ActiveDirSec.Org

TOPIC: Denial of Service Attack on Active Directory by flooding the Event Logs


Member

Posts: 17
Date: May 31, 2011


Hi again. I was wondering if anyone has had to deal with a denial-of-service (DoS) attack on their Active Directory involving a deliberately programmed execution of events that would cause the event logs to fill up completely and starve the DC of disk space.

Yes, I know it could be mitigated by setting an upper bound on the size taken up by the security and event logs, but I wanted to know if anyone has experienced it.

We're currently reviewing our auditing settings to try to manage the amount of data generated, even in the face of such a planned, programmatic attempt.

If you have experienced such an issue, kindly little-R or feel free to share here.

Thanks.



__________________

I’m sorry, but having a DB9 on the drive and not driving it is a bit like having Keira Knightley in your bed and sleeping on the couch.



Member

Posts: 9
Date: Jun 16, 2011


Hello Mate,

Yup, I've had to deal with a situation like this. We had a disgruntled insider who scripted an attribute modification on an entire OU of accounts that he somehow found he had rights to modify, and it so happened that we had enabled auditing for the modification of that attribute on user accounts.

Sure enough, by the morning, our disks were entirely depleted of disk space, and we had a situation where users could not log in (DoS). To make a long story short, it was a bad day and we made sure that this would never happen again.

We learnt that there are four ways in which you can prevent something like this from happening -

1. Make sure you have large disks and that you always have a reserve file in place which can be deleted to free up space should it come to this point.

2. Have some sort of alerting mechanism in place, so you can be informed if a large number of events are being generated in a short amount of time.

3. Make sure you've reviewed your auditing settings and that you've only configured auditing for the occurrence of a small set of administrative tasks.

AND, most importantly, although not as apparent,...

4. Make sure you know exactly who can perform these tasks to begin with!

Believe it or not, #4 has been SO valuable, because, say for example, if you already know that only 10 people in the company can reset passwords, you can sleep SO much better, than if you have no idea and you're hoping that only a small number of people in your 1,000 user company can reset passwords!

We've actually put all these measures in place, and we all sleep so much better.

- Matt



-- Edited by Matthew on Thursday 16th of June 2011 01:11:52 AM

__________________

Go Aussie!
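Matt's measures #1 and #2 (a bounded log plus a deletable reserve of disk, and an alert when events pile up quickly) can both be scripted. The following is an added example written for this thread; it is not code from any of the posters. It assumes an elevated Windows PowerShell session on a domain controller, and the sizes, the threshold, the reserve-file path and the choice of event ID 5136 ("A directory service object was modified", the event the attribute-write auditing described in this thread produces) are illustrative assumptions to be tuned to your own baseline.

```powershell
# Added example for this thread, not code from the original posts.
# Run in an elevated Windows PowerShell session on (or against) a domain controller.
# Sizes, thresholds, the event ID and the reserve-file path are illustrative assumptions.

# Measure 1: bound the Security log and keep a deletable reserve of disk space.
# OverwriteAsNeeded (circular logging) drops the oldest events instead of letting the
# log fill up. Caveat: if "Audit: Shut down system immediately if unable to log
# security audits" (CrashOnAuditFail) is enabled, a full Security log halts the DC,
# which turns a log flood into a worse outage than a full disk.
Limit-EventLog -LogName Security -MaximumSize 1GB -OverflowAction OverwriteAsNeeded
# Equivalent with the built-in tool:  wevtutil sl Security /ms:1073741824 /rt:false
# A pre-allocated file that can be deleted in an emergency to free space quickly:
#   fsutil file createnew D:\reserve\emergency-space.bin 2147483648

# Measure 2: alert when many audit events arrive in a short window, and name the actor.
function Get-EventBurst {
    param(
        [int]$EventId = 5136,                 # 5136 = "A directory service object was modified"
        [int]$WindowMinutes = 5,
        [int]$Threshold = 1000,               # assumed tolerable count per window; tune to baseline
        [string]$ComputerName = $env:COMPUTERNAME
    )
    $since = (Get-Date).AddMinutes(-$WindowMinutes)
    # Get-WinEvent raises a non-terminating error when nothing matches; treat that as zero events
    $events = @(Get-WinEvent -ComputerName $ComputerName -ErrorAction SilentlyContinue -FilterHashtable @{
        LogName = 'Security'; Id = $EventId; StartTime = $since
    })
    # Pull SubjectUserName out of each event's XML so the alert says who generated the volume
    $topSubjects = $events | ForEach-Object {
        $xml = [xml]$_.ToXml()
        ($xml.Event.EventData.Data | Where-Object { $_.Name -eq 'SubjectUserName' }).'#text'
    } | Group-Object | Sort-Object Count -Descending | Select-Object -First 3
    [pscustomobject]@{
        EventId       = $EventId
        WindowMinutes = $WindowMinutes
        Count         = $events.Count
        Burst         = ($events.Count -ge $Threshold)
        TopSubjects   = ($topSubjects | ForEach-Object { "$($_.Name)=$($_.Count)" }) -join ', '
    }
}

# Usage, e.g. from a scheduled task that runs every 5 minutes:
$result = Get-EventBurst -EventId 5136 -WindowMinutes 5 -Threshold 1000
if ($result.Burst) {
    Write-Warning ("Event burst on {0}: {1} x event {2} in {3} min, top subjects: {4}" -f
        $env:COMPUTERNAME, $result.Count, $result.EventId, $result.WindowMinutes, $result.TopSubjects)
    # Send-MailMessage, Write-EventLog or a SIEM hook goes here
}
```

The burst check deliberately reports the top subject accounts rather than just a count: in both incidents described in this thread the flood came from a single delegated account, so the alert should already name the principal to disable. Limit-EventLog exists in Windows PowerShell 5.1 but not in PowerShell 7; use the wevtutil line shown in the comment there.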



Member

Posts: 17
Date: Jun 29, 2012


Hi Matthew,

Thank you very much for your detailed input. I am sorry to hear that this happened in your infrastructure, but it is good that you are now prepared to face this should it happen again.

I wanted to let you know that we have put 3 of the 4 recommendations in place. Specifically -

1. We made sure we have large disks, and lots of redundancy

2. We had one of our internal IT app developers write a little program that can alert us if lots of entries start to get generated in a short period of time

3. We spent a great deal of time discussing and then finalizing our auditing settings to ensure that only critical events would be logged


One Challenge Left

The ONE big thing we have not been able to accomplish yet is your #4, i.e. knowing exactly who can perform these tasks to begin with.

I mean we started looking at this, got approval for an internal project, assigned 3 of our best IT admins to try to do this, but trying to find out who has the ability to do these tasks has been a mountain of a problem to climb.

There are many reasons for this - a) we have 1000s of accounts, b) 100s of delegated admins (including service accounts, folks from HR, Legal, etc.), c) 1000s of ACLs to analyze, and d) a fair amount of delegation via nested groups.

As a result, we don't even know where to begin, so I'm afraid, we're not yet in a position where we can sleep well at night knowing that only x number of people can perform these tasks.

You seemed to mention that you had implemented ALL these measures, so if you don't mind me asking, and if you don't mind sharing, HOW did you accomplish #4, i.e. finding out who can perform these administrative tasks?

Thanks a lot for sharing - your inputs have already been very helpful!

Kind Regards,

Will.






Member

Posts: 16
Date: Jun 29, 2012


Hi Matthew,

I found your post very helpful - thanks for sharing. 

We too had a similar situation, wherein we had an HR employee who had modify access to the Employee ID attribute on all our user accounts, and one day someone planted a login script that executed when this employee logged in and it went ahead and modified the Employee ID of all accounts 100 times! 

Obviously, this led to our event logs getting flooded, as we had writes to that attribute being audited.

Since then, we've been trying to find out who has modify access in our Active Directory, and to what, so I too would be interested in knowing how to go about finding exactly who is provisioned/delegated what access in Active Directory.

If you don't mind sharing how you do it, that would be very helpful.

Thanks,

John





Member

Posts: 9
Date: Jul 20, 2012


Mates,

Yes, after quite some effort and management support, we now have all four measures in place to ensure that this does not happen again.

As for your question, i.e. what we are using to make sure we know who can perform these tasks in our Active Directory, we're using an automated tool called Gold Finger for Active Directory.

I believe it's over at - www.paramountdefenses.com/goldfinger

Good luck to you guys.

- Matt



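Will's and John's question (who can write a given attribute, across thousands of ACLs and through nested groups) is answered above with a pointer to a commercial tool. As an added example, and not the thread's own or that tool's code, here is how the same question can be worked by hand with the RSAT ActiveDirectory module: resolve the attribute's schema GUID and the GUID of the property set it belongs to, walk the ACLs under an OU for Allow ACEs that grant WriteProperty on that attribute, that property set or all properties (which also covers GenericAll and GenericWrite) to user objects, then expand any group principals to their recursive membership. The OU, the attribute name employeeID (John's case) and the function name are assumptions.

```powershell
# Added example for this thread, not code from the posters or from any product they mention.
# Requires the ActiveDirectory module (RSAT) and read access to the directory.
# The search base and attribute below are assumptions; adjust them to your forest.
Import-Module ActiveDirectory

function Get-AttributeWriters {
    param(
        [Parameter(Mandatory)][string]$SearchBase,   # e.g. 'OU=Staff,DC=corp,DC=example'
        [string]$Attribute = 'employeeID'            # attribute whose writers we want to know
    )
    $rootDse = Get-ADRootDSE
    # The attribute's own GUID, and the property set (attributeSecurityGUID) it belongs to:
    # an ACE on either grants the write, as does an ACE with an empty ObjectType (all properties).
    $attr = Get-ADObject -SearchBase $rootDse.schemaNamingContext `
        -LDAPFilter "(lDAPDisplayName=$Attribute)" -Properties schemaIDGUID, attributeSecurityGUID
    if (-not $attr) { throw "Attribute '$Attribute' not found in the schema" }
    $attrGuid = [guid]$attr.schemaIDGUID
    $setGuid  = if ($attr.attributeSecurityGUID) { [guid]$attr.attributeSecurityGUID } else { $null }
    $userClassGuid = [guid]'bf967aba-0de6-11d0-a285-00aa003049e2'   # schemaIDGUID of class 'user'
    $writeProperty = [System.DirectoryServices.ActiveDirectoryRights]::WriteProperty

    # Containers carry the delegations; users are scanned too in case of explicit per-object ACEs.
    $objects = Get-ADObject -SearchBase $SearchBase `
        -LDAPFilter '(|(objectClass=organizationalUnit)(objectClass=container)(objectClass=user))'

    $findings = foreach ($obj in $objects) {
        $acl = Get-Acl -Path "AD:\$($obj.DistinguishedName)"
        foreach ($ace in $acl.Access) {
            if ($ace.AccessControlType -ne 'Allow') { continue }
            # Inherited ACEs are reported where they are defined, except on the search base itself,
            # whose inherited ACEs come from ancestors outside the scan (e.g. the domain head).
            if ($ace.IsInherited -and $obj.DistinguishedName -ne $SearchBase) { continue }
            # The ACE must apply to user objects, or to all object classes
            if ($ace.InheritedObjectType -ne [guid]::Empty -and
                $ace.InheritedObjectType -ne $userClassGuid) { continue }
            if (-not $ace.ActiveDirectoryRights.HasFlag($writeProperty)) { continue }
            $scope = if ($ace.ObjectType -eq [guid]::Empty) { 'all properties' }
                     elseif ($ace.ObjectType -eq $attrGuid) { $Attribute }
                     elseif ($setGuid -and $ace.ObjectType -eq $setGuid) { 'property set' }
                     else { $null }
            if (-not $scope) { continue }
            [pscustomobject]@{
                DefinedOn = $obj.DistinguishedName
                Identity  = $ace.IdentityReference.Value
                Rights    = $ace.ActiveDirectoryRights
                Scope     = $scope
            }
        }
    }

    # Expand groups so the answer is accounts, not group names; non-AD principals
    # (NT AUTHORITY\SELF, Everyone, ...) are reported as they are.
    $principals = foreach ($f in $findings) {
        $name = $f.Identity.Split('\')[-1]
        $group = $null
        try { $group = Get-ADGroup -Identity $name -ErrorAction Stop } catch { }
        if ($group) {
            foreach ($m in Get-ADGroupMember -Identity $group -Recursive) {
                [pscustomobject]@{ Principal = $m.SamAccountName; Via = $f.Identity
                                   Scope = $f.Scope; DefinedOn = $f.DefinedOn }
            }
        } else {
            [pscustomobject]@{ Principal = $f.Identity; Via = 'direct'
                               Scope = $f.Scope; DefinedOn = $f.DefinedOn }
        }
    }
    $principals | Sort-Object Principal, Via, DefinedOn -Unique
}

# Usage: who can write employeeID on users under the Staff OU, and through which group?
Get-AttributeWriters -SearchBase 'OU=Staff,DC=corp,DC=example' -Attribute employeeID |
    Format-Table Principal, Via, Scope, DefinedOn -AutoSize
```

Two caveats a practitioner should keep in mind when reading the output. Only Allow ACEs are listed, so a matching Deny ACE on the same path can cancel a reported entry, and Get-ADGroupMember -Recursive does not follow foreign security principals from trusted domains and refuses groups over the ADWS member limit, so those memberships need separate treatment. The result is still what Matt's #4 asks for: a named list of accounts to compare against the handful of people who are supposed to hold that right.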
