https://live.paloaltonetworks.com/t5/general-topics/ftp-brute-force-attack-blocked-only-after-13-seconds/m-p/23544#M17169 <HTML><HEAD></HEAD><BODY><P>This is why continous tcpdump is nice to have <span class="lia-unicode-emoji" title=":slightly_smiling_face:">🙂</span></P><P></P><P>First I would verify if the srcip is the same for all 302 attempts.</P><P></P><P>Second I would guess they was sent with 100 or so concurrent connections which I guess could end up with an situation where more attempts has passed through before the srcip was cut off totally.</P><P></P><P>I mean the attack was not (just guessing):</P><P></P><P>connect</P><P>login</P><P>connect</P><P>login</P><P>...</P><P></P><P>but rather</P><P></P><P>connect</P><P>connect</P><P>connect</P><P>...</P><P>login</P><P>login</P><P>login</P><P>....</P><P></P><P>Edit: As a sidenote most FTP servers have such "anti-hammering" as a setting like filezilla among others which I guess might deal with this better than the FW.</P></BODY></HTML> Mon, 20 Aug 2012 22:40:47 GMT mikand 2012-08-20T22:40:47Z https://live.paloaltonetworks.com/t5/general-topics/ftp-brute-force-attack-blocked-only-after-13-seconds/m-p/23543#M17168 <HTML><HEAD></HEAD><BODY><P>Hello,</P><P></P><P>Two months ago we correctly set up a rule to block Brute Force attacks on our FTP server in DMZ.</P><P>The related information can be found here: <A _jive_internal="true" href="https://live.paloaltonetworks.com/message/16977#16977">https://live.paloaltonetworks.com/message/16977#16977</A></P><P></P><P>We tested it manually by just entering wrong passwords quickly for the FTP server and after 10 attempts we were blocked from our own FTP server.</P><P>The config seemed to be working.</P><P></P><P>Last week had a real brute force attack on our FTP server in DMZ.</P><P>A total of 302 attempts were made in 13 seconds before it was blocked.</P><P>According to the documentation I've read it should be blocked after 10 attempts.</P><P></P><P>I can't find out why it was only blocked after 302 attempts and after 13 seconds.</P><P>If anyone could tell me why this happens I would very much appriciate it.</P><P></P><P>Thanks in advance,</P><P></P><P>Hans.</P></BODY></HTML> Tue, 14 Aug 2012 08:21:46 GMT https://live.paloaltonetworks.com/t5/general-topics/ftp-brute-force-attack-blocked-only-after-13-seconds/m-p/23543#M17168 hnederstigt 2012-08-14T08:21:46Z https://live.paloaltonetworks.com/t5/general-topics/ftp-brute-force-attack-blocked-only-after-13-seconds/m-p/23544#M17169 <HTML><HEAD></HEAD><BODY><P>This is why continous tcpdump is nice to have <span class="lia-unicode-emoji" title=":slightly_smiling_face:">🙂</span></P><P></P><P>First I would verify if the srcip is the same for all 302 attempts.</P><P></P><P>Second I would guess they was sent with 100 or so concurrent connections which I guess could end up with an situation where more attempts has passed through before the srcip was cut off totally.</P><P></P><P>I mean the attack was not (just guessing):</P><P></P><P>connect</P><P>login</P><P>connect</P><P>login</P><P>...</P><P></P><P>but rather</P><P></P><P>connect</P><P>connect</P><P>connect</P><P>...</P><P>login</P><P>login</P><P>login</P><P>....</P><P></P><P>Edit: As a sidenote most FTP servers have such "anti-hammering" as a setting like filezilla among others which I guess might deal with this better than the FW.</P></BODY></HTML> Mon, 20 Aug 2012 22:40:47 GMT https://live.paloaltonetworks.com/t5/general-topics/ftp-brute-force-attack-blocked-only-after-13-seconds/m-p/23544#M17169 mikand 2012-08-20T22:40:47Z