Too much network activity in my web server

Jorge Maldonado
Hello,

I have a cloud server where I am hosting a website. It is a Windows Server 2012 R2. Recently I noticed a message in my account control panel saying something like this:

"CRITICAL NETWORK - 384 kbit/s received       12.11 MBit/s transfered"

This is the first time I received a message like this. The server has been operating since 2015.
I am not a network administrator so I do not really know how to proceed. So, I will very much appreciate any support/help you can provide to find out what is going on.

I have watched the Network Activity in Task Manager and I am attaching a screenshot just as a reference. Maybe I need to go over log files, but I am not sure which ones are the correct ones to review and how to proceed.

For example, I watched the System log and I see error entries like this:

"A fatal alert was generated and sent to the remote endpoint. This may result in termination of the connection. The TLS protocol defined fatal error code is 10. The Windows SChannel error state is 1203."

I found the error below in the Administrative Events log:

"The RD Session Host server received large number of incomplete connections.  The system may be under attack."

Something I should say is that I use Remote Desktop to connect to my cloud server.

Task Manager Network Activity Screenshot
Respectfully,
Jorge Maldonado
Distinguished Expert 2017

Commented:
Are you regularly maintaining updates on the system?

The point of a web server is that when it has a good/interesting time, it grows in popularity, resulting in higher traffic.

The item is a snapshot of the data rate alert at a point in time.
The proportion of 384 kb/s received to 12.1 Mb/s transferred is a viable ratio for a web server.

Do you have web analytics where you crunch the IIS/web access logs to reflect the origin of requests, which sites/pages are accessed, and the amount of total transfer out?

You can also get the number of unique visitors, requests per second.

Based on the posted image, your system is not running into performance issues. At current use, it seems you overestimated demand based on the system's current run.

The TLS error is just that: in a single connection, a situation arose that led to the termination of the connection. The reference to SChannel points to a protocol-related error.
Distinguished Expert 2018

Commented:
"The RD Session Host server received large number of incomplete connections.  The system may be under attack."
What options do you have to access the server other than Remote Desktop?

Has there been consideration to putting in a Web Application Firewall? In doing this, this should basically stop a lot of attacks BEFORE they get to your server. There are a number of options such as Barracuda and Imperva. Knowing that you're not a network person, is there a network/systems person that you can work with? Even a consultant?

Author

Commented:
Thanks masnrock

What options do you have to access the server other than Remote Desktop?

Currently this is the only installed option but surely I can do it by other means like Teamviewer for example.
Is this the focus of your question?

Thanks.

Distinguished Expert 2018
Commented:
Currently this is the only installed option but surely I can do it by other means like Teamviewer for example.
Is this the focus of your question?
Yes. Or maybe there is a way that your cloud provider provides?

Author

Commented:
Or maybe there is a way that your cloud provider provides?

My provider has a way to run a "KVM Console" from within my dashboard.
I just disabled Remote Desktop connections (and removed port 3389 from firewall and server) to monitor the behavior and will be accessing my server using "KVM Console".

Thanks.
Distinguished Expert 2018

Commented:
I just disabled Remote Desktop connections (and removed port 3389 from firewall and server) to monitor the behavior and will be accessing my server using "KVM Console".
This should get rid of the issue of the large number of incomplete connections being made to Remote Desktop. Malicious actors will keep trying, but they should now be getting blocked at the firewall, and not taking up any computing resources on the server itself.

BTW - I also hope that you've been keeping the system properly patched.

Author

Commented:
Yes, I installed latest updates yesterday.

Thanks.
Distinguished Expert 2017

Commented:
Is that when you got the notification (during the update downloads)?
Distinguished Expert 2018

Commented:
As far as the original message, it could be parties trying to compromise your server. I would recommend giving it a very thorough review, and check any logs that you may have available. If RDP had been exposed for that long, you never know what may or may not have occurred until you seriously look into it. Do you have access to a security or network consultant or coworker?
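The question above quotes two System log entries (the SChannel fatal alert and the RD Session Host "incomplete connections" warning) and asks which logs to review, and the comment above recommends a thorough review of whatever logs are available. The following is an added example, not code from the thread or from any of the posters, of how such a review can be done from an elevated PowerShell prompt on the Windows Server 2012 R2 host itself. The event IDs used are, to the best of my knowledge, the standard Windows IDs for these messages (1006 for the RD Session Host warning, 36888 for an SChannel fatal alert that was generated and sent, 4625 for a failed logon, 140 for an RDP logon failure recorded with the client IP); the look-back window and the result limits are assumptions chosen for illustration.

```powershell
# Added example, not from the original thread. Run in an elevated PowerShell
# session on the server. Assumption: the event IDs below are the standard
# Windows IDs for the messages quoted in the question.

$since = (Get-Date).AddDays(-7)   # assumed look-back window; adjust as needed

# 1. "The RD Session Host server received large number of incomplete
#    connections" (System log, ID 1006).
$incomplete = @(Get-WinEvent -FilterHashtable @{
    LogName      = 'System'
    ProviderName = 'Microsoft-Windows-TerminalServices-RemoteConnectionManager'
    Id           = 1006
    StartTime    = $since
} -ErrorAction SilentlyContinue)
"RD Session Host 'incomplete connections' warnings since {0}: {1}" -f $since, $incomplete.Count

# 2. SChannel "fatal alert was generated and sent" (System log, ID 36888).
#    TLS alert code 10 is unexpected_message: a peer sent something that was
#    not a valid TLS message, which is typical of scanners and brute-force
#    tools poking at a TLS listener rather than of a normal browser session.
$schannel = @(Get-WinEvent -FilterHashtable @{
    LogName      = 'System'
    ProviderName = 'Schannel'
    Id           = 36888
    StartTime    = $since
} -ErrorAction SilentlyContinue)
"SChannel fatal alerts since {0}: {1}" -f $since, $schannel.Count

# 3. Failed logons (Security log, ID 4625), grouped by source address.
#    Each event's EventData fields are read from its XML representation.
#    Note: with Network Level Authentication the source IP of a failed RDP
#    logon is sometimes recorded as '-', which is why step 4 exists.
$failed = @(Get-WinEvent -FilterHashtable @{
    LogName   = 'Security'
    Id        = 4625
    StartTime = $since
} -MaxEvents 50000 -ErrorAction SilentlyContinue)
"Failed logons (4625) since {0}: {1}" -f $since, $failed.Count

$failed | ForEach-Object {
    $x = [xml]$_.ToXml()
    $d = @{}
    foreach ($n in $x.Event.EventData.Data) { $d[$n.Name] = $n.'#text' }
    [pscustomobject]@{
        Time      = $_.TimeCreated
        Account   = $d['TargetUserName']
        SourceIp  = $d['IpAddress']
        LogonType = $d['LogonType']   # 10 = RemoteInteractive (RDP), 3 = network
    }
} | Group-Object SourceIp | Sort-Object Count -Descending |
    Select-Object -First 20 Count, Name | Format-Table -AutoSize

# 4. RDP logon failures that carry the client IP (RdpCoreTS operational log,
#    ID 140). The IP is pulled out of the message text with a regex so the
#    script does not depend on the event's internal XML layout.
$rdpcore = @(Get-WinEvent -FilterHashtable @{
    LogName   = 'Microsoft-Windows-RemoteDesktopServices-RdpCoreTS/Operational'
    Id        = 140
    StartTime = $since
} -ErrorAction SilentlyContinue)
$rdpcore | ForEach-Object {
    if ($_.Message -match '(\d{1,3}\.){3}\d{1,3}') { $Matches[0] }
} | Group-Object | Sort-Object Count -Descending |
    Select-Object -First 20 Count, Name | Format-Table -AutoSize
```

A handful of distinct source addresses each contributing hundreds or thousands of 4625 or ID 140 events against accounts such as Administrator is the usual signature of password guessing over RDP; a high 1006 count alongside the SChannel alerts is consistent with the same traffic being the source of the bandwidth the control panel flagged. Any 4624 (successful logon) from one of those same addresses is the event that needs immediate attention.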

Author

Commented:
Is that when you got the notification (during the update downloads)?

No. This issue was already taking place before applying updates.
I just checked the numbers regarding network traffic and there has been a significant decrease just after disabling RDS and port 3389.

From: 384 kbit/s received, 12.11 Mbit/s transferred
To:    48 kbit/s received,  1.10 Mbit/s transferred

I will continue monitoring.

Regards.

Author

Commented:
Do you have access to a security or network consultant or coworker?

Unfortunately, there is no one with enough knowledge on networking as part of our small company, but I know an external consultant that may give us a hand.

Thank you.
Distinguished Expert 2017

Commented:
Much depends on what you want. You could enable access to RDP when you need it, and disable when done on the firewall side.
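The author removed port 3389 from the firewall entirely and switched to the provider's KVM console; the comment above suggests the alternative of opening RDP on the firewall only when it is needed. The block below is an added example, not from the thread or from any of the posters, of doing that on Windows Server 2012 R2 with the Windows Firewall PowerShell cmdlets: it scopes the built-in "Remote Desktop" rules to a single administrative source address so that the rest of the Internet is dropped at the firewall even while RDP is enabled, and it shows the disable/enable toggle for maintenance windows. The admin address is a placeholder from the documentation range and must be replaced with your own.

```powershell
# Added example, not from the original thread. Run in an elevated PowerShell
# session on the server. Assumption: $adminIp is the public address you
# administer from; 203.0.113.10 is a documentation-range placeholder.

$adminIp = '203.0.113.10'

# The built-in inbound RDP rules ("Remote Desktop - User Mode (TCP-In)",
# "(UDP-In)", and the shadow rule) all belong to the "Remote Desktop" group.
$rdpRules = Get-NetFirewallRule -DisplayGroup 'Remote Desktop' -Direction Inbound

# Scope them so only the admin address may reach 3389. Everything else is
# dropped by the firewall before it can become an "incomplete connection"
# on the RD Session Host.
$rdpRules | Set-NetFirewallRule -RemoteAddress $adminIp

# Verify the scope actually applied to every rule in the group.
$rdpRules | Get-NetFirewallAddressFilter |
    Select-Object @{n='Rule';e={$_.InstanceID}}, RemoteAddress |
    Format-Table -AutoSize

# Keep the rules disabled outside maintenance windows ...
$rdpRules | Disable-NetFirewallRule

# ... and enable them only for the session in which you need to connect:
# $rdpRules | Enable-NetFirewallRule
# then disable again when done:
# $rdpRules | Disable-NetFirewallRule

# Finally, confirm no other enabled inbound rule still opens 3389 to the world
# (for example a custom rule added in the provider's control panel or by hand).
Get-NetFirewallPortFilter | Where-Object { $_.LocalPort -eq 3389 } |
    Get-NetFirewallRule |
    Where-Object { $_.Enabled -eq 'True' -and $_.Direction -eq 'Inbound' } |
    Get-NetFirewallAddressFilter |
    Select-Object @{n='Rule';e={$_.InstanceID}}, RemoteAddress |
    Format-Table -AutoSize
```

The last query matters because a rule scoped to one address is only as good as the absence of a second, unscoped rule for the same port; the cloud provider's own network firewall, where one exists, should carry the same restriction. If the provider offers a console (such as the KVM console mentioned earlier), keeping the rules disabled by default and enabling them per session costs nothing in availability and leaves nothing listening for the password-guessing traffic that produced the numbers in this thread.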

Author

Commented:
The server has been running fine. Numbers have significantly decreased after disabling RDS and deleting port 3389 from firewall as follows:

From: 384 kbit/s received, 12.11 Mbit/s transferred
To:    40 kbit/s received,   160 kbit/s transferred

This is clearly a symptom that someone has tried to compromise the server.
I really appreciate the comments of all of you.
My next step is to go over log files to make sure the server is in good shape (or maybe to provision a new cloud server and migrate).

Best regards,
Jorge Maldonado
Distinguished Expert 2017

Commented:
What does the low rate indicate?
What function does your system have?
The snapshot in time is what it is: without knowing what your system does, the last comment reflects low traffic, but much depends on the duration over which this information is being collected.

If the info you see now works for you that is great.

Author

Commented:
I appreciate the interest of all of you.

Regards.
