Schannel 36888 10/1203 Error - possible attack vector or sweep issue

    Question

  • Windows Server 2008 R2 IIS

    This problem has the signs of a denial-of-service attack. Two machines (Hyper-V virtuals) here with HTTPS are getting these errors; they are matched with Forward audits on 443 from my Smoothwall firewall and the event log errors.

    On at least one occasion the web server has HUNG (virtual) and required hammer reset.

    I have removed HTTPS bindings wherever possible and tightened the firewall.

    The progenitor of the attack is 213.71.31.241:

    10:49:05 External green TCP  213.71.31.241  4454  192.168.0.192  443(HTTPS)
    10:49:06 External green TCP  213.71.31.241  2485  192.168.0.203  443(HTTPS)
    11:15:53 External green TCP  213.71.31.241  1303  192.168.0.203  443(HTTPS)
    11:15:53 External green TCP  213.71.31.241  1310  192.168.0.176  443(HTTPS)
    11:15:53 External green TCP  213.71.31.241  1341  192.168.0.192  443(HTTPS)
    11:30:20 External green TCP  213.71.31.241  4124  192.168.0.203  443(HTTPS)

    Each of these is matched with an event log Schannel 36888 10/1203 entry on the end server. Here is 192.168.0.192:

    Log Name:      System
    Source:        Schannel
    Date:          17/08/2010 11:15:54 AM
    Event ID:      36888
    Task Category: None
    Level:         Error
    Keywords:     
    User:          SYSTEM
    Computer:      zzzzzzzzzzzzzzzzzzzzzzzzzzz
    Description:
    The following fatal alert was generated: 10. The internal error state is 1203.

    There is no log entry in the IIS log for the site....

    I am certain that, as one of the machines HUNG at 11:30 ish yesterday and these errors are the last thing in the log before re-start, something is cooking on an exploit.

    Since blocking that particular IP the errors have stopped, although the firewall continues to log its visits.


    Jimbo
    Wednesday, August 18, 2010 9:47 PM
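
The correlation described in the question, as an added example that is not part of the original post: it pairs the quoted Schannel 36888 event with firewall forwards to the same host on 443 and flags bursts where one source reaches several internal hosts at once. The function names, the 2-second window and the assumption that the firewall lines share the event's date (17/08/2010) are choices made for this example.

```python
import re
from datetime import datetime
# Forward audits as quoted in the post (no date given; 17/08/2010 is assumed).
FIREWALL_LOG = """\
10:49:05 External green TCP  213.71.31.241  4454  192.168.0.192  443(HTTPS)
10:49:06 External green TCP  213.71.31.241  2485  192.168.0.203  443(HTTPS)
11:15:53 External green TCP  213.71.31.241  1303  192.168.0.203  443(HTTPS)
11:15:53 External green TCP  213.71.31.241  1310  192.168.0.176  443(HTTPS)
11:15:53 External green TCP  213.71.31.241  1341  192.168.0.192  443(HTTPS)
11:30:20 External green TCP  213.71.31.241  4124  192.168.0.203  443(HTTPS)
"""
SCHANNEL_EVENTS = [("192.168.0.192", "17/08/2010 11:15:54 AM")]  # from the post
LINE = re.compile(r"(\d\d:\d\d:\d\d)\s+\S+\s+\S+\s+TCP\s+(\S+)\s+\d+\s+(\S+)\s+(\d+)\(")

def parse_firewall(text, day="17/08/2010"):
    """Return (timestamp, source IP, destination IP, destination port) tuples."""
    rows = []
    for line in text.splitlines():
        m = LINE.match(line.strip())
        if m:  # skip anything that is not a forward-audit line
            ts = datetime.strptime(f"{day} {m.group(1)}", "%d/%m/%Y %H:%M:%S")
            rows.append((ts, m.group(2), m.group(3), int(m.group(4))))
    return rows

def correlate(rows, events, window_s=2):
    """Map each Schannel event to sources forwarded to that host on 443 within window_s."""
    result = {}
    for host, stamp in events:
        when = datetime.strptime(stamp, "%d/%m/%Y %I:%M:%S %p")
        result[(host, stamp)] = sorted({
            src for ts, src, dst, port in rows if dst == host and port == 443
            and abs((ts - when).total_seconds()) <= window_s})
    return result

def sweeps(rows, window_s=2, min_hosts=2):
    """Find bursts where one source reaches min_hosts or more hosts within window_s."""
    found, by_src = [], {}
    for row in sorted(rows):
        by_src.setdefault(row[1], []).append(row)
    for src, hits in by_src.items():
        burst = [hits[0]]
        for row in hits[1:] + [None]:  # the trailing None flushes the last burst
            if row and (row[0] - burst[-1][0]).total_seconds() <= window_s:
                burst.append(row)
                continue
            hosts = sorted({dst for _, _, dst, _ in burst})
            if len(hosts) >= min_hosts:
                found.append((src, burst[0][0].strftime("%H:%M:%S"), hosts))
            burst = [row]
    return found
```

On the quoted data, `correlate` ties the 11:15:54 event on 192.168.0.192 to the forward one second earlier, and `sweeps` reports the 10:49 and 11:15 bursts as multi-host contacts from the same source.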

Answers