Security Incidents mailing list archives
Re: DoS and Windows Login
From: "KoRe MeLtDoWn" <koremeltdown () hotmail com>
Date: Fri, 18 Oct 2002 06:50:29 +0000
It could be both - the attackers motive is his knowledge and I believe it's up to you to solve the problem. One method might be to make an application that emails an admin that is on campus at the ime when one of these "attacks" takes place and then have them respond immediately. I know this is a labour resouce consuming way of dealing with it, but I cant think of (maybe someone else can!) a more effective way to deal with these attacks. Perhaps it is just one person and catching them out would put a stop to your problems and make everyone happier.
Hamish Stanaway -= KoRe WoRkS =- Internet Security Owner/Operator http://www.koreworks.com/ New Zealand Is your box REALLY secure?
From: "Nicholas C. Weaver" <nweaver () CS Berkeley EDU> To: incidents () securityfocus com Subject: DoS and Windows Login Date: Thu, 17 Oct 2002 14:16:34 -0700 (PDT) MIME-Version: 1.0Received: from outgoing.securityfocus.com ([205.206.231.27]) by mc3-f39.law16.hotmail.com with Microsoft SMTPSVC(5.0.2195.5600); Thu, 17 Oct 2002 21:25:21 -0700 Received: from lists.securityfocus.com (lists.securityfocus.com [205.206.231.19])by outgoing.securityfocus.com (Postfix) with QMQPid 49C34A3176; Thu, 17 Oct 2002 16:15:13 -0600 (MDT)Received: (qmail 26951 invoked from network); 17 Oct 2002 20:50:17 -0000 Mailing-List: contact incidents-help () securityfocus com; run by ezmlm Precedence: bulk List-Id: <incidents.list-id.securityfocus.com> List-Post: <mailto:incidents () securityfocus com> List-Help: <mailto:incidents-help () securityfocus com> List-Unsubscribe: <mailto:incidents-unsubscribe () securityfocus com> List-Subscribe: <mailto:incidents-subscribe () securityfocus com> Delivered-To: mailing list incidents () securityfocus com Delivered-To: moderator for incidents () securityfocus com Message-Id: <200210172116.g9HLGYE06492 () ribbit CS Berkeley EDU> X-Mailer: ELM [version 2.5 PL2]Return-Path: incidents-return-4297-koremeltdown=hotmail.com () securityfocus com X-OriginalArrivalTime: 18 Oct 2002 04:25:22.0025 (UTC) FILETIME=[5F743590:01C2765E]UC Berkeley runs a fairly open network (*GASP*, no firewall). Lately, many users have been experiencing a minor but annoying DOS attack: The windows system's authentication procedures, after X failed password tries, locks out the account for 30 minutes. Someone or some group is doing large scale password guessing which is resulting in many users being unable to log in in the morning, until this timeout passes. Question: Have those in other universities or other generally open computing environments noticed a similar trend? Is this the work of an attacker trying to brute-force passwords or a deliberate DOS attempt? -- Nicholas C. Weaver nweaver () cs berkeley edu ---------------------------------------------------------------------------- This list is provided by the SecurityFocus ARIS analyzer service. For more information on this free incident handling, management and tracking system please see: http://aris.securityfocus.com
_________________________________________________________________Surf the Web without missing calls! Get MSN Broadband. http://resourcecenter.msn.com/access/plans/freeactivation.asp
---------------------------------------------------------------------------- This list is provided by the SecurityFocus ARIS analyzer service.For more information on this free incident handling, management and tracking system please see: http://aris.securityfocus.com
Current thread:
- DoS and Windows Login Nicholas C. Weaver (Oct 17)
- Re: DoS and Windows Login Brad Arlt (Oct 17)
- <Possible follow-ups>
- RE: DoS and Windows Login Paul Carroll (Oct 17)
- Re: DoS and Windows Login KoRe MeLtDoWn (Oct 18)