• Status: Solved
  • Priority: Medium
  • Security: Public
  • Views: 194
  • Last Modified:

Windows Server 2008 Flood attack help.

I need help with the following please.
About once a week our server shuts down due to what I assume is flood login attempts. We get somewhere around 2000 or so attempts a day. The end result is after 5 days or so no one is able to login into this machine at all. Is there anything in windows firewall that can be enabled to deny this attack after one or two attempts. We have a firewall that could block this by ip restriction but there are many users from around the county and getting ip ranges will be difficult.
any suggestions welcome.

An account failed to log on.

      Security ID:            NULL SID
      Account Name:            -
      Account Domain:            -
      Logon ID:            0x0

Logon Type:                  3

Account For Which Logon Failed:
      Security ID:            NULL SID
      Account Name:            ADMIN
      Account Domain:            

Failure Information:
      Failure Reason:            Unknown user name or bad password.
      Status:                  0xc000006d
      Sub Status:            0xc0000064

Process Information:
      Caller Process ID:      0x0
      Caller Process Name:      -

Network Information:
      Workstation Name:      \\
      Source Network Address:
      Source Port:            54316

Detailed Authentication Information:
      Logon Process:            NtLmSsp
      Authentication Package:      NTLM
      Transited Services:      -
      Package Name (NTLM only):      -
      Key Length:            0

This event is generated when a logon request fails. It is generated on the computer where access was attempted.

The Subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe.

The Logon Type field indicates the kind of logon that was requested. The most common types are 2 (interactive) and 3 (network).

The Process Information fields indicate which account and process on the system requested the logon.

The Network Information fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases.

The authentication information fields provide detailed information about this specific logon request.
      - Transited services indicate which intermediate services have participated in this logon request.
      - Package name indicates which sub-protocol was used among the NTLM protocols.
      - Key length indicates the length of the generated session key. This will be 0 if no session key was requested. event log
  • 2
2 Solutions
Brian BIndependant Technology ProfessionalCommented:
If the originating IP changes, it could be difficult to block that way.

You say you have users around the country? (Actually I assume, you said county). I would suggesting looking up the originating country of some of the attacking IPs using an online service like network-tools.com. If the attacks are originating from a country you will never do business with, block the entire IP range of that country from your firewall.

If the IPs are from your country, assuming North America, you can get in touch with their ISP and find out what is going on.

The other question ask ask is why you have to offer the ability to reach your domain over the internet. In most cases, this should never be required.
exchapmjwAuthor Commented:
Country is correct, and the isp could be a hotel, coffee shop, or work place. They are actually only accessing a sql server and web server. They don't need access to anything else.
Brian BIndependant Technology ProfessionalCommented:
In the case of a hotel or coffee shop, they are not the ISP. A work place on the other hand, would be interested to know if hacking attacks were originating from the IP, as would a university or institution. Not only that, they would probably have more information on the source. That's assuming it all comes from the same point of origin, of course.

Again, depending on what application you are exposing, there may be more secure ways to make it work. That would eliminate the problem altogether.

I'm not sure a firewall can help you in the way you ask. Unless the firewall is doing the authentication, it would have no way of recognizing the failures. As for window firewall, if the problem hits the windows firewall, its already too late since the attack has reached your server.

If this service is open for you employees to access it, perhaps you should consider putting it back behind the firewall and then setting up VPN or some other method of secure access.
Skyler KincaidNetwork/Systems EngineerCommented:
Why don't you just change the account lockout time and attempts through Group Policy?

You can change it to only allow 3 attempts and then lock the account out until you unlock it. This will help you narrow down the account that is causing the issues. Have you been able to figure out what account they are trying to log in with that is causing the issues?

The only way that you could fix this would probably be to deploy a VPN client across all your client computers and then only allow logins on the ports you are using from the LAN and the VPN. It could be setup pretty easy on a SonicWall but I don't know what you use.

Featured Post

Making Bulk Changes to Active Directory

Watch this video to see how easy it is to make mass changes to Active Directory from an external text file without using complicated scripts.

  • 2
Tackle projects and never again get stuck behind a technical roadblock.
Join Now