Lsass.exe sending excessive data outside the local network

    Question

  • Just this morning I noticed a huge lag on my internet connection at my work network. After rebooting the modem, which did not help, I investigated the server.

    lsass.exe was sending massive data outbound only, upwards of 8Mb/second, to different IP addresses; one resolved back to france.protection-ddos.com.

    I have not had any server setting changes in months. I haven't even logged on to the server in months; it's been doing its job as it should with no interference, until this.

    I updated my virus database and am doing a full scan now. To update my virus database I tethered my phone to the server for an internet connection. The lsass data did not start on this connection, only on the LAN to cable modem connection. The scan is going to take hours, so I am leaving my network off the internet for the night and hoping the scanner finds something upon my return in the morning.

    Obviously I can't kill lsass, so I have isolated the network temporarily. I'm assuming I've been compromised somehow.

    I don't know why/how lsass is sending such a large amount of data out of the network. Everything I googled is more about lsass.exe using a lot of CPU; mine is not, only outgoing network. And yes, it is LSASS.EXE, the same PID as the one doing the network authenticating.

    Any input would be appreciated.

    Stats:

    Windows Server 2012 Essentials; all 5 workstations are Windows 7.

    Tuesday, March 28, 2017 8:54 PM

All replies

  • First of all, a server should not have internet connectivity; it should be restricted to reach out only to the required ports outside, for example WSUS content from Microsoft.

    But still, it is only recommended to have a WSUS server rather than going directly out to the internet. What antivirus and malware solutions do you have on the server? Do you have support teams for the same?

    If you could explain more, it would be helpful.

    Tuesday, March 28, 2017 9:08 PM
  • Running Kaspersky Small Business Antivirus
    Wednesday, March 29, 2017 12:39 PM
  • Hi,
    Do you run the server and workstations in a domain environment? If yes, please check if you have created an AD trust with another domain; in some cases such a scenario can cause a similar issue.
    In addition, have you tried using Network Monitor or Wireshark to capture something which might be helpful for troubleshooting?
    Best regards, 
    Wendy

    Please remember to mark the replies as answers if they help.
    If you have feedback for TechNet Subscriber Support, contact tnmff@microsoft.com

    Monday, April 3, 2017 2:54 AM
    Moderator
  • Hi,

    I am checking how the issue is going, if you still have any questions, please feel free to contact us.

    And if the replies as above are helpful, we would appreciate you to mark them as answers, and if you resolve it using your own solution, please share your experience and solution here. It will be greatly helpful to others who have the same question.

    Appreciate for your feedback.

    Best regards,

    Wendy



    Friday, April 7, 2017 9:11 AM
    Moderator
  • Aaron, do you solve this problem?

    I have a similar problem. I used Local Security Policy to restrict the IPs which lsass.exe sends to. But when I restricted one IP, a different IP showed up to keep lsass.exe very busy sending. It seems a waste of time to restrict the IPs.

    If you solve the problem, please kindly post your solution. Thanks.

    • Edited by alinct Saturday, August 19, 2017 2:58 AM
    Saturday, August 19, 2017 2:53 AM
  • Aaron,

    Did you solve your problem?

    We are having the same problem on our 2012R2 server, and as we have a limited-bandwidth internet connection, it is using up all our bandwidth and causing ping response times of 2000 msec.

    Can't seem to find anything about this issue online

    Tuesday, September 19, 2017 6:57 PM
  • I have encountered the same issue. LSASS is querying the parent domain and all branches. We have had problems keeping it limited to our branch. 
    • Edited by Tim.DOC Friday, September 29, 2017 6:39 PM
    Friday, September 29, 2017 6:38 PM
  • We have the same problem. Windows server 2016. Can anyone help?
    Tuesday, July 10, 2018 2:50 PM
  • Hi. I had the same problem on a Windows Server 2012. Finally I could determine that it was a DDoS attack based on a vulnerability in the CLDAP protocol: port 389 UDP open on the public interface.

    Closed in the firewall and problem solved. 

    More information here: https://www.akamai.com/us/en/about/our-thinking/threat-advisories/connection-less-lightweight-directory-access-protocol-reflection-ddos-threat-advisory.jsp

    • Proposed as answer by Fabrice Durieu Sunday, February 3, 2019 1:15 PM
    Friday, September 21, 2018 8:42 PM
  • Hello, I have the same problem, and I have contained it:

    Go into the firewall, under inbound connections, right-click and open Properties on "Active Directory Domain Controller LDAP (UDP - In)". On the General tab, click "Allow the connection only if it is authorized", apply and click OK, enable the firewall, and you will see the outbound network traffic drop back to practically normal.

    Wednesday, October 24, 2018 9:09 AM
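
A scripted version of the checks and the fix described in the two replies above (Fabrice's "close UDP 389 on the public interface" and the French reply's edit of the built-in inbound rule), as an added example that is not from this thread or from Microsoft. It restricts the rule by remote address rather than by the IPsec "authorized only" option the French reply uses. Assumptions not stated in the thread: Windows Server 2012 R2 or later with the NetSecurity module, run as Administrator; the English display name of the built-in rule; and `$InternalRanges`, a placeholder for your own LAN ranges.

```powershell
# Added example (not the thread's or Microsoft's code): confirm that lsass.exe is
# answering CLDAP on UDP 389, check whether the built-in inbound rule exposes it to
# the Internet, and scope the rule to internal ranges only.
# Assumptions: Windows Server 2012 R2+, NetSecurity module, elevated session;
# the rule display name is the English name of the rule the French reply edits;
# $InternalRanges is a placeholder for your own LAN ranges.

$RuleName       = 'Active Directory Domain Controller - LDAP (UDP-In)'
$InternalRanges = @('LocalSubnet')   # placeholder; e.g. @('192.168.10.0/24', '10.0.0.0/8')

function Get-CldapListeners {
    # Which local UDP sockets on port 389 exist, and which process owns them?
    # On a domain controller this is lsass.exe, which is why the thread sees it "sending".
    netstat -ano -p UDP | Select-String ':389\s' | ForEach-Object {
        $f = ($_.Line -split '\s+') | Where-Object { $_ }      # UDP, local, foreign, PID
        [pscustomobject]@{
            LocalAddress = $f[1]
            OwningPid    = [int]$f[-1]
            Process      = (Get-Process -Id $f[-1] -ErrorAction SilentlyContinue).ProcessName
        }
    }
}

function Test-CldapRuleScope {
    # Reports the rule's current remote-address scope. ExposedToInternet is $true when
    # the rule accepts any remote address on the Public (or Any) profile, i.e. the
    # Internet-facing interface will answer CLDAP queries from anywhere.
    $rule = Get-NetFirewallRule -DisplayName $RuleName -ErrorAction Stop
    $filt = $rule | Get-NetFirewallAddressFilter
    $open = ($filt.RemoteAddress -contains 'Any') -and ("$($rule.Profile)" -match 'Public|Any')
    [pscustomobject]@{
        Rule              = $RuleName
        Enabled           = $rule.Enabled
        Profile           = $rule.Profile
        RemoteAddress     = $filt.RemoteAddress
        ExposedToInternet = $open
    }
}

function Set-CldapRuleScope {
    # Keep the rule enabled (domain members still need CLDAP for DC location) but only
    # for internal ranges, and make sure the Public profile is actually enforced.
    Set-NetFirewallRule -DisplayName $RuleName -RemoteAddress $InternalRanges -Enabled True
    Set-NetFirewallProfile -Profile Public -Enabled True
}

# --- usage ---
Get-CldapListeners   | Format-Table -AutoSize
Test-CldapRuleScope  | Format-List
if ((Test-CldapRuleScope).ExposedToInternet) {
    Set-CldapRuleScope
    Test-CldapRuleScope | Format-List   # RemoteAddress should now list only $InternalRanges
}
```

Run `Get-CldapListeners` first: if nothing on UDP 389 is owned by lsass.exe, the traffic in your case is something else and this rule is not the fix. After scoping, re-run the outbound bandwidth check from the original question; the reflection traffic should fall off within seconds because the server simply stops answering the spoofed queries.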