Educause Security Discussion mailing list archives

Re: Repeated authentication attempts from same IP not same ID


From: WALTER KERNER <walter_kerner () FITNYC EDU>
Date: Thu, 3 Aug 2017 15:20:30 -0400

You may be able to contact the abuse address at the source ISP. You should
also be able to disallow that IP address in the ASA config, so you don’t
have to worry about the bad guy stumbling on a valid account.







Walter Kerner

Acting AVP and CISO

333 7th Avenue, 13th Floor

New York, NY 10001

Voice: 212-217-3415



*From:* The EDUCAUSE Security Constituent Group Listserv [mailto:SECURITY () LISTSERV EDUCAUSE EDU] *On Behalf Of* Walter Reynolds
*Sent:* Thursday, August 03, 2017 3:13 PM
*To:* SECURITY () LISTSERV EDUCAUSE EDU
*Subject:* [SECURITY] Repeated authentication attempts from same IP not same ID



I was wondering how, if at all, others are dealing with this type of
problem.



We are having an IP that is cycling through usernames trying to connect to
our VPN via remote access.  The attempts are enough that we noticed (while
most likely looking for something else) but are not enough that it is
actually having an impact on the VPN server or its performance.



These are Cisco ASAs, and while I can limit the number of attempts for a
user, this cycling through valid accounts trying to catch one with the
correct password is not something it will catch.  Wondering, one, if you are
seeing anything similar and, two, how you are dealing with it, if at all.



Next, the broader question of how you handle this brute-force style attack
in general.



Thanks.



------------------------

Walter Reynolds

Principal Systems Security Development Engineer
Information and Technology Services
University of Michigan
(734) 615-9438
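
The pattern raised in this thread (one source address trying many usernames, each staying under the per-user attempt limit) can be detected by counting distinct usernames per source IP instead of failures per account. This is an added example, not code from either poster or from Cisco; the log format, function names, thresholds and sample addresses are constructed assumptions to adapt to your own authentication logs.

```python
import re
from collections import Counter, defaultdict, deque
from datetime import datetime, timedelta

# Constructed log format (an assumption, not real ASA syslog output):
#   <ISO timestamp> AUTH_FAIL src=<ip> user=<name>
LINE_RE = re.compile(r"^(\S+) AUTH_FAIL src=(\S+) user=(\S+)$")

def find_spraying_sources(lines, window=timedelta(minutes=10), max_users=5):
    """Return {src_ip: usernames} for sources that failed logins for more than
    max_users different usernames inside one sliding window (time-ordered input)."""
    recent = defaultdict(deque)   # src_ip -> deque of (time, user), oldest first
    flagged = {}
    for line in lines:
        m = LINE_RE.match(line.strip())
        if not m:
            continue              # skip lines that are not auth failures
        ts, src, user = datetime.fromisoformat(m.group(1)), m.group(2), m.group(3).lower()
        q = recent[src]
        q.append((ts, user))
        while q and ts - q[0][0] > window:   # drop events older than the window
            q.popleft()
        users = {u for _, u in q}
        if len(users) > max_users:
            flagged.setdefault(src, set()).update(users)
    return flagged

def max_failures_per_user(lines):
    """Highest failure count for any single username (what a per-user limit sees)."""
    hits = (LINE_RE.match(l.strip()) for l in lines)
    counts = Counter(m.group(3).lower() for m in hits if m)
    return max(counts.values(), default=0)

def build_sample():
    """Constructed sample: one source tries 8 usernames once each, 30 s apart,
    plus one real user who mistypes a password twice from another address."""
    t0 = datetime(2017, 8, 3, 15, 0, 0)
    lines = [f"{(t0 + timedelta(seconds=30 * i)).isoformat()} AUTH_FAIL src=203.0.113.7 user=user{i:02d}"
             for i in range(8)]
    lines += [f"{(t0 + timedelta(minutes=m)).isoformat()} AUTH_FAIL src=198.51.100.20 user=jsmith"
              for m in (1, 2)]
    return sorted(lines)          # ISO timestamps sort chronologically

if __name__ == "__main__":
    sample = build_sample()
    print("max failures for any one user:", max_failures_per_user(sample))
    for src, users in find_spraying_sources(sample).items():
        print(f"{src}: {len(users)} distinct usernames in window")
```

In the constructed sample no single account sees more than two failures, so a per-user limit never trips, while the per-source count of distinct usernames flags the cycling address.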
