Am I under attack for a brute force or dictionary attack on my Windows server?

Brute force attack or dictionary attack on Windows servers

Dictionary attack and Brute force attack are fairly easy to find out if your Windows servers are being hit with some sort of an attack.

Simply enable auditing of Logon Events in your Security Policy and look at the eventviewer and see what pops up. You will then know if your server are hit by brute force or dictionary.

Dictionary or Brute force in the eventviewer

Open your eventviewer and search for logon events named 4625 n Windows 7, Vista, 2008 , 2008 R2, 2012, 2012 R2 or 529 on Windows server 2003.

Open up these events and look at the username used, the network source address and see if they are legitimate login attempts or not.
You could use for instance WHOIS to find out where the attack came from or traceroute or nslookup.

How do you single out dictionary or Brute force attack?

If you’re under attack you’ll be seeing hundreds or thousands of failed logon attempts, sometimes from a single IP address or in a more serious scenario, from hundreds or even thousands IP addresses at once.

In some cases, such an attack is also just a way to hide the real purpose behind the attack which is to find out what security measures you have in place and to search for any vulnerabilities you may have in place that can be use to hack you later on. The attacker tries to “hide in the noise” so to speak.

If it’s a single IP address it’s fairly easy just to block the attacker in your external firewall completely or in the local Windows firewall (assuming you’re awake and have seen the attack ) but, if it’s hundreds or thousands at once it becomes more or less impossible if you can’t automate it.

This is where Syspeace comes into play.

Syspeace – The innovative tool for Brute force and Dictionary attacks

Syspeace automatically monitors, traces, blocks and reports failed logon events if they reach the criteria you’ve set up, for example “If an attacker fails to login 10 times during 30 minutes, I want the attackers IP address to be blocked completely on all ports for 2 hours” or even “If an IP address fails to login more than 10 times during 7 days, I want the attacker to be blocked ..”

If you’re under attack, the fastest and easiest way is to download the free trial of Syspeace, install it and simply start the Syspeace service and the attack will be blocked automatically within minutes.

At the moment, Syspeace supports Windows 2003, 2008, 2008 R2, 2012, 2012 R2 and all of the SBS versions, SQL Server, Exchange Server, Citrix and more.
Out of the box.
And there’s a fully functional, free 30 day trial on the website. We help you check for brute force attack and dictionary attack the easy way.

Syspeace saves time and money blocking brute force attempts. So far we’ve saved 4 292 968 US$

This is just a geeky, cost calculating experiment really. Nothing scientific or anything. Just a fun thought on how easy it is to calculate the ROI for the low cost of Syspeace licenses.

Yesterday evening we had a really interesting meeting with a future reseller so we thought we’d take a look at the actual numbers of blocked attacks.
Syspeace had blocked over +314 000 brute force attempts on Windows servers worldwide.

This morning I started thinking.

If each attack takes 15 minutes to manage manually with these steps
1. Find the IP address of the attacker in the event viewer, then block the attack (in the internal or external firewall)
2 Trace the origin (using traceroute, nslookup and whois) and log it somwhere
3. Decide if it’s worth following up and making ot a police matter

That would mean we’ve saved 314 000 * 15 minutes = 78 500 man hours of manual work around the world.

The US$ is about 6.8 Swedish Cronas today.

If each tech has a salary of 35 000 (approx. 5100 US$) per month (an average tekkie salary in Sweden)  the average hourly salary is 218 Swedish Krona (32 US$) .

For the employer , that number is about the salary time 1,7 (due to taxes and stuff ) so that would basically amount up to 371 Swedish Krona as a cost for the employer.

What we saved in manual labor with Syspeace would be 78 500 * 371 = 29 192 187 Swedish Cronas (or 4 292 968 US$) in actual cost savings bot most of all, we’ve made the life of the sysadmin easier and he can focus on other stuff than managing brute force attempts and let Syspeace do the work.

A lot of IT projects could do with an extra 78 500 man hours..

If you’re up for cutting costs and increasing security at the same time, have a look at the free trial download at the Syspeace website

A thought by Juha Jurvanen @ JufCorp