Schannel 36888 10/1203 Error - possible attack vector or sweep issue


  • Windows Server 2008 R2 IIS

    This problem has the signs of a denial-of-service attack. Two machines (Hyper-V virtuals) here with HTTPS are getting these errors; they are matched with forward audits on 443 from my Smoothwall firewall and the event log errors.

    On at least one occasion the web server has HUNG (virtual) and required a hammer reset.

    I have removed HTTPS bindings wherever possible and tightened the firewall.

    The progenitor of the attack is

    10:49:05 External green TCP  4454  443(HTTPS)
    10:49:06 External green TCP  2485  443(HTTPS)
    11:15:53 External green TCP  1303  443(HTTPS)
    11:15:53 External green TCP  1310  443(HTTPS)
    11:15:53 External green TCP  1341  443(HTTPS)
    11:30:20 External green TCP  4124  443(HTTPS)

    Each of these is matched with an event log Schannel 36888 10/1203 entry on the end server. Here is

    Log Name:      System
    Source:        Schannel
    Date:          17/08/2010 11:15:54 AM
    Event ID:      36888
    Task Category: None
    Level:         Error
    User:          SYSTEM
    Computer:      zzzzzzzzzzzzzzzzzzzzzzzzzzz
    The following fatal alert was generated: 10. The internal error state is 1203.

    There is no log entry in the IIS log for the site....

    I am certain that, as one of the machines HUNG at 11:30-ish yesterday and these errors are the last thing in the log before restart, something is cooking on an exploit.

    Since blocking that particular IP the errors have stopped, although the firewall continues to log its visits.

    Wednesday, August 18, 2010 9:47 PM
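
The manual matching described in the post, firewall forwards to 443 against Schannel 36888 timestamps, can be scripted. This is an added example, not part of the original post; the two-second window, the function names, the assumption that the firewall lines are from the same day as the event, and every event timestamp except 11:15:54 AM are constructed for illustration.

```python
import re
from datetime import date, datetime, timedelta

# Firewall lines as quoted in the post (the source address is absent there).
FIREWALL_LOG = """\
10:49:05 External green TCP  4454  443(HTTPS)
10:49:06 External green TCP  2485  443(HTTPS)
11:15:53 External green TCP  1303  443(HTTPS)
11:15:53 External green TCP  1310  443(HTTPS)
11:15:53 External green TCP  1341  443(HTTPS)
11:30:20 External green TCP  4124  443(HTTPS)
"""

# Schannel 36888 "Date:" values. The second is from the post; the others are constructed.
# TLS alert 10 is unexpected_message: the peer sent something invalid for the handshake state.
SCHANNEL_EVENTS = ["17/08/2010 10:49:06 AM", "17/08/2010 11:15:54 AM", "17/08/2010 02:05:10 PM"]
DAY = date(2010, 8, 17)  # assumption: firewall lines are from the same day as the event
FW_LINE = re.compile(r"^(\d{2}:\d{2}:\d{2})\s+\S+\s+\S+\s+TCP\s+(\d+)\s+443\(HTTPS\)$")

def parse_firewall(text, day):
    """Return (datetime, source_port) for each forwarded connection to 443."""
    hits = []
    for line in text.splitlines():
        m = FW_LINE.match(line.strip())
        if m:
            t = datetime.strptime(m.group(1), "%H:%M:%S").time()
            hits.append((datetime.combine(day, t), int(m.group(2))))
    return hits

def correlate(events, hits, window=timedelta(seconds=2)):
    """Map each event timestamp to the source ports of connections within the window."""
    result = {}
    for stamp in events:
        when = datetime.strptime(stamp, "%d/%m/%Y %I:%M:%S %p")
        result[stamp] = [port for ts, port in hits if abs(when - ts) <= window]
    return result

def unmatched_hits(events, hits, window=timedelta(seconds=2)):
    """Firewall connections that have no Schannel error within the window."""
    times = [datetime.strptime(s, "%d/%m/%Y %I:%M:%S %p") for s in events]
    return [(ts, port) for ts, port in hits if not any(abs(t - ts) <= window for t in times)]

if __name__ == "__main__":
    hits = parse_firewall(FIREWALL_LOG, DAY)
    for stamp, ports in correlate(SCHANNEL_EVENTS, hits).items():
        print(stamp, "->", ports or "no firewall match")
    print("unmatched:", unmatched_hits(SCHANNEL_EVENTS, hits))
```

An event with no firewall match points at traffic from another path (for example an internal client), and a firewall hit with no event is worth checking against the time the server stopped logging.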