I wonder if you hit one of the thresholds.... i.e. more than 20 queries running or pool threads ran out or something along those lines. That is an area I always wanted to dig into and test well and never had a chance.

joe

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Robbie Allen (rallen)
Sent: Thursday, December 11, 2003 6:48 PM
To: [EMAIL PROTECTED]
Subject: RE: AD as a possible target of attack? RE: [ActiveDir] Virus software on DC

Neither that I recall. CPU was around 30-40%. In my experience it is not uncommon to see occasional LDAP errors when the CPU reaches that level on DCs (at least with W2K).

Robbie Allen

> -----Original Message-----
> From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Gil Kirkpatrick
> Sent: Thursday, December 11, 2003 6:37 PM
> To: '[EMAIL PROTECTED]'
> Subject: RE: AD as a possible target of attack? RE: [ActiveDir] Virus software on DC
>
> I usually have to run about 10 authentication threads on each of 5 machines to get the CPU over 50% on my 1GHz P3 server. Of course the DIT is essentially empty. I suppose that having them issue some complex query over a large DIT would alter that picture substantially.
>
> That's interesting that clients were getting intermittent errors even though the CPU wasn't pegged. Was the disk or network saturated?
>
> -g
>
> -----Original Message-----
> From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Robbie Allen (rallen)
> Sent: Thursday, December 11, 2003 4:00 PM
> To: [EMAIL PROTECTED]
> Subject: RE: AD as a possible target of attack? RE: [ActiveDir] Virus software on DC
>
> I don't think it would take all that many clients if they used a threaded app that spawned a bunch of simultaneous sessions to different DCs. Heck, I've seen a single client cause the number of queries per second on a DC to go from 80 to ~1000 for a 30 minute span. Now this didn't cause the CPU to spike greatly, but it did cause other clients using that DC to get intermittent AD/LDAP errors.
>
> As far as denying IPs, that was available in W2K, but it was removed (at least from ntdsutil) in W2K3. I was told that it wouldn't be supported anymore in W2K3 (I haven't tested to see if it works still). That would be unfortunate if it isn't supported.
>
> Robbie Allen
>
> > -----Original Message-----
> > From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Gil Kirkpatrick
> > Sent: Thursday, December 11, 2003 5:38 PM
> > To: '[EMAIL PROTECTED]'
> > Subject: RE: AD as a possible target of attack? RE: [ActiveDir] Virus software on DC
> >
> > The problem with the built-in security model is that in most environments it's easy to get around it by using one of the various LocalSystem escalations on the DC. All of a sudden the ACLs are meaningless, and AD will happily replicate the corrupted data for you.
> >
> > It's hard to do a system-wide denial-of-service by flooding the DCs with queries (I assume this is what you were talking about) because of the number of clients you would have to bring to bear. It takes a lot of clients to generate enough traffic to kill a DC, and a lot more to kill all the DCs in the system. And if the clients are connected to the DCs via slower WAN links, it's probably impossible.
> >
> > You can disable anonymous queries (already done by default in W2K3), and you can configure IP addresses to deny connections from, but I don't know of a way to limit the number of LDAP queries per second. Sounds like a cool feature.
> >
> > -gil
> >
> > -----Original Message-----
> > From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Roger Seielstad
> > Sent: Thursday, December 11, 2003 2:36 PM
> > To: '[EMAIL PROTECTED]'
> > Subject: RE: AD as a possible target of attack? RE: [ActiveDir] Virus software on DC
> >
> > I'm not as worried about malicious, entry-changing attacks due to the built-in security model. It's cake and pie to do a denial of service attack against an LDAP system. Add to that a simple DNS query to find all the DCs, and the whole domain drops like a lead-filled balloon.
> >
> > Is there a way to limit the number of LDAP queries per second on a DC, at least from a specific source address?
> >
> > Roger
> > --------------------------------------------------------------
> > Roger D. Seielstad - MTS MCSE MS-MVP
> > Sr. Systems Administrator
> > Inovis Inc.
> >
> > > -----Original Message-----
> > > From: GRILLENMEIER,GUIDO (HP-Germany,ex1) [mailto:[EMAIL PROTECTED]]
> > > Sent: Thursday, December 11, 2003 4:14 PM
> > > To: [EMAIL PROTECTED]
> > > Subject: RE: AD as a possible target of attack? RE: [ActiveDir] Virus software on DC
> > >
> > > I don't even think you have to restrict the AD-related virus issue to the file system.
> > >
> > > Something that your AV tools won't help you with is a "virus" that simply runs malicious LDAP queries - i.e. changing all kinds of attributes on objects in AD or even deleting a whole lot of objects at once... Obviously this virus would only be harmful for users with appropriate permissions on the AD objects.
> > >
> > > Again, AD will ensure that these malicious changes are replicated to all DCs and you could end up with quite a disaster which is certainly not very easy to recover from.
> > >
> > > /Guido
> > >
> > > -----Original Message-----
> > > From: Tony Murray [mailto:[EMAIL PROTECTED]]
> > > Sent: Thursday, 11 December 2003 14:55
> > > To: [EMAIL PROTECTED]
> > > Subject: Re: AD as a possible target of attack? RE: [ActiveDir] Virus software on DC
> > >
> > > > DO scan your DCs and reconsider excluding things like the Sysvol
> > >
> > > I fully agree with you here, John. I have seen for myself how good FRS is at distributing viruses throughout the infrastructure in a short period of time!! Some of the major AV vendors previously had products that caused problems when scanning SYSVOL, but the recent offerings have resolved this.
> > > Bottom line: there is no good reason not to include SYSVOL (as long as you've checked with your AV vendor first).
> > >
> > > Tony
> > >
> > > ---------- Original Message ----------------------------------
> > > From: [EMAIL PROTECTED]
> > > Reply-To: [EMAIL PROTECTED]
> > > Date: Wed, 10 Dec 2003 23:18:52 +0100
> > >
> > > I totally agree with all the guys out there that urge you to scan your DCs!!! I've been thinking about this issue for some time and I've come to the conclusion that Active Directory would be THE IDEAL target for a virus attack. The robustness of AD replication makes it the ideal distribution mechanism for viruses. Hey ... distributing viruses by mail is ancient technology ;-). Why not use the intense integration of Exchange 2000+ and AD to transport a virus from Exchange to AD?
> > >
> > > No guys... I'm very serious! DO scan your DCs and reconsider excluding things like the Sysvol because this is another possible target for the sick minds out there that like to screw up enterprise environments! It's only a matter of time before the first AD virus is a fact of life we have to deal with!
> > >
> > > So go out and check (before you go to bed) whether or not dat-file updates are really succeeding ;-).
> > >
> > > Cheers!
> > > John
> > >
> > > -----Original Message-----
> > > From: [EMAIL PROTECTED]
> > > To: [EMAIL PROTECTED]
> > > Sent: 10-12-2003 18:07
> > > Subject: RE: [ActiveDir] Virus software on DC
> > >
> > > Sorry, I have to throw in my two cents. I exclude the sysvol/sysvol folder and sub-folders, but run the real-time scanner on everything else. These two folders deal with replication and are too volatile to play with.
> > >
> > > S
> > >
> > > *****************************************
> > > Steve Shaff
> > > Active Directory / Exchange Administrator
> > > Corillian Corporation
> > > (W) 503.629.3538 (C) 503.807.4797 (F) 503.629.3674
> > >
> > > -----Original Message-----
> > > From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Burkes, Jeremy [contractor]
> > > Sent: Wednesday, December 10, 2003 8:52 AM
> > > To: [EMAIL PROTECTED]
> > > Subject: RE: [ActiveDir] Virus software on DC
> > >
> > > Same here, never had any problems either.
> > >
> > > Jeremy
> > >
> > > -----Original Message-----
> > > From: [EMAIL PROTECTED]
> > > Sent: Wednesday, December 10, 2003 11:47 AM
> > > To: [EMAIL PROTECTED]
> > > Subject: RE: [ActiveDir] Virus software on DC
> > >
> > > We run Symantec AV corporate edition and don't exclude any directories. We haven't had any problems related to AV software......
> > >
> > > -----Original Message-----
> > > From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Free, Bob
> > > Sent: Wednesday, December 10, 2003 11:42 AM
> > > To: [EMAIL PROTECTED]
> > > Subject: RE: [ActiveDir] Virus software on DC
> > >
> > > > What directories should I not be scanning?
> > >
> > > We use the exclusions in this list-
> > >
> > > 822158 - Virus Scanning Recommendations on a Windows 2000 Domain Controller:
> > > http://support.microsoft.com/default.aspx?scid=kb;en-us;822158
> > >
> > > ________________________________
> > > From: [EMAIL PROTECTED]
> > > Sent: Wednesday, December 10, 2003 8:30 AM
> > > To: [EMAIL PROTECTED]
> > > Subject: RE: [ActiveDir] Virus software on DC
> > >
> > > We run Trend here. Never have run into any issues and we are using the realtime scan. Just out of curiosity though, I am scanning all except for a few select dirs. What directories should I not be scanning?
> > >
> > > John Parker, MCSE
> > > IS Admin.
> > > Senior Technical Specialist
> > > Alpha Display Systems.
> > >
> > > Alpha Video
> > > 7711 Computer Ave.
> > > Edina, MN. 55435
> > >
> > > 952-896-9898 Local
> > > 800-388-0008 Watts
> > > 952-896-9899 Fax
> > > 612-804-8769 Cell
> > > 952-841-3327 Direct
> > >
> > > [EMAIL PROTECTED]
> > > "Be excellent to each other"
> > > ---End of Line---
> > >
> > > -----Original Message-----
> > > From: [EMAIL PROTECTED]
> > > Sent: Wednesday, December 10, 2003 10:24 AM
> > > To: [EMAIL PROTECTED]
> > > Subject: RE: [ActiveDir] Virus software on DC
> > >
> > > I do, but I exclude the AD files, and I do not have real-time scanning enabled, just periodic scheduled scans. Does not seem to cause any problems.
> > >
> > > <mc>
> > >
> > > -----Original Message-----
> > > From: [EMAIL PROTECTED]
> > > Sent: Wednesday, December 10, 2003 11:17 AM
> > > To: [EMAIL PROTECTED]
> > > Subject: [ActiveDir] Virus software on DC
> > >
> > > This may be a dumb question, but do you guys have virus scanning software on your DCs? I have been confused if the virus scanner slows the machine down or not. Thanks

List info : http://www.activedir.org/mail_list.htm
List FAQ : http://www.activedir.org/list_faq.htm
List archive: http://www.mail-archive.com/activedir%40mail.activedir.org/
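Roger asks whether a DC can limit LDAP queries per second from a given source, and Gil and Robbie note that nothing on the DC side does this (the W2K3 ntdsutil IP deny list aside). The script below is an added example, not code from any participant in this thread: it shows the per-client rate check done on the monitoring side instead, bucketing LDAP operation log lines per second and per client and flagging any client whose rate exceeds a threshold. The constructed sample log reproduces the pattern Robbie describes, a steady ~80 queries per second baseline that jumps to ~1000 while one client floods the DC. The log line format, the client addresses, and the 200 qps threshold are all assumptions; real DC diagnostic output would need its own parser.

```python
"""Per-client LDAP query-rate detector over constructed sample log lines.

Added example for the ActiveDir thread on LDAP query floods; not code from
any list member. The one-line-per-operation log format with an ISO-8601
timestamp and a client address is an assumption for illustration.
"""
import re
from collections import Counter
from datetime import datetime, timedelta

# Assumed log format: "<ISO timestamp> client=<address> op=<operation>"
LINE_RE = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2}T\d{2}:\d{2}:\d{2}) client=(?P<client>\S+) op=(?P<op>\S+)"
)


def parse_line(line):
    """Return (timestamp, client, op) for a well-formed line, else None."""
    m = LINE_RE.match(line)
    if not m:
        return None
    return datetime.fromisoformat(m.group("ts")), m.group("client"), m.group("op")


def make_sample_log():
    """Constructed sample log (not real DC output).

    20 workstations each issue 4 searches per second for six seconds, which
    gives an 80 qps baseline; one extra client (10.9.9.99) adds 900 searches
    per second during seconds 2 and 3, so the DC total peaks near 1000 qps.
    """
    start = datetime(2003, 12, 11, 16, 0, 0)
    lines = []
    for sec in range(6):
        ts = (start + timedelta(seconds=sec)).isoformat()
        for host in range(20):
            lines.extend(f"{ts} client=10.1.1.{host + 10} op=search" for _ in range(4))
        if sec in (2, 3):
            lines.extend(f"{ts} client=10.9.9.99 op=search" for _ in range(900))
    lines.append("malformed line that the parser must skip")
    return lines


def queries_per_second(lines):
    """Count operations per (second, client) and per second for the whole DC."""
    per_client = Counter()
    total = Counter()
    for line in lines:
        parsed = parse_line(line)
        if parsed is None:
            continue  # skip lines that do not match the assumed format
        ts, client, _op = parsed
        bucket = ts.replace(microsecond=0)
        per_client[(bucket, client)] += 1
        total[bucket] += 1
    return per_client, total


def flag_clients(lines, threshold_qps=200):
    """Sorted (client, second, count) tuples for clients above the threshold."""
    per_client, _ = queries_per_second(lines)
    return sorted(
        (client, bucket.isoformat(), n)
        for (bucket, client), n in per_client.items()
        if n > threshold_qps
    )


def baseline_total_qps(lines):
    """Lowest whole-DC operations-per-second seen in the log."""
    _, total = queries_per_second(lines)
    return min(total.values()) if total else 0


def peak_total_qps(lines):
    """Highest whole-DC operations-per-second seen in the log."""
    _, total = queries_per_second(lines)
    return max(total.values()) if total else 0


if __name__ == "__main__":
    log = make_sample_log()
    print("DC qps baseline/peak:", baseline_total_qps(log), peak_total_qps(log))
    for client, second, n in flag_clients(log):
        print(f"{client} issued {n} ops during {second}")
```

The per-client bucket is what makes the flood visible: the DC-wide counter only shows that load jumped, while the per-client counter names the one source responsible, which is the information an operator needs before deciding whether to block that address upstream of the DC.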
