RE: [ActiveDir] CSVDE/ADSI queries causing mini denial of service attacks

2002-12-08 Thread Robbie Allen
Hi Alan,

How would you define intensive?  I've not seen any way to do query-based
user-specific rate-limiting in AD.  The closest thing is the LDAP query
policy, but that is probably not what you were looking for (Q315071).
Object quotas are new as of .NET AD, but only apply to limiting the number
of objects created, not queried.

We've encountered this issue quite frequently as well.  A lot of vendors
tend to prefer sucking out data from AD and storing it locally in a DB as
opposed to doing real-time queries.  And even though there are a few
different ways to track changes in AD
(http://msdn.microsoft.com/library/default.asp?url=/library/en-us/netdir/ad/
overview_of_change_tracking_techniques.asp), each method has issues and most
find it easier to just do periodic dumps. 

Another issue on this front is simply identifying when clients are
performing these intensive queries.  We do real-time monitoring on the LDAP
and DS counters in the NTDS perfmon object and alert when they reach certain
thresholds (I can provide the thresholds if people are interested).  In some
cases we've had to resort to running netmon for extended periods of time to
track down the offender.  What I'd really like to see is a log of all LDAP
queries and parameters, client IP, query duration, and number of entries
returned.  Most other directory servers have this capability and it is
extremely helpful especially post-incident.  The LDAP Interface Events
diagnostics logging (Q220940) provides some of this data, but not all.  Here
is an example event:

Event Type: Information
Event Source:   NTDS LDAP
Event Category: LDAP Interface 
Event ID:   1139
Date:   12/8/2002
Time:   6:29:38 AM
User:   AD-VM\administrator
Computer:   AD-01
Description:
Internal event: Function ldap_search completed with an elapsed time of 20
ms. 

And of course you can always deny certain clients from querying AD by
setting the IP Deny List (via ntdsutil), but I doubt that is what you had in
mind.

Robbie Allen

 -Original Message-
 From: Isham, Alan A [mailto:[EMAIL PROTECTED]] 
 Sent: Friday, December 06, 2002 4:00 PM
 To: [EMAIL PROTECTED]
 Subject: [ActiveDir] CSVDE/ADSI queries causing mini denial of service attacks
 
 
 Background: In recent months, we have discovered (reactively) a number
 of customers who are content dumping the entire Workers OU (70,000+
 objects) at pretty frequent intervals, which is causing mini denial of
 service attacks on our domain controllers in small pipe locations.
 
 Has anyone limited access to their production Windows 2000 Active
 Directory forests to prevent users from running intensive CSVDE/ADSI
 queries against their domain controllers?  If so, how?  Through
 technology?  Through policy?  Both?
 
 --
 Alan A. Isham, IT Product Manager
 Messaging and Active Directory Engineering 
 Intel Corporation
 
 
 List info   : http://www.activedir.org/mail_list.htm
 List FAQ: http://www.activedir.org/list_faq.htm
 List archive: http://www.mail-archive.com/activedir%40mail.activedir.org/
 
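Robbie's point about event 1139 is that it gives you the elapsed time and the account, but no client IP or query parameters, so the best you can do from that log is aggregate per account and alert on slow or unusually frequent searches. The script below is an added example, not something from the thread: it parses event records in the layout Robbie quoted, pulls out the function name and elapsed time from the wrapped Description text, and reports accounts whose searches exceed a per-call or per-sample threshold. The sample records are constructed for the example (the first is the one from the post; the svc-hrsync account and its durations are made up), and the thresholds are arbitrary placeholders to be tuned against your own baseline.

```python
import re
from collections import defaultdict
from dataclasses import dataclass

# Constructed sample: three NTDS LDAP event 1139 records in the layout quoted in the post.
# The first record is the one from the post; the svc-hrsync account and its timings are invented.
SAMPLE_EVENTS = """\
Event Type: Information
Event Source:   NTDS LDAP
Event Category: LDAP Interface
Event ID:   1139
Date:   12/8/2002
Time:   6:29:38 AM
User:   AD-VM\\administrator
Computer:   AD-01
Description:
Internal event: Function ldap_search completed with an elapsed time of 20
ms.

Event Type: Information
Event Source:   NTDS LDAP
Event Category: LDAP Interface
Event ID:   1139
Date:   12/8/2002
Time:   6:31:02 AM
User:   AD-VM\\svc-hrsync
Computer:   AD-01
Description:
Internal event: Function ldap_search completed with an elapsed time of 4500
ms.

Event Type: Information
Event Source:   NTDS LDAP
Event Category: LDAP Interface
Event ID:   1139
Date:   12/8/2002
Time:   6:31:09 AM
User:   AD-VM\\svc-hrsync
Computer:   AD-01
Description:
Internal event: Function ldap_search completed with an elapsed time of 3900
ms.
"""

# The Description text wraps mid-sentence, so allow any whitespace before "ms".
ELAPSED_RE = re.compile(r"Function (\w+) completed with an elapsed time of (\d+)\s*ms")


@dataclass(frozen=True)
class LdapEvent:
    time: str
    user: str
    computer: str
    function: str
    elapsed_ms: int


def parse_events(text):
    """Split the exported event text into records and extract the fields we alert on."""
    events = []
    for record in re.split(r"\n\s*\n", text.strip()):
        fields, description, in_description = {}, [], False
        for line in record.splitlines():
            if in_description:
                description.append(line.strip())
            elif line.startswith("Description:"):
                in_description = True
            elif ":" in line:
                key, _, value = line.partition(":")
                fields[key.strip()] = value.strip()
        if fields.get("Event ID") != "1139":
            continue  # only the LDAP Interface timing event carries an elapsed time
        match = ELAPSED_RE.search(" ".join(description))
        if not match:
            continue
        events.append(LdapEvent(fields.get("Time", ""), fields.get("User", ""),
                                fields.get("Computer", ""), match.group(1), int(match.group(2))))
    return events


def summarize_by_user(events):
    """Per-account call count, total elapsed time and worst single call."""
    summary = defaultdict(lambda: {"calls": 0, "total_ms": 0, "max_ms": 0})
    for ev in events:
        s = summary[ev.user]
        s["calls"] += 1
        s["total_ms"] += ev.elapsed_ms
        s["max_ms"] = max(s["max_ms"], ev.elapsed_ms)
    return dict(summary)


def find_offenders(events, slow_ms=2000, max_calls=50):
    """Accounts with a single search slower than slow_ms, or more than max_calls searches.
    Both thresholds are placeholders; tune them against your own perfmon baseline."""
    return {user: s for user, s in summarize_by_user(events).items()
            if s["max_ms"] > slow_ms or s["calls"] > max_calls}


if __name__ == "__main__":
    for user, s in find_offenders(parse_events(SAMPLE_EVENTS)).items():
        print(f"{user}: {s['calls']} searches, worst {s['max_ms']} ms, total {s['total_ms']} ms")
```

Because 1139 only fires when LDAP Interface Events diagnostics are raised (Q220940), run this against an export from a DC where that level is set; the per-account view tells you which service account to chase, and netmon on that DC narrows it to the client, which is exactly the gap in the event Robbie describes.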



RE: [ActiveDir] Manual Refresh of GPO on local computer

2002-12-08 Thread Todd Povilaitis
I do know this about FR CSEs: they are tied to the user's profile, perhaps in 
application data.  As a last resort, you could delete the user's profile.  Upon log 
in, a new default profile is generated, WITHOUT folder redirection...

-Original Message- 
From: Todd Povilaitis 
Sent: Fri 12/6/2002 2:04 PM 
To: [EMAIL PROTECTED] 
Cc: 
Subject: RE: [ActiveDir] Manual Refresh of GPO on local computer



SECEDIT does not apply to Folder Redirection CSEs.  We have delayed our rollout 
of folder redirection policy here due to situations like yours in our test environment 
and no clearly defined tools for rectifying these kinds of issues.


-Original Message-
From: Dave Kinnamon [mailto:[EMAIL PROTECTED]]
Sent: Friday, December 06, 2002 13:51
To: '[EMAIL PROTECTED]'
Subject: RE: [ActiveDir] Manual Refresh of GPO on local computer


http://support.microsoft.com/default.aspx?scid=kb;en-us;Q227302

Using SECEDIT to Force a GP Refresh Immediately





-Original Message-
From: Christopher Hummert [mailto:[EMAIL PROTECTED]]
Sent: Friday, December 06, 2002 3:47 PM
To: [EMAIL PROTECTED]
Subject: [ActiveDir] Manual Refresh of GPO on local computer


I've changed the folder redirection on our group policy but I have a
local computer that seems like it doesn't want to accept the changes. Is
there a way to make it manually refresh the changes?

-Chris

List info   : http://www.activedir.org/mail_list.htm
List FAQ: http://www.activedir.org/list_faq.htm
List archive: http://www.mail-archive.com/activedir%40mail.activedir.org/