Possible DoS Not sure?



Joe
07-09-2005, 10:52 PM
Hello,

I have never been under attack before; however, I am getting this in my W2k3
event viewer:

The server has detected a potential Denial-of-Service attack caused by
consuming all the work-items. Some connections were disconnected to protect
against this. If this is not the case, please raise the MaxWorkItems for the
server or disable DoS detection. This event will not be logged again for 24
hours.

The event ID is 2027

I do not know if I am; my webs are up and accessible. What is MaxWorkItems?
Thank you
Joe

Steven L Umbach
07-09-2005, 10:53 PM
You may also want to post in the IIS security newsgroup. Apparently it means
your server dropped some connections because it was under heavy load that
was exceeding its capability as currently configured. That can be caused by
a denial of service attack or the server could just have been overloaded -
possibly just temporarily. MaxWorkItems refers to a registry setting for the
TCP/IP stack and is referenced in the articles at the links below.

http://www.microsoft.com/resources/documentation/Windows/2000/server/reskit/en-us/Default.asp?url=/resources/documentation/Windows/2000/server/reskit/en-us/regentry/58688.asp
or in case of line wrap.
http://tinyurl.com/5spt8
http://www.microsoft.com/technet/prodtechnol/windowsserver2003/technologies/webapp/iis/remstorg.mspx

IIS 6.0 is much more secure than older versions of IIS out of the box but
you still should run the Microsoft Baseline Security Analyzer to make sure
you are current with critical security updates and such. --- Steve

http://www.microsoft.com/technet/security/tools/mbsahome.mspx


Srikrishna Komatineni
07-09-2005, 10:53 PM
The thing is, we still need to use our brains to decide... :) Of course that's
what we are for, and for the same we are getting our pay checks... First thing
is to try to look into the max connections the server is getting at the
moment... it's very difficult to understand and pinpoint the bad traffic... If
your servers are protected by a firewall you can get some good info from
there as well...

Joe
07-09-2005, 10:53 PM
Thank you for your reply,

I am going to ask a question here that may surprise you.

How can I check the max number of connections the server is getting?

Second I have RRAS and NAT and no router.
Thank you
Joe
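
One way to answer the connection-count question raised in this thread, as an added example that is not from any of the posters: a small Python script that tallies saved `netstat -an` output by TCP state, local port and remote address. The sample text, the addresses (documentation ranges) and the `per_ip_limit` threshold are constructed assumptions.

```python
from collections import Counter

# Constructed sample of `netstat -an` output; addresses are documentation ranges.
SAMPLE = """\
Active Connections

  Proto  Local Address          Foreign Address        State
  TCP    0.0.0.0:80             0.0.0.0:0              LISTENING
  TCP    192.0.2.10:80          198.51.100.7:3412      SYN_RECEIVED
  TCP    192.0.2.10:80          198.51.100.7:3413      SYN_RECEIVED
  TCP    192.0.2.10:80          198.51.100.7:3414      SYN_RECEIVED
  TCP    192.0.2.10:80          198.51.100.7:3415      ESTABLISHED
  TCP    192.0.2.10:80          203.0.113.20:1088      ESTABLISHED
  TCP    192.0.2.10:80          203.0.113.21:2200      TIME_WAIT
  TCP    192.0.2.10:445         192.0.2.50:1301        ESTABLISHED
  UDP    0.0.0.0:445            *:*
"""


def parse_netstat(text):
    """Yield (local_port, remote_ip, state) for each non-listening TCP row."""
    for line in text.splitlines():
        fields = line.split()
        # TCP rows have exactly four columns; headers and UDP rows do not.
        if len(fields) != 4 or fields[0] != "TCP":
            continue
        _, local, remote, state = fields
        if state == "LISTENING":
            continue
        # rsplit keeps bracketed IPv6 addresses intact.
        local_port = int(local.rsplit(":", 1)[1])
        remote_ip = remote.rsplit(":", 1)[0]
        yield local_port, remote_ip, state


def summarize(text, per_ip_limit=3):
    """Count connections by state, local port and remote address."""
    rows = list(parse_netstat(text))
    by_remote = Counter(ip for _, ip, _ in rows)
    return {
        "total": len(rows),
        "by_state": dict(Counter(state for _, _, state in rows)),
        "by_port": dict(Counter(port for port, _, _ in rows)),
        # Remote addresses at or above the (assumed) per-address threshold.
        "heavy_remotes": {ip: n for ip, n in by_remote.items() if n >= per_ip_limit},
    }


if __name__ == "__main__":
    for key, value in summarize(SAMPLE).items():
        print(key, value)
```

Run `netstat -an > conns.txt` on the server and pass the file's contents to `summarize` in place of `SAMPLE`; many half-open connections from a few addresses point toward a flood, while a broad spread of established sessions points toward plain overload.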
