Tuesday, August 14, 2007

Firewall log: LDAP.Request.DoS

We keep seeing this in our firewall logs. The packets are going from our DMZ server to our primary domain controller. What I'm not sure is if this is an active attack, or, is there something mis-configured on the DMZ server that triggers a false positive?
From: FortiLog-100A(
Trigger Name: Attack Log Warning
Log type: attack log
Alert Severity: High
Triggered Threshold: More than 1 event occured in the last 0.5 hour.
Source Device: Local FortiAnalyzer[Hostname:FortiLog-100A IP:]
Last Raw Message:
itime=1187120433 date=2007-08-14 time=15:42:40 devname=Fortigate-200A device_id=FG200A2105401280 log_id=0419070000 type=ips subtype=signature pri=alert vd=root serial=1945370 attack_id=14770 severity=critical src= dst= src_port=55845 dst_port=389 src_int=dmz1 dst_int=internal status=detected proto=6 service=389/tcp user=N/A group=N/A ref="http://www.fortinet.com/ids/ID14770" msg="operating_system: MS.Windows.Active.Directory.LDAP.Request.DoS

We get quite a few of these. Because of the frequency, I seem to think that they are malicious in nature. The knowledge base says the attack is against a Windows 2000 vulnerability. Our servers are Windows 2003. If anyone has seen this and has any insight, I would love to hear from you.

No comments:

Post a Comment