DOS / Brute Force Attack on an FTP Server

Hello all,

Just wanted to consult the network bods around here on an issue I’ve recently uncovered with one of our web servers.

It appears that someone is trying to attack the FTP service as the IIS log reveals thousands of hits an hour attempting to crack the Administrator account. To get an idea of the extent of the attack our daily IIS log for the server is around 40MB (not too huge but way above normal!).

The local admin account is not called administrator so I’m not too concerned about the brute force side of things, however I am concerned about the unnecessary load being placed on the server.

I tried using IPSec and IIS' IP filtering tools however the IP is different each day and is proving hard to stop. What would you guys do in a situation like this?

Dan.
 
Are the attacks coming from the same IP each day? (I know you've said the IP is different each day, I mean say you get 1000 attacks on Monday, are they all from the same IP?)
Yes.


What is the frequency? (simultaneous connections or successive)
As far as I can see they are successive.


What firewall are you using?
A Cisco PIX 515e


Is the attack coming from the same IP each time?
No it changes. If I block traffic by IP it takes a couple of days to re-appear under a different one.


Failing that is it possible to change the IP on the server?
Not really no. The server is used to host around 80 public facing web sites. FTP is used by our clients to upload data to their web directories. I suppose the ideal solution would be some kind of connection lockout feature that blocks an IP following a number of invalid connection attempts. I have configured account lockout policies within Windows but as the account in question does not exist then the attack continues without intervention.

Thanks for the input so far!

Dan.
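
The per-IP lockout asked for in the post above (block an address after a number of invalid login attempts) can be approximated by scanning the FTP log. This is an added example, not part of the thread: it assumes a W3C extended log whose `#Fields` line includes `time`, `c-ip`, `cs-method` and `sc-status`, and the sample lines, addresses and the `find_offenders` name are constructed for illustration.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample log (documentation-range addresses). The field layout is
# an assumption; the parser reads it from the #Fields line of the real log.
SAMPLE_LOG = ["#Date: 2004-03-01 00:00:00",
              "#Fields: time c-ip cs-method cs-uri-stem sc-status"]
for s in range(6):   # fast guesser: six rejected logins in six seconds
    SAMPLE_LOG += [f"00:00:{s:02d} 203.0.113.9 [1]USER Administrator 331",
                   f"00:00:{s:02d} 203.0.113.9 [1]PASS - 530"]
for m in range(5, 30, 5):   # client mistyping a password every five minutes
    SAMPLE_LOG.append(f"00:{m:02d}:00 198.51.100.20 [2]PASS - 530")
SAMPLE_LOG.append("00:30:00 198.51.100.20 [2]PASS - 230")


def find_offenders(lines, max_failures=5, window=timedelta(minutes=1)):
    """Return {ip: time the threshold was crossed} for rejected FTP logins."""
    fields, day = [], "1970-01-01"
    recent = defaultdict(deque)   # ip -> timestamps of failures inside window
    offenders = {}
    for line in lines:
        line = line.strip()
        if line.startswith("#Fields:"):
            fields = line.split()[1:]
        elif line.startswith("#Date:"):
            day = line.split()[1]
        if not line or line.startswith("#"):
            continue
        parts = line.split()
        if len(parts) != len(fields):
            continue   # truncated line or a field containing spaces
        rec = dict(zip(fields, parts))
        # 530 is the FTP "not logged in" reply. Counting is per client IP,
        # not per account, so guesses at a nonexistent account still count.
        if rec.get("sc-status") != "530" or "PASS" not in rec.get("cs-method", ""):
            continue
        ts = datetime.strptime(f"{day} {rec['time']}", "%Y-%m-%d %H:%M:%S")
        q = recent[rec["c-ip"]]
        q.append(ts)
        while ts - q[0] > window:   # drop failures older than the window
            q.popleft()
        if len(q) >= max_failures:
            offenders.setdefault(rec["c-ip"], ts)
    return offenders


if __name__ == "__main__":
    for ip, when in find_offenders(SAMPLE_LOG).items():
        print(f"{ip} crossed the threshold at {when}; candidate for a deny rule")
```

The returned addresses are candidates for a deny rule on the firewall or in IIS; the threshold and window keep a client who occasionally mistypes a password off the list.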
 