This problem has the signs of a Denial of service attack. Two machines (hyper-v virtuals) here with Https are getting these errors, they are matched with Forward audits on 443 from my smoothwall firewall and the event log errors
On at least one occasion the web server has HUNG (virtual) and required hammer reset.
I have removed HTTPs bindings wherever possible and tightened the firewall
the progenitor of the attack is 184.108.40.206
10:49:05 External green TCP 220.127.116.11 4454 192.168.0.192 443(HTTPS)
10:49:06 External green TCP 18.104.22.168 2485 192.168.0.203 443(HTTPS)
11:15:53 External green TCP 22.214.171.124 1303 192.168.0.203 443(HTTPS)
11:15:53 External green TCP 126.96.36.199 1310 192.168.0.176 443(HTTPS)
11:15:53 External green TCP 188.8.131.52 1341 192.168.0.192 443(HTTPS)
11:30:20 External green TCP 184.108.40.206 4124 192.168.0.203 443(HTTPS)
each of these is matched with an eventlog Schannel 36888 10/1203 entry on the end server. here is 192.168.0.192.
Log Name: System
Date: 17/08/2010 11:15:54 AM
Event ID: 36888
Task Category: None
The following fatal alert was generated: 10. The internal error state is 1203.
there is no log entry in the IIS log for the site....
I am certain that as one of the machines HUNG at 11:30 ish yesterday and these errors are the last thing in the log before re-start that something is cooking on an exploit.
since blocking that particular IP the errors have stopped although the firewall continues to log its visits
Microsoft is conducting an online survey to understand your opinion of the Technet Web site. If you choose to participate, the online survey will be presented to you when you leave the Technet Web site.