic.
I reviewed my server logs and saw some really large QueryStrings being sent which looked like this:
2008-08-08 05:51:53 W3SVC2557 SV2419 18.104.22.168 GET /asp-net/feed/ ';DECLARE%20@S%20CHAR(4000);SET%20@S=CAST(0x4445434C415245204054207661726368617228323535292C40432076617263686172283430303029204445434C415245205461626C655F43757273
F437572736F72%20AS%20CHAR(4000));EXEC(@S); 80 - 22.214.171.124 HTTP/1.1 Mozilla/4.0+(compatible;+MSIE+6.0;+Windows+NT+5.1;+SV1;
+Zango+10.3.74.0) - - accidentaltechnologist.com 200 0 0 27171 1514 3328
It appears this is more of a SQL Injection attack and not just simply a DDOS. You can see the EXEC(@S) where they are trying to execute some nasty SQL on my server. Rick Strahl has also had some similar problems and he addresses the issue in IIS 7.0.
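One way to find these requests in an IIS log and read what the hex blob contains without running it, as an added example that is not part of the original post. The sample lines are constructed (documentation-range addresses, a harmless stand-in payload), and the field positions assume the W3C field order of the log entry above.

```python
import re
from urllib.parse import unquote_plus

# Constructed sample lines using the field order of the log entry above.
# Addresses are documentation ranges; the hex payload is a harmless stand-in.
SAMPLE_LOG = (
    "2008-08-08 05:51:53 W3SVC1 WEB01 192.0.2.10 GET /asp-net/feed/ "
    "';DECLARE%20@S%20CHAR(4000);SET%20@S=CAST(0x53454C4543542031"
    "%20AS%20CHAR(4000));EXEC(@S); 80 - 198.51.100.7 HTTP/1.1 "
    "Mozilla/4.0 - - example.com 200 0 0 27171 1514 3328\n"
    "2008-08-08 05:52:10 W3SVC1 WEB01 192.0.2.10 GET /asp-net/feed/ "
    "page=2 80 - 198.51.100.8 HTTP/1.1 Mozilla/4.0 - - example.com "
    "200 0 0 5120 310 94\n"
)

# DECLARE @var ... CAST(0x<hex> ... EXEC(@var): the shape seen in the entry above.
SIGNATURE = re.compile(
    r"DECLARE\s+@\w+.*?CAST\s*\(\s*0x([0-9A-Fa-f]+).*?EXEC\s*\(\s*@\w+\s*\)",
    re.IGNORECASE | re.DOTALL,
)

def scan(log_text):
    """Return one dict per request whose query string matches SIGNATURE."""
    hits = []
    for line in log_text.splitlines():
        fields = line.split()
        if line.startswith("#") or len(fields) < 11:
            continue  # skip W3C header directives and short/corrupt lines
        query = unquote_plus(fields[7])  # cs-uri-query, URL-decoded
        match = SIGNATURE.search(query)
        if not match:
            continue
        blob = match.group(1)
        blob = blob[: len(blob) - len(blob) % 2]  # logs may cut the hex mid-byte
        hits.append({
            "time": f"{fields[0]} {fields[1]}",
            "client": fields[10],
            "uri": fields[6],
            # Decoded for reading only; nothing here is sent to a database.
            "decoded_sql": bytes.fromhex(blob).decode("latin-1"),
        })
    return hits

if __name__ == "__main__":
    for hit in scan(SAMPLE_LOG):
        print(hit["time"], hit["client"], hit["uri"], repr(hit["decoded_sql"]))
```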
Not being sure what to do, I went to Twitter and pinged Scott to see what he did to stop the attack, and he suggested URLScan from Microsoft. Of course, this is a tool I used to use back in the day of supporting clients' web servers to help ward off unfriendly visitors. I had forgotten all about this tool until Scott mentioned it.
I downloaded URLScan from Microsoft and promptly installed it on my web server and the DDOS attack stopped almost instantly. The current version of URLScan is 2.5 which says it only works on IIS 6.0, but a beta version of URLScan 3.0 is available for IIS 5.1, 6.0, and 7.0.
Thank you Scott for the quick reply and suggestion to fix my problem.