Thanks.

The server is all patched up and latest SP is on.

This morning it took 10 minutes for the server to croak.

IIS log was full of PROPFIND requests. They were weird too, because they came from the 
server's own IP address, however the logged on user was a user that belongs to a 
customer in Brazil. I was expecting to see the IP address from Brazil.

Here is a [modified] example:

2003-07-02 11:59:37 [my.server.ip.address] [EMAIL PROTECTED] W3SVC1 SHFEX02 [my.server.ip.address] 80 PROPFIND /public/ - 500 HTTP/1.1 exchange.hosting.innerhost.com Exchange-Server-Frontend-Proxy/6.0+Mozilla/4.0+(compatible;+MSIE+5.5;+Windows+95)

There were A LOT of these in the log, mixed up with a few records from the "good" 
customer logons.

I ended up configuring the Default Web Site to deny connections from the server's own 
IP address.  Hopefully this will help.

-----Original Message-----
From: Glenn Corbett [mailto:[EMAIL PROTECTED]
Sent: Wednesday, July 02, 2003 2:11 AM
To: Exchange Discussions
Subject: Re: something is killing IIS on one of my front-ends


Does sound like a DOS attack of some sort (had similar problems with some
standard IIS servers).  If the logs aren't too revealing, get your comms guys
to enable incoming logging on the firewalls / firewall routers for traffic
destined for your front-end server.  Should be easy for them to do.

As for blocking the traffic they can do that fairly easily as well, provided
it's all from the same / similar places (ours was).  The problem with trying
to block it at the front end server is that by then the box has already seen
the traffic and may be too late to stop it.

Also (as always) make sure you are running the correct suite of patches on
your front-end server.

G.

----- Original Message -----
From: "Fyodorov, Andrey" <[EMAIL PROTECTED]>
To: "Exchange Discussions" <[EMAIL PROTECTED]>
Sent: Tuesday, July 01, 2003 11:06 PM
Subject: something is killing IIS on one of my front-ends


Recently, I have had problems with one of my front-end Exchange 2000
servers. It looks like IIS gets bogged down with something. Eventually IIS
stops responding and resets itself.

Earlier this morning, I was just looking at a few things and noticed that
all of a sudden IIS got 17,000+ connections at a rate of ~50 per second.

I am going to check the logs and try to find out where these connections
came from. Hopefully they are all from one place so that I could block that
source IP address.

And I am fishing for suggestions as to what else I could do to track this
down.

Thanks


_________________________________________________________________
List posting FAQ:       http://www.swinc.com/resource/exch_faq.htm
Web Interface:
http://intm-dl.sparklist.com/cgi-bin/lyris.pl?enter=exchange&text_mode=&lang=english
To unsubscribe:         mailto:[EMAIL PROTECTED]
Exchange List admin:    [EMAIL PROTECTED]
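
Added example (not part of the original thread): one way to quantify the pattern described in the top message, PROPFIND requests whose client IP equals the server's own IP, broken down by logged-on user, status code and peak per-second rate. It reads the column order from the log's #Fields: directive; the sample log, addresses, host and user names are constructed placeholders.

```python
from collections import Counter

# Constructed sample in IIS W3C extended format. Addresses, host and user
# names are placeholders; the post redacted its own values.
SAMPLE_LOG = """\
#Fields: date time c-ip cs-username s-sitename s-computername s-ip s-port cs-method cs-uri-stem cs-uri-query sc-status cs-version cs-host cs(User-Agent)
2003-07-02 11:59:37 192.0.2.10 customer-a@example.com W3SVC1 FE01 192.0.2.10 80 PROPFIND /public/ - 500 HTTP/1.1 mail.example.com Exchange-Server-Frontend-Proxy/6.0+Mozilla/4.0
2003-07-02 11:59:37 192.0.2.10 customer-a@example.com W3SVC1 FE01 192.0.2.10 80 PROPFIND /public/ - 500 HTTP/1.1 mail.example.com Exchange-Server-Frontend-Proxy/6.0+Mozilla/4.0
2003-07-02 11:59:37 192.0.2.10 customer-a@example.com W3SVC1 FE01 192.0.2.10 80 PROPFIND /public/ - 500 HTTP/1.1 mail.example.com Exchange-Server-Frontend-Proxy/6.0+Mozilla/4.0
2003-07-02 11:59:38 192.0.2.10 customer-a@example.com W3SVC1 FE01 192.0.2.10 80 PROPFIND /public/ - 500 HTTP/1.1 mail.example.com Exchange-Server-Frontend-Proxy/6.0+Mozilla/4.0
2003-07-02 11:59:38 198.51.100.7 customer-b@example.com W3SVC1 FE01 192.0.2.10 80 GET /exchange/ - 200 HTTP/1.1 mail.example.com Mozilla/4.0
2003-07-02 11:59:39 198.51.100.7 customer-b@example.com W3SVC1 FE01 192.0.2.10 80 PROPFIND /exchange/ - 207 HTTP/1.1 mail.example.com Mozilla/4.0
"""

def parse_w3c(text):
    """Yield one dict per record, keyed by the latest #Fields: directive."""
    fields = []
    for line in text.splitlines():
        if line.startswith("#Fields:"):
            fields = line.split()[1:]          # column names for rows below
        elif line and not line.startswith("#") and fields:
            values = line.split()
            if len(values) == len(fields):     # skip truncated/malformed rows
                yield dict(zip(fields, values))

def self_sourced(records, method="PROPFIND"):
    """Records where the client IP is the server's own IP, for one method."""
    return [r for r in records
            if r.get("c-ip") and r.get("c-ip") == r.get("s-ip")
            and r.get("cs-method") == method]

def summarize(text):
    """Count self-sourced PROPFINDs by user, status and busiest second."""
    hits = self_sourced(parse_w3c(text))
    per_second = Counter(r["date"] + " " + r["time"] for r in hits)
    return {
        "total": len(hits),
        "by_user": Counter(r.get("cs-username", "-") for r in hits),
        "by_status": Counter(r.get("sc-status", "-") for r in hits),
        "peak_per_second": max(per_second.values(), default=0),
    }

if __name__ == "__main__":
    for key, value in summarize(SAMPLE_LOG).items():
        print(key, value)
```
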