Win-17 Responding Slow

We are working to isolate which domain is being targeted. Most of the logs are coming in on a basis that isn't showing the attacked site, if there is one (it may just be attacking the IP after getting it from DNS).
 
The attacks have stopped, but on their own. I know what they were doing (actually causing the IIS app pool to crash), but I had not found the exact target domain yet. I am still monitoring closely.
 
A new wave came in, smaller than the prior one and a bit more under control, but we are working to fully stop it.
 
Pretty sure I nailed the culprit, which was a Perl script that was running and was hard to see due to the momentary slowness: by the time the server was responding again it was gone.
 
This has returned now with some new Perl targets, and now ASP as well. It is being tracked and stopped, but that is taking some time.
 
One major ASP source of the issue is stopped now. One of the issues here is how IIS handles POST requests that are coming in from bots in a forced manner: even if the file no longer exists, they still hit the server and go through a longer process before being denied, which causes slowness. That should not normally be an issue, but a large number of such POSTs coming in waves, like yesterday, is.
 
What is going on is that a large-scale form/search spam botnet has rather aggressively gone after multiple sites on the shared IP, a number of them under one user and linked together. They are then massively submitting all kinds of 'search spam' (which can be seen in the logs), with all kinds of crazy queries, in any form that is open at all: mail forms, site search forms, etc. Anything like this is also getting a massive number of POSTs from the same bots to see if it will allow a submission of these queries; that is why it is going after Perl/PHP/ASP/ASP.NET etc. This is normal and to be expected on a small scale, but this is quite a large scale of it, and when you close one area, it comes back with a new one. We've made good progress and have now found the best place to keep up with the latest attempts.
 
These are still hitting in waves. It works well, then a wave. I have profiled out the top 100 IPs doing it and am starting to block them now.

I tried to avoid this, as sometimes you get innocents, but it is simply going on too long.
 
Once I got the first 15 or so blocked it worked for a short time, then new IPs started flooding in. They seem to be in some similar net ranges, and it is time to stop them by blocking whole blocks of ranges.
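The profiling and blocking steps described above (count the POSTs per source IP, pick the top offenders, then roll them up into net ranges once several hosts in the same range show up) can be done from the IIS logs themselves. The following is an added example, not code from the original status log or from the hosting company. It assumes the W3C extended log format IIS writes by default (a '#Fields:' directive naming the columns), uses constructed sample log lines rather than real traffic, treats a /24 with at least two offending hosts as a range worth blocking (an assumed threshold, not the one the author used), and emits Windows Firewall `netsh advfirewall` rules as the blocking mechanism, which the page does not state was the tool in use.

```python
"""Profile a burst of form-spam POSTs in an IIS W3C log and pick block targets.

Added example, not part of the original status log. Assumes the default IIS
W3C extended log format (a '#Fields:' directive names the columns). The log
lines in SAMPLE_LOG are constructed sample data, not real traffic, and the /24
rollup threshold and the netsh blocking commands are assumptions.
"""
from collections import Counter, defaultdict
import ipaddress

SAMPLE_LOG = """\
#Software: Microsoft Internet Information Services 7.5
#Version: 1.0
#Date: 2012-03-05 00:00:00
#Fields: date time s-ip cs-method cs-uri-stem cs-uri-query s-port cs-username c-ip cs(User-Agent) sc-status sc-substatus sc-win32-status time-taken
2012-03-05 00:00:01 10.0.0.5 POST /search.asp - 80 - 198.51.100.17 Mozilla/4.0 404 0 2 812
2012-03-05 00:00:01 10.0.0.5 POST /contact.php - 80 - 198.51.100.23 Mozilla/4.0 200 0 0 1530
2012-03-05 00:00:02 10.0.0.5 GET /index.html - 80 - 203.0.113.9 Mozilla/5.0 200 0 0 15
2012-03-05 00:00:02 10.0.0.5 POST /search.asp - 80 - 198.51.100.17 Mozilla/4.0 404 0 2 790
2012-03-05 00:00:03 10.0.0.5 POST /cgi-bin/form.pl - 80 - 198.51.100.41 Mozilla/4.0 404 0 2 905
2012-03-05 00:00:03 10.0.0.5 POST /search.asp - 80 - 192.0.2.77 Mozilla/4.0 404 0 2 800
2012-03-05 00:00:04 10.0.0.5 POST /contact.php - 80 - 198.51.100.17 Mozilla/4.0 200 0 0 1490
2012-03-05 00:00:04 10.0.0.5 GET /about.html - 80 - 192.0.2.77 Mozilla/5.0 200 0 0 12
"""


def parse_w3c(text):
    """Yield one dict per request line, keyed by the most recent #Fields header."""
    fields = None
    for line in text.splitlines():
        if line.startswith("#Fields:"):
            fields = line.split()[1:]
            continue
        if not line or line.startswith("#") or fields is None:
            continue
        values = line.split()
        if len(values) != len(fields):
            continue  # truncated or malformed line: skip rather than misattribute it
        yield dict(zip(fields, values))


def post_counts(records):
    """Count POSTs per client IP, and separately POSTs that hit a missing file (404)."""
    total = Counter()
    missing = Counter()
    for r in records:
        if r["cs-method"] != "POST":
            continue
        total[r["c-ip"]] += 1
        if r["sc-status"] == "404":
            missing[r["c-ip"]] += 1
    return total, missing


def rollup_netblocks(total, min_hosts=2, prefix=24):
    """Group offending IPs by /prefix; keep ranges with at least min_hosts distinct hosts."""
    hosts = defaultdict(set)
    for ip in total:
        net = ipaddress.ip_network(f"{ip}/{prefix}", strict=False)
        hosts[net].add(ip)
    return {net: sorted(ips) for net, ips in hosts.items() if len(ips) >= min_hosts}


def block_plan(text, top_n=100, min_hosts=2):
    """Return (top IPs, netblocks to block, firewall commands) for the log text.

    Ranges are blocked first; single IPs already covered by a range are skipped.
    """
    total, _missing = post_counts(parse_w3c(text))
    top = total.most_common(top_n)
    blocks = rollup_netblocks(total, min_hosts=min_hosts)
    covered = {ip for ips in blocks.values() for ip in ips}
    rule = 'netsh advfirewall firewall add rule name="spam {0}" dir=in action=block remoteip={0}'
    cmds = [rule.format(net) for net in sorted(blocks, key=str)]
    cmds += [rule.format(ip) for ip, _ in top if ip not in covered]
    return top, blocks, cmds


if __name__ == "__main__":
    top, blocks, cmds = block_plan(SAMPLE_LOG)
    for ip, n in top:
        print(f"{n:5d} POSTs from {ip}")
    for net, ips in blocks.items():
        print(f"block {net}: {', '.join(ips)}")
    print("\n".join(cmds))
```

Run it against the real log (replace `SAMPLE_LOG` with the file contents) and review the list before applying it; the author's own caveat about catching innocents applies, so a range should only be blocked when its offending hosts are clearly bot traffic. Thousands of individual firewall rules are slow to evaluate, so in practice the single-IP entries are better batched into a few rules with a comma-separated `remoteip=` list.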
 
While things are looking better, with more than the top 50 IPs now blocked, there are still times of slowness. If you want to move your site to another server we won't deny the request, but I will want to check your logs first to make sure the attacks won't just follow you to the new server as well.
 
This is rather insane: I get so many blocked, and entirely new ranges come in. Most so far are from Ukrainian and Latvian ISPs, and they have a lot of allocations.

I am going to remove the server's shared IP for about 5 minutes and see what we get.
 
We'd been doing pretty well since the last update, except for a few 30-40 second patches, but just now a larger wave is coming in and I am working to stop the new IPs.
 
Win17 overall is not timing out anymore; however, there are still waves of these spambot attacks. I blocked over 2000 IPs (some as small netblock range blocks) yesterday, and for all I block it seems at least a 1:1 ratio of them come back with entirely new netblocks. The impacts are now much more minor, lasting only 20 seconds to a minute and then coming back under control, generally without our intervention.
 
After working pretty well most of the day it has just gone REALLY slow; I am on the case now.
 
Issues had not been too bad over the weekend, but we just got a large burst of attack, of course just as I was going out for the day, so I turned around to handle it quickly. I ended up rebooting as it was very slow. It will be up in just moments.
 