08-14-2012 01:21 AM
Hello,
Two months ago we correctly set up a rule to block Brute Force attacks on our FTP server in DMZ.
The related information can be found here: https://live.paloaltonetworks.com/message/16977#16977
We tested it manually by just entering wrong passwords quickly for the FTP server and after 10 attempts we were blocked from our own FTP server.
The config seemed to be working.
Last week had a real brute force attack on our FTP server in DMZ.
A total of 302 attempts were made in 13 seconds before it was blocked.
According to the documentation I've read it should be blocked after 10 attempts.
I can't find out why it was only blocked after 302 attempts and after 13 seconds.
If anyone could tell me why this happens I would very much appriciate it.
Thanks in advance,
Hans.
08-20-2012 03:40 PM
This is why continous tcpdump is nice to have 🙂
First I would verify if the srcip is the same for all 302 attempts.
Second I would guess they was sent with 100 or so concurrent connections which I guess could end up with an situation where more attempts has passed through before the srcip was cut off totally.
I mean the attack was not (just guessing):
connect
login
connect
login
...
but rather
connect
connect
connect
...
login
login
login
....
Edit: As a sidenote most FTP servers have such "anti-hammering" as a setting like filezilla among others which I guess might deal with this better than the FW.
Click Accept as Solution to acknowledge that the answer to your question has been provided.
The button appears next to the replies on topics you’ve started. The member who gave the solution and all future visitors to this topic will appreciate it!
These simple actions take just seconds of your time, but go a long way in showing appreciation for community members and the LIVEcommunity as a whole!
The LIVEcommunity thanks you for your participation!
