Request from help from administrators of IIS servers. From mid October onwards the servers I'm looking after have seen a huge increase in traffic (five+ fold). On investigation I've noticed at the same time thousands of rejection notices in URLScan's logs ...

[10-17-2003 - 09:08:06] Client at [random IP address]: Sent verb 'SEARCH', which is not specifically allowed. Request will be rejected.

... where [random IP address] is ... a random IP address.

Google searchs have brought up a few "me toos" and "URLScan is blocking what looks like a DOS attack. It's blocking it so who cares?".

I want to know if anyone knows what it is exactly and what to do about it, if anything.

Note 1: My servers are fully patched and running URLScan, thanks.

Note 2: This article seems to indicated that the SEARCH verb is used in WevDAV/NTDLL.DLL attacks. But surely they'd just try one and move on?