Brute force attack or dictionary attack on Windows servers
It’s relatively easy to determine if your Windows servers are hit with Dictionary or Brute force attacks.
Simply enable auditing of Logon Events in your Security Policy and look at the event viewer and see what pops up. You will then know if your server is hit by brute force or a dictionary attack.
Dictionary or Brute force in the event viewer
Open your event viewer and search the Security log for failed logon events: event ID 4625 on Windows 7, Vista, 2008, 2008 R2, 2012, and 2012 R2, or event ID 529 on Windows Server 2003.
Open up these events and look at the username used, and the network source address, and see if they are legitimate login attempts or not.
For example, you could use WHOIS, traceroute, or nslookup to find out where the attack came from.
How do you single out a Dictionary or Brute force attack?
If you’re under attack you’ll see hundreds or thousands of failed login attempts, sometimes from a single IP address or in a more serious scenario, from hundreds or even thousands of IP addresses at once.
In some cases, such an attack is also just a way to hide its real purpose, which is to find out what security measures you have in place and to search for vulnerabilities that can be used to hack you later on. The attacker tries to “hide in the noise” so to speak.
If it’s a single IP address, it’s fairly easy to block the attacker completely in your external firewall or in the local Windows firewall (assuming you’re awake and have seen the attack). If it’s hundreds or thousands at once, it becomes more or less impossible unless you can automate it.
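The counting described above can be scripted. The following PowerShell is an added example, not part of the original page and not Syspeace's code: it groups event ID 4625 records by source address and flags any address that reaches the "10 failures during 30 minutes" rule quoted further down. The function names, the flattened field names and the sample addresses are assumptions made for the illustration, and event ID 529 on Windows Server 2003 is not covered.

```powershell
# Turn one 4625 record returned by Get-WinEvent into a flat object.
function ConvertFrom-FailedLogon {
    param([Parameter(Mandatory)] $Record)
    $fields = @{}
    foreach ($d in ([xml]$Record.ToXml()).Event.EventData.Data) {
        $fields[$d.Name] = $d.'#text'
    }
    [pscustomobject]@{
        Time      = $Record.TimeCreated
        IpAddress = $fields['IpAddress']
        User      = $fields['TargetUserName']
    }
}

# Report every source address with at least $Threshold failures in any window of $WindowMinutes.
function Find-FailedLogonBurst {
    param(
        [Parameter(Mandatory)] [object[]] $Logons,
        [int] $Threshold = 10,
        [int] $WindowMinutes = 30
    )
    $window = [TimeSpan]::FromMinutes($WindowMinutes)
    # Local or service failures carry '-' or nothing as the source address; skip them.
    $remote = $Logons | Where-Object { $_.IpAddress -and $_.IpAddress -ne '-' }
    foreach ($group in ($remote | Group-Object IpAddress)) {
        $sorted = @($group.Group | Sort-Object Time)
        $start = 0; $peak = 0
        for ($end = 0; $end -lt $sorted.Count; $end++) {
            # Slide the left edge forward until the span fits inside the window.
            while (($sorted[$end].Time - $sorted[$start].Time) -gt $window) { $start++ }
            $peak = [Math]::Max($peak, $end - $start + 1)
        }
        if ($peak -ge $Threshold) {
            [pscustomobject]@{
                IpAddress    = $group.Name
                Failures     = $sorted.Count
                PeakInWindow = $peak
                Users        = @($sorted.User | Sort-Object -Unique).Count
            }
        }
    }
}

# Constructed sample: 12 failures in 22 minutes from one address, 3 over 6 hours from another.
$t0 = [datetime]'2024-01-01T03:00:00'
$sample  = @(0..11 | ForEach-Object { [pscustomobject]@{ Time = $t0.AddMinutes(2 * $_); IpAddress = '203.0.113.7'; User = "user$_" } })
$sample += @(0..2 | ForEach-Object { [pscustomobject]@{ Time = $t0.AddHours(3 * $_); IpAddress = '198.51.100.20'; User = 'alice' } })
$sample += [pscustomobject]@{ Time = $t0; IpAddress = '-'; User = 'svc_backup' }
Find-FailedLogonBurst -Logons $sample
# Live use (elevated prompt): pipe Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 4625 } through ConvertFrom-FailedLogon first.
```

A high count of distinct user names from one address points to a dictionary run over account names, while many failures against a single account points to password guessing.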
This is where Syspeace comes into play.
Syspeace – The innovative tool for Brute force and Dictionary attacks
Syspeace automatically monitors, traces, blocks and reports failed logon events if they reach the criteria you’ve set up, for example, “If an attacker fails to log in 10 times during 30 minutes, I want the attacker’s IP address to be blocked completely on all ports for 2 hours” or even “If an IP address fails to log in more than 10 times during 7 days, I want the attacker to be blocked…”
If you’re under attack, the fastest and easiest way is to download the free trial of Syspeace, install it, and simply start the Syspeace service and the attack will be blocked automatically within minutes.
Syspeace supports updates:
At the moment, Syspeace supports Windows 2003, 2008, 2008 R2, 2012, 2012 R2, 2016, and all of the SBS versions, SQL Server, Exchange Server, Citrix, and more, out of the box.
And there’s a fully functional, free 30-day trial on the website. We help you check for Brute force and Dictionary attacks the easy way.