TCP Dup ACK on port 3389

Yann Shukor
Yann Shukor used Ask the Experts™
on
Hi

On a Windows SBS 2008 R2 I am running Wireshark to understand what might be causing slow network file transfers with the server.

I have consequently noticed numerous TCP Dup ACK lines and some coming from outside the network e.g. Kuwait, Gabon, Deutschland, ...

What is curious is that these TCP Dup ACK packets are all aimed at port 3389 (Terminal Server). Therefore I can assume that someone(s) is trying to get 'in'.

Is there such a thing as a Dup ACK ddos attack?

Not sure what to do to discourage these attempts

If I had a Mikrotik router at this client's site I could add these entries into an Address list, drop further attempts, and forget about them.

Can I do anything similar under W2K8 SBS R2 ?

thanks
yann
Comment
Watch Question

Do more with

Expert Office
EXPERT OFFICE® is a registered trademark of EXPERTS EXCHANGE®
ICT Infranstructure Manager
Commented:
Had similar problem - your RDP  is being brute forced:)

several options here

1 disable 3389
2 use rdp though https gateway (rdweb)
3 Or like me get yourself that http://rdpguard.com/  (use ip block - it will block access after set amount of wrong password)
( just to clarify - i am not employee of this company :-))
Commented:
Or, if you only RDP from a known list of IPs, add those as a rule in Windows Firewall.

I always considered whitelisting safer than blacklisting...

HTH,
Dan

Do more with

Expert Office
Submit tech questions to Ask the Experts™ at any time to receive solutions, advice, and new ideas from leading industry professionals.

Start 7-Day Free Trial