Here's what I have, what's happening, and what I need to do. Lots of points here to split up or give to one person.
Firewall (can't think of the name right now; blocks certain ports, but not a lot)
Full class-C subnet (##.##.##.0 - ##.##.##.255) on the internet
2 Win 2k3 domain controllers / DNS / DHCP (one machine does Terminal Services) ~ internal and external IP addresses
1 Win 2k member server / RAS / VPN / ISA 6.0 ~ internal and external IP address
1 Win NT 4.0 server / internal IP
Tons of login failures are occurring against ALL of the user accounts in the domain. We have a policy set up so that after 5 bad login attempts the account gets locked out. So basically, when one of these attacks comes across the internet, all of our users (about 80) get locked out of their accounts, and then I have to sit there and manually unlock them.
Don't know if this helps, but here's the event log entry from one of the servers for one of the attacks.
Logon attempt by: MICROSOFT_AUTHENTICATION_PACKAGE_V1_0
Logon account: ** username here **
Source Workstation: MALOEY
Error Code: 0xC000006A
Reason: Unknown user name or bad password
User Name: ** username here **
Logon Type: 3
Logon Process: NtLmSsp
Authentication Package: NTLM
Workstation Name: MALOEY
Caller User Name: -
Caller Domain: -
Caller Logon ID: -
Caller Process ID: -
Transited Services: -
Source Network Address: 220.127.116.11
What I can get out of this is the computer name and IP that is attacking us, but I don't know how they are getting the FULL LIST of user accounts (even accounts that were added last week).
I'm looking for a detailed description of what I can do to stop this, in terms of exactly what I need to do, and I would also like to know how these people are getting the FULL LIST of user accounts on the domain and then slamming them with requests.
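As an added example (not part of the original post), the script below parses failure records in the Event 529 layout quoted above and groups them by source address and by account, which is the first thing to do with a log like this: find the address that is walking the whole account list and the accounts that are about to hit the lockout threshold. The sample records are constructed; the hostnames (MALOEY, WS-FINANCE), account names and addresses (203.0.113.7, 10.0.0.25) are made up, and the threshold of 5 comes from the post's lockout policy.

```python
"""Group Windows Security-log logon failures (Event ID 529 layout, as
quoted in the post) by source address and by account, to identify the
host walking the account list and the accounts about to be locked out.

Added example: the records below are constructed, not copied from the post.
"""
from collections import defaultdict

# One failure record in the Event 529 field layout quoted in the post.
RECORD_TEMPLATE = """\
Reason: Unknown user name or bad password
User Name: {user}
Logon Type: 3
Logon Process: NtLmSsp
Authentication Package: NTLM
Workstation Name: {workstation}
Source Network Address: {addr}"""

# Constructed sample (hostnames, accounts and addresses are made up):
# an outside host tries "alice" five times, "bob" twice and "carol" once;
# a user on an internal workstation mistypes bob's password once.
CONSTRUCTED_FAILURES = (
    [("alice", "MALOEY", "203.0.113.7")] * 5
    + [("bob", "MALOEY", "203.0.113.7")] * 2
    + [("carol", "MALOEY", "203.0.113.7")]
    + [("bob", "WS-FINANCE", "10.0.0.25")]
)

SAMPLE_LOG = "\n\n".join(
    RECORD_TEMPLATE.format(user=u, workstation=w, addr=a)
    for u, w, a in CONSTRUCTED_FAILURES
)

LOCKOUT_THRESHOLD = 5  # the post's policy: 5 bad attempts locks the account


def parse_events(text):
    """Split blank-line-separated records into {field: value} dicts."""
    events = []
    for block in text.strip().split("\n\n"):
        fields = {}
        for line in block.splitlines():
            key, sep, value = line.partition(":")
            if sep:
                fields[key.strip()] = value.strip()
        if fields:
            events.append(fields)
    return events


def failures_by_source(events):
    """Per source IP: number of failures and the set of accounts tried.
    Many distinct accounts from one address is the signature of someone
    working through the user list, not of a forgotten password."""
    summary = defaultdict(lambda: {"attempts": 0, "accounts": set()})
    for ev in events:
        src = ev.get("Source Network Address", "-")
        summary[src]["attempts"] += 1
        summary[src]["accounts"].add(ev.get("User Name", "-"))
    return dict(summary)


def spray_sources(events, min_accounts=3):
    """Source addresses that failed against at least min_accounts accounts."""
    return sorted(
        src for src, s in failures_by_source(events).items()
        if len(s["accounts"]) >= min_accounts
    )


def lockout_candidates(events, threshold=LOCKOUT_THRESHOLD):
    """Accounts whose failure count has reached the lockout threshold."""
    counts = defaultdict(int)
    for ev in events:
        counts[ev.get("User Name", "-")] += 1
    return sorted(user for user, n in counts.items() if n >= threshold)


if __name__ == "__main__":
    evs = parse_events(SAMPLE_LOG)
    for src, s in sorted(failures_by_source(evs).items()):
        print(f"{src:15} {s['attempts']:3} failures against {sorted(s['accounts'])}")
    print("spray sources:", spray_sources(evs))
    print("at lockout threshold:", lockout_candidates(evs))
```

The grouping key is deliberately Source Network Address rather than Workstation Name: in an NTLM network logon the workstation name is supplied by the client and can be anything, while the address is what a firewall rule or block list can actually act on.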