no subject
Date: 2008-02-04 18:23 (UTC)
Would depend on what's actually in the URL, but a couple of possibilities are these:
-- buffer overflow - I'm not familiar enough with IIS to know if there is a buffer overflow exploitation where a properly embedded URL within a GET request causes the parser to puke and/or redirect to the embedded URL
-- brute force against a known toolkit for ASP / IIS or something else - Developers use a lot of 3rd party tools to develop sites. It's possible that a toolkit has an exploit where a parameter called a particular thing does stuff that the exploiters could find useful
-- cross-site scripting - This would depend on what the actual query is about, but it could be trying to inject some .js or somesuch to read cookies from the client machine.
It may not even necessarily be malicious... it could be trying to route higher traffic volumes to the site to drive ad revenue or something.
It's more likely than not that it's a brute force application that takes incoming URLs or scans browser history or just hits webservers at random and sends requests with known exploits hoping to find one. May not even be IIS or your application specific. Just fishing (... or phishing if you prefer)... 'cause 30-40% of admins don't keep their stuff updated very well.
As for blackholing, yeah, if you have a bunch it can slow things down (it has to scan all incoming packets against the list.) I use a collection of tools to shitcan any IP that sends a request that's not valid or legitimate automatically, so I don't have to maintain a list unless I want to. Periodically I delete the master file and seed it with known bads and it starts over.
- Jeho
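The auto-blocking and known-bad seeding Jeho describes, as an added example that is not part of the original thread: it triages constructed IIS-style W3C log lines for the request patterns mentioned above (a full URL embedded in a query parameter, script injection aimed at cookies, blind probes for paths that 404) and builds a seeded, size-capped blocklist so the packet filter is never matching against an ever-growing file. The log lines, IP addresses, threshold and cap are all constructed assumptions.

```python
import re
from collections import Counter
from urllib.parse import unquote

# Constructed IIS W3C-style lines: date time c-ip cs-method cs-uri-stem cs-uri-query sc-status
SAMPLE_LOG = """\
2008-02-04 18:20:01 203.0.113.5 GET /default.asp - 200
2008-02-04 18:20:02 198.51.100.7 GET /default.asp page=http://example.invalid/x.js 200
2008-02-04 18:20:03 198.51.100.7 GET /search.asp q=%3Cscript%3Edocument.cookie%3C/script%3E 200
2008-02-04 18:20:04 192.0.2.9 GET /admin/login.php - 404
2008-02-04 18:20:05 192.0.2.9 GET /phpmyadmin/ - 404
2008-02-04 18:20:06 203.0.113.5 GET /products.asp id=42 200
"""

EMBEDDED_URL = re.compile(r"https?://", re.IGNORECASE)      # full URL smuggled into a parameter
SCRIPT_INJECT = re.compile(r"<\s*script|document\.cookie", re.IGNORECASE)  # cookie-reading JS

def suspicious(uri_stem, query, status):
    """Return a reason label if the request looks like a probe, else None."""
    q = unquote(query) if query != "-" else ""
    if EMBEDDED_URL.search(q):
        return "embedded-url"
    if SCRIPT_INJECT.search(q):
        return "script-inject"
    if status == 404 and not uri_stem.lower().endswith((".asp", ".aspx")):
        return "missing-path-probe"   # fishing for software this ASP site doesn't run
    return None

def triage(log_text):
    """Map c-ip -> Counter of reasons over every suspicious request in the log."""
    hits = {}
    for line in log_text.splitlines():
        if not line or line.startswith("#"):
            continue
        _date, _time, ip, _method, stem, query, status = line.split()
        reason = suspicious(stem, query, int(status))
        if reason:
            hits.setdefault(ip, Counter())[reason] += 1
    return hits

def build_blocklist(hits, seed, threshold=2, cap=1000):
    """Seed with known bads, add offenders at/over threshold, cap the list size."""
    blocked = list(seed)
    by_volume = sorted(hits.items(), key=lambda kv: -sum(kv[1].values()))
    for ip, reasons in by_volume:
        if ip not in blocked and sum(reasons.values()) >= threshold:
            blocked.append(ip)
    return blocked[:cap]   # a short list keeps per-packet matching cheap
```

Regenerating the list from the seed on each run is the "delete the master file and seed it with known bads" reset; the cap bounds the per-packet scan cost the post warns about.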