Dear security experts,
I have a client who has recently had a lot of admin and administrator password attacks, and each session lasts only about 20 mins. I've looked into the event log and Microsoft Network Monitor; both of them give me IP addresses from all over the world, but it looks like a systematic attack (organized attack), and I don't think any of the addresses is the real attacker. They might just have been routed to or taken over for this attack. Each session takes roughly 20 mins +/- 1 min. It always changes over from admin queries to administrator queries after a few admin query tries. My question is: is there a good network trace tool with which I can pin down who is really trying to attack the system? Please advise! I'll reward 500 pts for the best answer!