Windows Server 2008 Flood attack help.

Posted on 2011-05-11
Last Modified: 2014-12-10
I need help with the following please.
About once a week our server shuts down due to what I assume is flood login attempts. We get somewhere around 2000 or so attempts a day. The end result is after 5 days or so no one is able to log in to this machine at all. Is there anything in Windows Firewall that can be enabled to deny this attack after one or two attempts? We have a firewall that could block this by IP restriction but there are many users from around the county and getting IP ranges will be difficult.
Any suggestions welcome.

An account failed to log on.

      Security ID:            NULL SID
      Account Name:            -
      Account Domain:            -
      Logon ID:            0x0

Logon Type:                  3

Account For Which Logon Failed:
      Security ID:            NULL SID
      Account Name:            ADMIN
      Account Domain:            

Failure Information:
      Failure Reason:            Unknown user name or bad password.
      Status:                  0xc000006d
      Sub Status:            0xc0000064

Process Information:
      Caller Process ID:      0x0
      Caller Process Name:      -

Network Information:
      Workstation Name:      \\
      Source Network Address:
      Source Port:            54316

Detailed Authentication Information:
      Logon Process:            NtLmSsp
      Authentication Package:      NTLM
      Transited Services:      -
      Package Name (NTLM only):      -
      Key Length:            0

This event is generated when a logon request fails. It is generated on the computer where access was attempted.

The Subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe.

The Logon Type field indicates the kind of logon that was requested. The most common types are 2 (interactive) and 3 (network).

The Process Information fields indicate which account and process on the system requested the logon.

The Network Information fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases.

The authentication information fields provide detailed information about this specific logon request.
      - Transited services indicate which intermediate services have participated in this logon request.
      - Package name indicates which sub-protocol was used among the NTLM protocols.
      - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.
Question by:exchapmjw
    LVL 22

    Expert Comment

    by:Brian B (TBone2K)
    If the originating IP changes, it could be difficult to block that way.

    You say you have users around the country? (Actually I assume, you said county). I would suggest looking up the originating country of some of the attacking IPs using an online service like If the attacks are originating from a country you will never do business with, block the entire IP range of that country from your firewall.

    If the IPs are from your country, assuming North America, you can get in touch with their ISP and find out what is going on.

    The other question to ask is why you have to offer the ability to reach your domain over the internet. In most cases, this should never be required.

    Author Comment

    County is correct, and the ISP could be a hotel, coffee shop, or work place. They are actually only accessing a SQL server and web server. They don't need access to anything else.
    LVL 22

    Assisted Solution

    by:Brian B (TBone2K)
    In the case of a hotel or coffee shop, they are not the ISP. A work place on the other hand, would be interested to know if hacking attacks were originating from the IP, as would a university or institution. Not only that, they would probably have more information on the source. That's assuming it all comes from the same point of origin, of course.

    Again, depending on what application you are exposing, there may be more secure ways to make it work. That would eliminate the problem altogether.

    I'm not sure a firewall can help you in the way you ask. Unless the firewall is doing the authentication, it would have no way of recognizing the failures. As for Windows Firewall, if the problem hits the Windows Firewall, it's already too late since the attack has reached your server.

    If this service is open for your employees to access it, perhaps you should consider putting it back behind the firewall and then setting up a VPN or some other method of secure access.
    LVL 15

    Accepted Solution

    Why don't you just change the account lockout time and attempts through Group Policy?

    You can change it to only allow 3 attempts and then lock the account out until you unlock it. This will help you narrow down the account that is causing the issues. Have you been able to figure out what account they are trying to log in with that is causing the issues?

    The only way that you could fix this would probably be to deploy a VPN client across all your client computers and then only allow logins on the ports you are using from the LAN and the VPN. It could be set up pretty easily on a SonicWall but I don't know what you use.
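    The accepted solution asks which account the attempts target and suggests tightening the lockout policy and restricting the exposed ports to LAN and VPN ranges. The script below is an added example, not code from the original thread: it tallies the 4625 events shown in the question by target account and source address, prints the current lockout settings, and shows how a scoped Windows Firewall rule would be added. It assumes PowerShell 2.0 or later running as an administrator on the server that writes the events; `$servicePort` and `$allowedRanges` are placeholder values, not figures from the thread.

```powershell
# Added example, not code from the original post: triage the 4625 "An account failed
# to log on" events the question shows, then review the lockout and firewall settings
# the accepted answer suggests. Assumes PowerShell 2.0+ running as an administrator on
# the server that records the events.

# --- 1. Summarise failed logons from the last 24 hours ---
$since  = (Get-Date).AddDays(-1)
$events = Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 4625; StartTime = $since } -ErrorAction SilentlyContinue

$rows = foreach ($e in $events) {
    # The EventData names below are the standard 4625 fields: TargetUserName is the
    # "Account For Which Logon Failed" name, IpAddress the "Source Network Address".
    $xml  = [xml]$e.ToXml()
    $data = @{}
    foreach ($n in $xml.Event.EventData.Data) { $data[$n.Name] = $n.'#text' }
    New-Object PSObject -Property @{
        Time      = $e.TimeCreated
        Account   = $data['TargetUserName']
        SourceIP  = $data['IpAddress']
        LogonType = $data['LogonType']
        SubStatus = $data['SubStatus']   # 0xc0000064 = unknown user name, 0xc000006a = bad password
    }
}

"Failed logons since ${since}: $(@($rows).Count)"
"`nTop accounts attempted:"
$rows | Group-Object Account  | Sort-Object Count -Descending | Select-Object -First 10 Count, Name | Format-Table -AutoSize
"`nTop source addresses (blank or '-' means the client did not report one, as in the posted event):"
$rows | Group-Object SourceIP | Sort-Object Count -Descending | Select-Object -First 10 Count, Name | Format-Table -AutoSize

# --- 2. Current account lockout policy ---
# Prints "Lockout threshold", "Lockout duration (minutes)" and "Lockout observation window".
# The change the accepted answer describes lives in Group Policy under
# Computer Configuration > Windows Settings > Security Settings > Account Policies > Account Lockout Policy.
net accounts

# --- 3. Scope the exposed service to LAN and VPN address ranges ---
# $servicePort and $allowedRanges are placeholders for illustration only.
# Any existing rule that allows the port from every address must be removed or scoped
# as well, otherwise it still admits the traffic.
$applyFirewallRule = $false
$servicePort   = 1433                              # placeholder: SQL Server default port
$allowedRanges = '192.168.0.0/16,10.8.0.0/24'      # placeholder: LAN subnet and VPN pool
if ($applyFirewallRule) {
    netsh advfirewall firewall add rule name="Service from LAN and VPN only" dir=in action=allow protocol=TCP localport=$servicePort remoteip=$allowedRanges
}
```

    Two caveats a practitioner would weigh before applying the lockout change: a low threshold with an indefinite lockout lets anyone who knows a valid account name lock that user out simply by failing logons against it, so the symptom described in the question (nobody able to log in after a few days) can be reproduced by the countermeasure itself; and the posted event has an empty Source Network Address, which is common for NTLM network logons, so per-address blocking may have to rely on the perimeter firewall's own logs rather than on this event alone.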
