Educause Security Discussion mailing list archives

Re: Repeated authentication attempts from same IP not same ID


From: Walter Reynolds <waltr () UMICH EDU>
Date: Fri, 4 Aug 2017 08:10:54 -0400

Thanks to those who have replied, but I see I should have been clearer about
what I was hoping for.  We do have a SIEM product and can monitor for them,
and adding either a rule on the ASA or a border ACL works, but soon after we
do that the attempts move to a new IP, so manual changes are not efficient.
With that in mind I was looking for solutions that were more automated.

As Brad from University of Colorado put it

"or, automatically block them depending on your tools/skills"


I am trying to determine what tools others may be using, whether commercial
or home-grown.  William at Fairfield mentioned AlienVault + Palo Alto
firewalls, and it has been suggested here to use remotely triggered black
hole filtering.  Can I get any feedback on either of these or other solutions
you may be using?

Sorry for the lack of clarity and for any future responses.



------------------------
Walter Reynolds
Principal Systems Security Development Engineer
Information and Technology Services
University of Michigan
(734) 615-9438

On Thu, Aug 3, 2017 at 3:12 PM, Walter Reynolds <waltr () umich edu> wrote:

I was wondering how, if at all, others are dealing with this type of
problem.

We are having an IP that is cycling through usernames trying to connect to
our VPN via remote access.  The attempts are enough that we noticed (while
most likely looking for something else) but not enough that they are
actually having an impact on the VPN server or its performance.

These are Cisco ASAs, and while I can limit the number of attempts for a
user, this cycling through valid accounts trying to catch one with the
correct password is not something it will catch.  I am wondering, one, if you
are seeing anything similar, and two, how you are dealing with it, if at all.

Next, the broader question of how you handle this brute-force-style attack
in general.

Thanks.

------------------------
Walter Reynolds
Principal Systems Security Development Engineer
Information and Technology Services
University of Michigan
(734) 615-9438
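The pattern Walter describes (one source IP, one or two failures against each of many valid accounts, so the per-user lockout on the ASA never fires) is password spraying, and the automated piece people are asking about is a detector keyed on the source IP rather than the username. The script below is an added example written for this thread; it is not code from the list, from Cisco, or from any of the products mentioned. It reads AAA-rejection syslog lines, counts distinct rejected usernames per source IP in a sliding window, and emits a block decision with an expiry when the count crosses a threshold. The log lines are constructed and modelled on the layout of ASA %ASA-6-113005 rejection messages (check them against your own export; the hostname, addresses and usernames are invented), the window and threshold values are assumptions to tune locally, the allowlist is there so a campus NAT gateway is never shunned, and the `shun` output is only the command a block would translate to on an ASA, with delivery to the device left out.

```python
"""Detect one source IP cycling through many usernames against a VPN
(password spraying) from AAA-rejection syslog and emit a block decision.

Added example for the thread; not code from the list or from Cisco.
Log lines are constructed, modelled on ASA %ASA-6-113005 messages; the
thresholds, allowlist and 'shun' enforcement are assumptions to adapt."""
import re
from collections import defaultdict, deque
from datetime import datetime

# Pull the timestamp, rejected user and client IP from a rejection line.
REJECT_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2}\s+\d{1,2} \d{2}:\d{2}:\d{2}) \S+ %ASA-\d-113005: "
    r".*?user = (?P<user>\S+) : user IP = (?P<ip>\d{1,3}(?:\.\d{1,3}){3})"
)
_EPOCH = datetime(1900, 1, 1)   # syslog has no year; only time deltas matter


def parse_reject(line):
    """Return (seconds, ip, user) for a rejection line, else None."""
    m = REJECT_RE.match(line)
    if not m:
        return None
    t = datetime.strptime(m.group("ts"), "%b %d %H:%M:%S")
    return (t - _EPOCH).total_seconds(), m.group("ip"), m.group("user")


class SprayDetector:
    """Sliding-window count of distinct rejected usernames per source IP.

    Per-user lockout never fires on spraying because each account sees
    only a failure or two, so this keys on the IP. Blocks expire (the
    attacker moves IPs anyway, and a shared address should not stay dark
    forever) and allowlisted IPs such as a campus NAT egress never block.
    """

    def __init__(self, window_s=600, min_distinct_users=8,
                 block_ttl_s=3600, allowlist=()):
        self.window_s = window_s
        self.min_distinct_users = min_distinct_users
        self.block_ttl_s = block_ttl_s
        self.allowlist = set(allowlist)
        self.history = defaultdict(deque)   # ip -> deque of (t, user)
        self.blocked = {}                   # ip -> block expiry time

    def observe(self, t, ip, user):
        """Feed one rejection; return a block decision dict or None."""
        if self.blocked.get(ip, 0) <= t:
            self.blocked.pop(ip, None)      # expired block (or none)
        q = self.history[ip]
        q.append((t, user))
        while q and t - q[0][0] > self.window_s:
            q.popleft()                     # drop events outside the window
        if ip in self.blocked or ip in self.allowlist:
            return None
        distinct = {u for _, u in q}
        if len(distinct) >= self.min_distinct_users:
            self.blocked[ip] = t + self.block_ttl_s
            return {"ip": ip, "distinct_users": len(distinct),
                    "attempts": len(q), "until": self.blocked[ip]}
        return None


def asa_shun_command(ip):
    """Assumed enforcement: ASA 'shun' drops all traffic from a source IP."""
    return f"shun {ip}"


def detect_sprays(lines, **kwargs):
    """Run the detector over syslog lines and return the block decisions."""
    det = SprayDetector(**kwargs)
    decisions = []
    for line in lines:
        parsed = parse_reject(line)
        if parsed:
            d = det.observe(*parsed)
            if d:
                decisions.append(d)
    return decisions


def _reject_line(ts, user, ip):
    return (f"{ts} vpn-asa %ASA-6-113005: AAA user authentication Rejected : "
            f"reason = Invalid password : server = 10.0.0.5 : user = {user} "
            f": user IP = {ip}")


def _constructed_log():
    """Constructed sample: one IP cycles through 10 usernames in about four
    minutes, a genuine user mistypes one password three times, and the
    attacker returns later from a second IP (documentation-range addresses)."""
    ev = [(f"Aug  3 14:0{1 + i // 4}:{(i % 4) * 15:02d}", f"user{i:02d}",
           "198.51.100.23") for i in range(10)]
    ev += [(f"Aug  3 14:07:{s:02d}", "mlee", "203.0.113.7") for s in (5, 20, 41)]
    ev += [(f"Aug  3 14:2{i // 6}:{(i % 6) * 10:02d}", f"acct{i:02d}",
            "198.51.100.24") for i in range(9)]
    return [_reject_line(ts, u, ip) for ts, u, ip in ev]


SAMPLE_LOG = _constructed_log()

if __name__ == "__main__":
    for d in detect_sprays(SAMPLE_LOG):
        print(f"{d['ip']}: {d['distinct_users']} users in {d['attempts']} "
              f"attempts -> {asa_shun_command(d['ip'])}")
```

With the defaults, the first source is flagged on its eighth distinct username and the second source is flagged independently when the attacker moves, while the single user failing three times is never touched; raising the threshold or allowlisting an address changes only which IPs are emitted, and the same decision record could just as well drive a border ACL or an RTBH route announcement instead of an ASA shun.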

