Written August 11, 2008 in punditry
This is all it takes to knock down a site running IIS. And you have to have a complex URL filtering tool in place to keep it from happening. It’s not secure out of the box, it’s not secure without some work, and even when your site isn’t running a database backend an automated SQL injection attack can still hose your entire website.
Christ.
And this is supposed to be “enterprise-ready” software?
8 comments on ' Why I don’t like IIS… '
-
I fail to see why this is the fault of IIS? Any web application is subject to DoS and injection. Even the one you’re using here…
So to be perfectly clear - you don’t like IIS because it doesn’t auto set querystring length to a given value?
Should they do the same for HTTP POST? Cookies? There’s more than one way to push a DoS attack my friend.
Written by Rob Conery on August 13, 2008 at 5:23pm
-
Show me a Web Server that deals with DoS out of the box. No? Thought so.
This has nothing to do with security this has to do with traffic to the box which affects ANY web server. It doesn’t bring down any sites but it’s traffic that affects bandwidth and request servicing if not filtered.
No different on Apache or any other server - you need to actively monitor your inbound traffic and determine problem content and filter it out. Unfortunately this is a fact of life in network administration these days and it applies to ALL servers.
In fact I run IIS and Apache on the same box and BOTH are being attacked by the same issue with exactly the same effects. So out of the box Apache is no better - I have to screw with filters the same as IIS.
Fair’s fair, but this is just a bit of misinformed spouting and you don’t even recognize the real issue (which has ZERO to do with security).
Written by Rick Strahl on August 13, 2008 at 5:34pm
-
Not sure where the DoS fud is coming from. No webserver can handle a heavy enough DoS attack out of the box, and I don’t see anywhere where I made that claim. Scott added that big “DDoS” disclaimer well after I wrote my post.
I was concerned mainly with this line: “Unfortunately, the application was still trying to map these query strings to blog posts, and the result took my blog down.”
Apache routes, by default, spurious requests for files that do not exist to the bitbucket. The same querystring that he posted as an example of his attack would receive a very quick 404 and Apache moves on and goes about it’s business. Even if a more detailed attack was written that specifically reloaded specific files on my site over and over, I’m running a cache behind the scenes that makes it (again) a fast operation to check the request against a list of possible valid requests and 404 any invalid requests. About the only thing that someone could do to DoS my current Wordpress setup would be to submit spam comments over and over, which could load down the database a bit, but I’d probably just jump in real quick from console and flip a bit in Wordpress to shut off commenting — and Bam!, I’m back online.
Look at the apache default ruleset sometimes - it starts by denying everything and adds exceptions for things that specifically exist. My experience with the IIS default ruleset is that it accepts everything, which is why you need complicated filters like URLScan.
Written by karlkatzke on August 13, 2008 at 6:12pm
-
Which version of IIS are you talking about? There are quite a few, each with their own advantages / issues.
Mapping requests to files? Most websites dont work that way, and code is executed at the other end. This code often doesn’t protect itself enough against very many various forms of attacks.
Comparing Apache and IIS in this instance is completely irrelevant.
Written by Sebastien Lambla on August 13, 2008 at 6:34pm
-
Sebastien, I’ve got at most a basic understanding of IIS configuration, so I’m certainly not qualified to discuss the merits of versions and advantages/disadvantages when making a choice.
How is comparing Apache and IIS irrelevant? That’s what my post did — compare Apache’s way of securing things to IIS’s way of securing things. IIS needs a complicated rule filtering add-on and you still can get DDoS’d by a botnet, which sucks. Apache doesn’t need complicated rule filtering add-on and it’s difficult to get DDoS’d by a botnet unless the attack is specifically targeted at a weakness in your particular configuration.
-
“you need complicated filters like URLScan” - everything has to be a drama, ain’t it?
What’s complicated about tool one just installs and … done… Jeez! I wish all of the software would be that easy to use! BTW, most of the URLScan features come built-in to IIS 6.0
Written by Serge Baranovsky on August 13, 2008 at 6:42pm
-
>>>Not sure where the DoS fud is coming from. No webserver can handle a heavy enough DoS attack out of the box, and I don’t see anywhere where I made that claim. Scott added that big “DDoS” disclaimer well after I wrote my post.<<>I’ve got at most a basic understanding of IIS configuration, so I’m certainly not qualified to discuss the merits of versions and advantages/disadvantages when making a choice.<<<
I’ve been using Apache and IIS for a very long time and as Rick says, preventing this attack is not handled out of the box. The issue is that you’ve written a pretty gnarly post with only a “basic” understanding of the technology. It’s up to you to hate what you don’t fully understand… but then again these are the responses you’re going to get.
-
And mod_rewrite’s been included with most distributions of Apache since god knows when. Your point?
Rob, if you think this post is gnarly you should see what I’ve said about certain Linux tools. I’ve had enough experience with Windows administration that I don’t really care to gain more — my roommate is a Windows admin, and we chat enough about work to cover the basics. He’s actually refused to talk about things recently since the conversations usually go something like, “I had to install OWA with SSL support today, and it took me a few hours.” “Oh? I typed `yum install horde` and it worked.”
Leave a comment
categories
-
apple
centos
fedora
first application
howto
linux
meta
mysql
opensuse
packagekit
photography
php
punditry
puppy
reading list
reviews
symfony
sysadmin
Uncategorized
webdev
wordpress
zend framework
subscribe
If you enjoy the content, consider subscribing to the feed(s).
Entries RSS
Jump to comments