FTP Login flood (IIS Server Security, November 2005)
| Ralph Hulslander 2005-11-01, 6:08 pm |
| A Windows 2000 server is being subjected to a continuous stream of FTP login
attempts.
Essentially this was causing a denial of service until I set the Event Log
to overwrite once full.
Is there any way to limit the login attempts? None of the attempts are
successful.
These attacks come from random IPs and are preceded by an initiating event
(attempted login) that is followed by a flood of attempts.
The machine is not using AD.
I am using a firewall but not one that monitors failed login attempts.
It is less of a bother now that the Event Log is not getting full and
locking up the machine, but it is detrimental to my legitimate users as all of
these login attempts do hog resources.
Thanks
--
Progress is just a faster road to the end.
| |
| Bernard Cheah [MVP] 2005-11-02, 2:48 am |
| Well, you can have login attempt for valid account. E.g. lockout, etc
No smart way to do this other than going through the IIS log file, then
filtering those IP addresses at the firewall or router level.
--
Regards,
Bernard Cheah
http://www.iis-resources.com/
http://www.iiswebcastseries.com/
http://www.msmvps.com/bernard/
| |
| Ralph Hulslander 2005-11-02, 5:52 pm |
| Thanks Bernard for the reply. Locking out the account after failed attempts
essentially has no effect. They are still attempting to login. I am looking
for something that performs like a firewall that after so many failed logins
sends all subsequent requests from that IP into the bit bucket in the sky and
never replies to the sender. In other words, even with a locked-out account
refusing logins, these attempts are still acknowledged and this uses
resources.
This is really a pitiful attack method; oftentimes the same username and
password is used, so it appears that the intent is denial of service, which
they did succeed in doing until I allowed the Event Log to overwrite. Now I
just have an event log full of failed login attempts (Event ID: 100) and a daily
FTP IIS log that is full of failed attempts.
The attack appears to have some sophistication in that just before the flood
of login attempts someone always attempts a login using a similar password
(@atHome); this is followed by the flood of login attempts from a different IP.
The @atHome IP is usually from Europe; the flood IPs are from anywhere
around the world.
Thanks again for the reply, I cannot believe I am the only one subjected to
these types of attacks.
Ralph
--
Progress is just a faster road to the end.
| |
| Bernard Cheah [MVP] 2005-11-14, 2:49 am |
| I believe some smart routers or firewalls will have this kind of feature, e.g.
ban an IP address for a certain period of time if it exceeds the threshold of
reconnecting within a specific period.
--
Regards,
Bernard Cheah
http://www.iis-resources.com/
http://www.iiswebcastseries.com/
http://www.msmvps.com/bernard/
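
The log review suggested in this thread (go through the IIS FTP log, then filter the offending addresses at the firewall or router) can be scripted. The following is an added example, not code from any poster in the thread: it counts failed `PASS` commands (FTP reply 530) per client IP in a sliding time window. The log layout, the `[n]PASS` session prefix, the sample lines and the function name `flood_sources` are assumptions constructed for illustration.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample in W3C extended log format; IPs are documentation ranges.
SAMPLE_LOG = """\
#Software: Microsoft Internet Information Services 5.0
#Date: 2005-11-01 18:08:00
#Fields: time c-ip cs-method cs-uri-stem sc-status
18:08:01 192.0.2.10 [1]USER backup 331
18:08:01 192.0.2.10 [1]PASS - 530
18:08:40 198.51.100.7 [2]USER alice 331
18:08:41 198.51.100.7 [2]PASS - 230
18:09:02 203.0.113.5 [3]USER administrator 331
18:09:02 203.0.113.5 [3]PASS - 530
18:09:03 203.0.113.5 [4]PASS - 530
18:09:04 203.0.113.5 [5]PASS - 530
18:09:05 203.0.113.5 [6]PASS - 530
18:09:06 203.0.113.5 [7]PASS - 530
"""
REQUIRED = {"time", "c-ip", "cs-method", "sc-status"}

def flood_sources(log_text, threshold=5, window=timedelta(seconds=60)):
    """Return {ip: peak failed logins in any window} for IPs at or over threshold."""
    fields, day = [], None
    recent = defaultdict(deque)   # ip -> failure timestamps still inside the window
    peak = defaultdict(int)       # ip -> largest window count seen so far
    for line in log_text.splitlines():
        if line.startswith("#Fields:"):
            fields = line.split()[1:]      # column order is set by this directive
        elif line.startswith("#Date:"):
            day = line.split()[1]          # used when the log has no date column
        if line.startswith("#") or not line.strip():
            continue
        rec = dict(zip(fields, line.split()))
        day = rec.get("date", day)
        if not REQUIRED <= rec.keys() or day is None:
            continue                       # malformed line or unknown layout
        # Assumed layout: the verb carries a session id prefix, e.g. "[3]PASS".
        if not rec["cs-method"].endswith("PASS") or rec["sc-status"] != "530":
            continue
        ts = datetime.strptime(f"{day} {rec['time']}", "%Y-%m-%d %H:%M:%S")
        q = recent[rec["c-ip"]]
        q.append(ts)
        while ts - q[0] > window:          # drop failures older than the window
            q.popleft()
        peak[rec["c-ip"]] = max(peak[rec["c-ip"]], len(q))
    return {ip: n for ip, n in peak.items() if n >= threshold}

print(flood_sources(SAMPLE_LOG))
```

The returned addresses are the candidates for a block rule at the firewall or router; a single failed login, such as the one from 192.0.2.10 in the sample, stays below the threshold and is not listed.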