Educause Security Discussion mailing list archives

Re: Repeated authentication attempts from same IP not same ID


From: Brad Judy <brad.judy () CU EDU>
Date: Thu, 3 Aug 2017 19:18:19 +0000

SIEM products are good for alerting on such things; however, they are often confused by the use of NAT IPs where 
students might congregate (off-campus housing, coffee shops, etc.). Additionally, SIEMs can get confused by log sources 
that don’t properly track true client IP addresses.

If you are able to tune the alerts to address these issues, they can be handy to detect such attacks and allow you to 
block the offender (or automatically block them, depending on your tools/skills).

Brad Judy

Information Security Officer
Office of Information Security
University of Colorado
1800 Grant Street, Suite 300
Denver, CO  80203
Office: (303) 860-4293
Fax: (303) 860-4302
www.cu.edu


From: EDUCAUSE Listserv <SECURITY () LISTSERV EDUCAUSE EDU> on behalf of Walter Reynolds <waltr () UMICH EDU>
Reply-To: EDUCAUSE Listserv <SECURITY () LISTSERV EDUCAUSE EDU>
Date: Thursday, August 3, 2017 at 1:12 PM
To: EDUCAUSE Listserv <SECURITY () LISTSERV EDUCAUSE EDU>
Subject: [SECURITY] Repeated authentication attempts from same IP not same ID

I was wondering how, if at all, others are dealing with this type of problem.

We are having an IP that is cycling through usernames trying to connect to our VPN via remote access.  The attempts are 
enough that we noticed (while most likely looking for something else) but are not enough that it is actually having an 
impact on the VPN server or its performance.

These are Cisco ASAs, and while I can limit the number of attempts for a user, this cycling through valid accounts 
trying to catch one with the correct password is not something it will catch.  Wondering, one, if you are seeing 
anything similar and, two, how you are dealing with it, if at all.

Next, the broader question of how you handle this brute-force-style attack in general.

Thanks.

------------------------
Walter Reynolds
Principal Systems Security Development Engineer
Information and Technology Services
University of Michigan
(734) 615-9438
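The pattern Walter describes (one source address cycling through valid usernames, never tripping the per-user attempt limit) and the SIEM-style rule Brad describes, including the tuning for NAT addresses, as an added example that is not part of either post. It assumes a simplified VPN auth-failure log whose layout is loosely modelled on the ASA 113005 "AAA user authentication Rejected" message (the exact field layout is an assumption, not a captured log), hypothetical function names `parse_line` and `detect_username_cycling`, and constructed sample log lines. The rule keys on distinct usernames per source IP in a sliding window, which is exactly what a per-user lockout cannot see.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample log (not a real capture). It contains:
#   203.0.113.9  - one source cycling through eight usernames (the spray)
#   198.51.100.7 - a NAT address where several real users fail at a normal background rate
#   192.0.2.4    - one user mistyping a password repeatedly (per-user lockout already covers this)
# Message layout is loosely modelled on the ASA 113005 rejection message; treat it as an assumption.
SAMPLE_LOG = """\
Aug  3 13:00:00 asa1 %ASA-6-113004: AAA user authentication Successful : server = 10.0.0.5 : user = alice
Aug  3 13:00:05 asa1 %ASA-6-113005: AAA user authentication Rejected : reason = Invalid password : server = 10.0.0.5 : user = alice : user IP = 203.0.113.9
Aug  3 13:00:10 asa1 %ASA-6-113005: AAA user authentication Rejected : reason = Invalid password : server = 10.0.0.5 : user = ivan : user IP = 198.51.100.7
Aug  3 13:00:35 asa1 %ASA-6-113005: AAA user authentication Rejected : reason = Invalid password : server = 10.0.0.5 : user = bob : user IP = 203.0.113.9
Aug  3 13:01:05 asa1 %ASA-6-113005: AAA user authentication Rejected : reason = Invalid password : server = 10.0.0.5 : user = carol : user IP = 203.0.113.9
Aug  3 13:01:35 asa1 %ASA-6-113005: AAA user authentication Rejected : reason = Invalid password : server = 10.0.0.5 : user = dave : user IP = 203.0.113.9
Aug  3 13:01:40 asa1 %ASA-6-113005: AAA user authentication Rejected : reason = Invalid password : server = 10.0.0.5 : user = judy : user IP = 198.51.100.7
Aug  3 13:02:00 asa1 %ASA-6-113005: AAA user authentication Rejected : reason = Invalid password : server = 10.0.0.5 : user = bob : user IP = 192.0.2.4
Aug  3 13:02:05 asa1 %ASA-6-113005: AAA user authentication Rejected : reason = Invalid password : server = 10.0.0.5 : user = erin : user IP = 203.0.113.9
Aug  3 13:02:10 asa1 %ASA-6-113005: AAA user authentication Rejected : reason = Invalid password : server = 10.0.0.5 : user = bob : user IP = 192.0.2.4
Aug  3 13:02:20 asa1 %ASA-6-113005: AAA user authentication Rejected : reason = Invalid password : server = 10.0.0.5 : user = bob : user IP = 192.0.2.4
Aug  3 13:02:30 asa1 %ASA-6-113005: AAA user authentication Rejected : reason = Invalid password : server = 10.0.0.5 : user = bob : user IP = 192.0.2.4
Aug  3 13:02:35 asa1 %ASA-6-113005: AAA user authentication Rejected : reason = Invalid password : server = 10.0.0.5 : user = frank : user IP = 203.0.113.9
Aug  3 13:02:40 asa1 %ASA-6-113005: AAA user authentication Rejected : reason = Invalid password : server = 10.0.0.5 : user = bob : user IP = 192.0.2.4
Aug  3 13:02:50 asa1 %ASA-6-113005: AAA user authentication Rejected : reason = Invalid password : server = 10.0.0.5 : user = bob : user IP = 192.0.2.4
Aug  3 13:03:05 asa1 %ASA-6-113005: AAA user authentication Rejected : reason = Invalid password : server = 10.0.0.5 : user = grace : user IP = 203.0.113.9
Aug  3 13:03:20 asa1 %ASA-6-113005: AAA user authentication Rejected : reason = Invalid password : server = 10.0.0.5 : user = ken : user IP = 198.51.100.7
Aug  3 13:03:35 asa1 %ASA-6-113005: AAA user authentication Rejected : reason = Invalid password : server = 10.0.0.5 : user = heidi : user IP = 203.0.113.9
Aug  3 13:05:00 asa1 %ASA-6-113005: AAA user authentication Rejected : reason = Invalid password : server = 10.0.0.5 : user = liz : user IP = 198.51.100.7
Aug  3 13:06:30 asa1 %ASA-6-113005: AAA user authentication Rejected : reason = Invalid password : server = 10.0.0.5 : user = mike : user IP = 198.51.100.7
Aug  3 13:08:00 asa1 %ASA-6-113005: AAA user authentication Rejected : reason = Invalid password : server = 10.0.0.5 : user = nina : user IP = 198.51.100.7
"""

# Only rejection lines carry a client address, so only those match.
LOG_RE = re.compile(
    r"^(?P<mon>\w{3})\s+(?P<day>\d{1,2}) (?P<time>\d\d:\d\d:\d\d) \S+ "
    r"%ASA-\d-113005: AAA user authentication Rejected : .*?"
    r"user = (?P<user>\S+) : user IP = (?P<ip>\S+)$"
)


def parse_line(line):
    """Parse one rejection line into {ts, user, ip}; return None for anything else."""
    m = LOG_RE.match(line)
    if not m:
        return None
    # Syslog timestamps carry no year; only relative ordering matters for the window.
    ts = datetime.strptime(f"{m['mon']} {m['day']} {m['time']}", "%b %d %H:%M:%S")
    return {"ts": ts, "user": m["user"], "ip": m["ip"]}


def detect_username_cycling(lines, window=timedelta(minutes=10), threshold=5,
                            nat_allowlist=frozenset(), nat_multiplier=4):
    """Flag source IPs that fail authentication for >= threshold DISTINCT usernames
    inside any sliding window. Known NAT addresses are not ignored (an attacker can
    sit behind one too); their threshold is raised by nat_multiplier instead.
    Returns {ip: sorted list of usernames seen from that ip while it was over threshold}."""
    events = [e for e in (parse_line(l) for l in lines) if e]
    events.sort(key=lambda e: e["ts"])
    recent = defaultdict(deque)   # ip -> deque of (ts, user) inside the window
    alerts = {}
    for e in events:
        q = recent[e["ip"]]
        q.append((e["ts"], e["user"]))
        while q and e["ts"] - q[0][0] > window:
            q.popleft()           # expire events older than the window
        limit = threshold * (nat_multiplier if e["ip"] in nat_allowlist else 1)
        users = {u for _, u in q}
        if len(users) >= limit:
            alerts.setdefault(e["ip"], set()).update(users)
    return {ip: sorted(u) for ip, u in alerts.items()}


if __name__ == "__main__":
    lines = SAMPLE_LOG.splitlines()
    print("untuned:", detect_username_cycling(lines))
    print("NAT-tuned:", detect_username_cycling(lines, nat_allowlist=frozenset({"198.51.100.7"})))
```

Run untuned, the rule flags both the spraying address and the NAT address, which is the false positive Brad warns about; with the NAT address allowlisted its threshold rises fourfold and only the spray remains, while the single user hammering their own account never appears because the key is distinct usernames, not attempts. Brad's second caveat, log sources that do not record the true client IP, shows up here as the `user IP` field holding a proxy or load-balancer address: every client then collapses onto one IP and the rule either fires constantly or has to be allowlisted into uselessness, so fixing the log source comes before tuning the rule.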

