Reputation: 4654
Problem:
I found that certain sessions are sending a heavy burst of requests to some of my .aspx pages. Some of them are sending requests to my login page also. I tried to find out if this is a dictionary attack, but on checking the IIS logs I found that the csBytes is not varying for a large number of requests. So, a dictionary attack is less likely. I then checked if somebody is trying a Denial of Service, but that also seems unlikely since the burst subsides after a short duration (usually after a minute or so).
Some of the patterns that emerged while I was doing the investigation are:
Technical Details:
I've given a bare-bones intro on the issue. Let me know if you require more information to dig further.
Update:
When I said that 20 requests/min from a session are normal I meant all requests including associated javascripts/images.
Upvotes: 1
Views: 137
Reputation: 40139
You tagged this with 'Security', so I'm not 100% sure if you are really looking for possible errors in the application itself which could cause this, but anyway...
Those rates are definitely not 'natural' - no normal, physical user would even (re)load a page a 'mere' 20 times per minute, much less the other times you have shown.
I would first look at the payload of the requests in-depth and make sure there is nothing malicious there. You have a lot of log entries which seem to bear looking into more, to see if you are experiencing dictionary-type attacks, or perhaps even something else, like probing for XSS or SQL Injection vulnerabilities. Many of your 'spurts' seem to suggest some simple vulnerability probing, perhaps as opposed to dictionary attacks.
But the methodology (and indeed, any tools/processes you would use) for mitigating attacks is very different from what you would be doing for potential application bugs causing unintended requests.
For that, I would cross-reference the frequently-loaded URLs with the referer information in the logs for those requests, and verify that the referers are capable of producing such URLs; perhaps dynamically, or even client-side, via Ajax. Mis-used Ajax updates could actually be the cause, in fact. But if all the referer values on those hits are 'incorrect' or invalid, this is likely some sort of attack or probe, perhaps rather than an app bug.
But if the referer info does lead to a valid page, you then at least have someplace to look.
Upvotes: 1
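The cross-referencing described in the answer above, as an added example that is not part of the original thread: it parses IIS W3C log text, finds per-minute bursts per client, and lists the URL/referer pairs and the spread of cs-bytes values in each burst. Assumptions: the log has the `cs(Referer)` and `cs-bytes` fields enabled, the client IP stands in for the session (session ids are not in the default fields), the threshold of 20 is the per-minute figure from the question, and the sample log lines are constructed.

```python
from collections import Counter, defaultdict

# Constructed sample in IIS W3C extended format (not data from the thread).
FIELDS = "#Fields: date time c-ip cs-method cs-uri-stem cs(Referer) sc-status cs-bytes\n"
SAMPLE_LOG = FIELDS + "".join(
    f"2024-01-01 10:00:{s:02d} 203.0.113.5 POST /login.aspx - 200 512\n"
    for s in range(30)  # 30 identical-size hits in one minute, no referer
) + "".join(
    f"2024-01-01 10:0{m}:10 198.51.100.7 GET /orders.aspx "
    f"https://example.test/home.aspx 200 340\n"
    for m in range(5)   # ordinary browsing, one hit per minute
)

def parse_w3c(text):
    """Yield one dict per request, keyed by the names in the #Fields line."""
    fields = []
    for line in text.splitlines():
        if line.startswith("#Fields:"):
            fields = line.split()[1:]
        elif line and not line.startswith("#"):
            values = line.split()
            if len(values) == len(fields):  # skip truncated or malformed rows
                yield dict(zip(fields, values))

def find_bursts(rows, threshold):
    """Bucket requests by (client IP, date, HH:MM); keep buckets over threshold."""
    buckets = defaultdict(list)
    for r in rows:
        buckets[(r["c-ip"], r["date"], r["time"][:5])].append(r)
    return {k: v for k, v in buckets.items() if len(v) > threshold}

def report(text, threshold=20):
    """Summarise each burst: URL/referer pairs and spread of request sizes."""
    out = []
    for (ip, date, minute), rows in sorted(find_bursts(parse_w3c(text), threshold).items()):
        pairs = Counter((r["cs-uri-stem"], r["cs(Referer)"]) for r in rows)
        out.append({
            "ip": ip, "minute": f"{date} {minute}", "requests": len(rows),
            "distinct_cs_bytes": len({r["cs-bytes"] for r in rows}),
            "no_referer": sum(n for (_, ref), n in pairs.items() if ref == "-"),
            "pairs": pairs.most_common(),  # review these against the real pages
        })
    return out

if __name__ == "__main__":
    for burst in report(SAMPLE_LOG):
        print(burst)
```

The `pairs` list is what to check by hand: for each referer, confirm that page can actually issue requests to the paired URL at that rate (for example through an Ajax timer).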