Educause Security Discussion mailing list archives

Re: Repeated authentication attempts from same IP not same ID


From: Garrett Hildebrand <gdh () UCI EDU>
Date: Thu, 3 Aug 2017 12:24:51 -0700

We take the VPN logs in Splunk and there is an alert that looks
for multiple login failures from the same IP. There is a certain
noise factor for off-campus apartments that provide wireless
coverage and NAT off one IP, but you get to know those. If it
looks like the activity you described is going on, we block the
IP at the border.

Garrett
-==-==-
G.D. Hildebrand              Senior IT Security Analyst
UC Irvine, OIT, 6137 Ayala Sci Lib., Irvine, 92697-1175
tel.: 949-824-8913                   email: gdh () uci edu
Created new page 15 December 2016
My URL is http://about.me/garretthildebrand
*Splunk - the Benihana of log-data slicing and dicing.*

Don't be a victim of phishing. Legitimate businesses don't ask you
to send sensitive information through insecure channels. Learn more:
http://er.educause.edu/blogs/2016/3/april-dont-get-hooked
Handle passwords wisely: http://www.bbc.com/news/technology-37510501


Today (Thu, 3 Aug 2017) at 15:12 -0400 Walter Reynolds wrote:

I was wondering how, if at all, others are dealing with this type of
problem.

We are having an IP that is cycling through usernames trying to connect to
our VPN via remote access.  The attempts are enough that we noticed (while
most likely looking for something else) but are not enough that it is
actually having an impact on the VPN server or its performance.

These are Cisco ASAs and while I can limit the number of attempts for a
user, this cycling through valid accounts trying to catch one with the
correct password is not something it will catch.  Wondering, one, if you are
seeing anything similar and, two, how you are dealing with it, if at all.

Next, the broader question of how you handle this brute force style attack
in general.

Thanks.

------------------------
Walter Reynolds
Principal Systems Security Development Engineer
Information and Technology Services
University of Michigan
(734) 615-9438
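
Added example, not part of either message and not UC Irvine's Splunk alert: the detection described in the thread, written in Python. It groups failed VPN logins by source IP, flags an IP that fails as several distinct usernames inside a time window, and skips an allowlist of known NAT addresses. The log lines are constructed and only modeled on the ASA AAA-reject syslog layout (an assumption); the function name, thresholds and addresses are illustrative.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed events (time, user, source IP); addresses are documentation ranges.
_EVENTS = [
    ("15:00:01", "asmith", "203.0.113.7"), ("15:00:20", "bjones", "203.0.113.7"),
    ("15:00:41", "jdoe", "198.51.100.20"), ("15:01:02", "cwu", "203.0.113.7"),
    ("15:01:15", "jdoe", "198.51.100.20"), ("15:01:30", "dlee", "203.0.113.7"),
    ("15:02:00", "jdoe", "198.51.100.20"), ("15:03:00", "mkay", "192.0.2.44"),
    ("15:04:00", "npat", "192.0.2.44"), ("15:05:00", "orio", "192.0.2.44"),
    ("15:06:00", "pvan", "192.0.2.44"),
]
# Assumed line layout, modeled on the ASA "AAA user authentication Rejected" message.
SAMPLE_LOG = "\n".join(
    f"2017-08-03T{t} %ASA-6-113005: AAA user authentication Rejected : "
    f"reason = AAA failure : server = 10.0.0.5 : user = {u} : user IP = {ip}"
    for t, u, ip in _EVENTS
)

LINE_RE = re.compile(
    r"^(?P<ts>\S+) %ASA-\d-113005: AAA user authentication Rejected .*?"
    r": user = (?P<user>\S+) : user IP = (?P<ip>\S+)$"
)

def find_username_cycling(log_text, min_users=4, window=timedelta(minutes=10),
                          known_nat=frozenset()):
    """Map each source IP to the usernames it failed as, if it failed as at
    least min_users distinct usernames within window. Lines must be in time order."""
    recent = defaultdict(deque)  # ip -> (timestamp, user) failures inside the window
    flagged = {}
    for line in log_text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m or m["ip"] in known_nat:  # skip other messages and known NAT noise
            continue
        ts = datetime.fromisoformat(m["ts"])
        q = recent[m["ip"]]
        q.append((ts, m["user"]))
        while ts - q[0][0] > window:  # expire failures older than the window
            q.popleft()
        users = {u for _, u in q}
        # Repeated failures for one username stay at 1 here; per-user lockout covers those.
        if len(users) >= min_users:
            flagged.setdefault(m["ip"], set()).update(users)
    return {ip: sorted(names) for ip, names in flagged.items()}

if __name__ == "__main__":
    for ip, names in find_username_cycling(SAMPLE_LOG, known_nat={"192.0.2.44"}).items():
        print(f"{ip}: {len(names)} usernames failed: {', '.join(names)}")
```

Without the allowlist, the constructed shared-NAT address 192.0.2.44 is flagged as well, which is the noise factor mentioned in the reply.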


