RDP Brute-force attacks that don't actually attempt a logon.


Yinette

Feb 7, 2012, 10:52:42 PM
to SANS Internet Storm Center / DShield
Hi Everyone,

I was wondering if I could get some help regarding a type of Remote
Desktop attack that's quite common on my network, and if others are
seeing something similar.

We have scripts in place that will ban an IP for x amount if it
attempts y logins over z seconds, and those are working well to stop
the common dictionary attacks.
What I am however confused about is another type of attack, that
appears to be much larger than the common aforementioned attack.

I have observed that an IP will open an RDP session with a large number
of machines on the network at once, and not attempt any logins (the
type that will trigger an audit failure in the Event Log). Eventually
TermDD will sometimes close the connection because of a generic "error
in stream" or the attacking machine gets bored and moves on. There is
no pattern in the frequency of these attacks.

It does however cause a blip in our monitoring system, as it looks
like these attacks are using a lot of bandwidth (or alternatively it
overloads the Terminal Services server, I don't know which) and
causing the monitoring system's legit connection attempts to slow down
or fail completely (sometimes causing an alarm, and waking up the
on-duty admin).

Because these don't attempt any credential logins that will trigger
the script to ban the offending IP, our machines are unable to
automatically stop the attempts.
We can obtain the offending IP address and block it from the core, but
it's time consuming and another IP will just come along and repeat the
vicious cycle anyway.

I'm more or less asking if there's something that can be done either
on the machine itself, or somewhere else to limit/stop these attacks
as they interfere with our monitoring system (and sometimes us when we
are working on things). Doing rate limiting on our core is not
trivial, and is best avoided if possible.

Unfortunately going through a VPN or changing the RDP port is not an
option with some of our customers.

Also any insight into what is actually being attempted by these
machines would be helpful and quite interesting for me. I've been
unable to find any clue to what's happening on a packet level with
Network Monitor's parsers.

I appreciate any help greatly :)

Cheers.
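The poster's ban scripts key on failed-logon audit events, which a session that never sends credentials never produces. The following is an added example (not code from the thread or from any poster) of a detector that keys on the connection itself instead: it applies the same "y events over z seconds" idea, but counts distinct RDP destination hosts per source within a sliding window, so a source sweeping many machines is flagged while a monitoring host that reconnects to one server repeatedly is not. The log format ("timestamp src dst dport") and the sample lines are constructed for the example.

```python
"""Sliding-window detector for RDP connection sweeps (added example).

Counts, per source IP, the number of distinct destination hosts contacted on
the RDP port within a time window, independent of whether any logon was
attempted. Log format and sample data are hypothetical/constructed.
"""
from collections import defaultdict, deque
from datetime import datetime, timedelta

RDP_PORT = 3389

# Constructed sample connection log: "<ISO timestamp> <src> <dst> <dport>".
# 198.51.100.7 sweeps six internal hosts in a few seconds; 10.0.0.2 is a
# monitoring host that repeatedly reconnects to a single server.
SAMPLE_LOG = """\
2012-02-07T22:00:01 198.51.100.7 10.0.0.11 3389
2012-02-07T22:00:02 198.51.100.7 10.0.0.12 3389
2012-02-07T22:00:02 10.0.0.2 10.0.0.11 3389
2012-02-07T22:00:03 198.51.100.7 10.0.0.13 3389
2012-02-07T22:00:04 198.51.100.7 10.0.0.14 3389
2012-02-07T22:00:05 10.0.0.2 10.0.0.11 3389
2012-02-07T22:00:06 198.51.100.7 10.0.0.15 3389
2012-02-07T22:00:07 198.51.100.7 10.0.0.16 80
2012-02-07T22:00:08 198.51.100.7 10.0.0.16 3389
2012-02-07T22:00:09 10.0.0.2 10.0.0.11 3389
2012-02-07T22:05:00 203.0.113.9 10.0.0.20 3389
"""


def parse_line(line):
    """Parse one constructed log line into (timestamp, src, dst, dport)."""
    ts, src, dst, dport = line.split()
    return datetime.fromisoformat(ts), src, dst, int(dport)


def find_offenders(lines, max_hosts=5, window=timedelta(seconds=60), port=RDP_PORT):
    """Return {src_ip: timestamp} for sources that contacted at least
    `max_hosts` distinct destinations on `port` within `window`.

    The timestamp is the moment the threshold was first reached, i.e. when a
    ban action would fire. A source is reported once.
    """
    recent = defaultdict(deque)  # src -> deque of (timestamp, dst) in window
    offenders = {}
    for raw in lines:
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        ts, src, dst, dport = parse_line(line)
        if dport != port:
            continue  # only RDP connections are of interest here
        q = recent[src]
        q.append((ts, dst))
        # Drop entries that have aged out of the sliding window.
        while q and ts - q[0][0] > window:
            q.popleft()
        distinct_hosts = {d for _, d in q}
        if len(distinct_hosts) >= max_hosts and src not in offenders:
            offenders[src] = ts
    return offenders


if __name__ == "__main__":
    for ip, when in find_offenders(SAMPLE_LOG.splitlines()).items():
        print(f"ban candidate {ip}: threshold reached at {when.isoformat()}")
```

Feeding this from firewall or router connection logs rather than from the Windows Security log is the point: the "no logon attempted" sessions the thread describes still appear as TCP connections to 3389, so a connection-level feed closes the gap that an audit-failure-only script leaves open. Tune `max_hosts` and `window` to the number of servers a legitimate administrator would plausibly touch in that time.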

Madan Mohan Reddy S

Feb 8, 2012, 4:34:42 AM
to SANS Internet Storm Center / DShield
Hi all,

We have also observed this type of attack; it takes a lot of bandwidth
and firewall connections. Sometimes our firewall was unable to drop
the packets either. We managed to stop this attack by putting in an ACL
that denies RDP from any source and allows only the IPs which require
access, and for some clients we have changed the default RDP port number.

As per our observation, this attack is a DDoS/reflective DDoS.

That's all
Regards,
Madan


JUffe

Jul 20, 2012, 8:50:02 AM
to iscds...@googlegroups.com
You could also have a look at Syspeace for brute force prevention: http://www.syspeace.com

Rukmani Bhagat

Mar 1, 2013, 11:40:19 PM
to iscds...@googlegroups.com
Hi everyone,
can someone help me show to implement remote login with group force attack
please let me know as soon as possible......

Regards,
Rukmani Bhagat