IIS 7 and Above
Excessive Login Attempts/System Attack Warning
Last post Jan 10, 2018 11:27 AM by highdown
Jan 09, 2018 09:16 PM|highdown|LINK
I am running Windows 2012/IIS 8.+
A development server that only has a couple of users is experiencing a high rate of dropped connections and logins per hour. I have looked at two logs as noted below.
The RD Session Host server received large number of incomplete connections. The system may be under attack.
Windows Logs Security:
This log shows ~40,000 failed login attempts in the last 6 hours. I have set the dynamic IP restrictions as low as I can go, but to no effect. The server has been experiencing ~6,500 failed logins for over 24 hours and continues as I write this.
I think I need to possibly block IP/IPs on the Windows firewall, but cannot find the right log or logs.
Is there a default connection log on the server where I can see if these failed attempts are coming from the same IP address or a number of repeat offenders?
I checked this Stack Exchange link, "Server under DDOS attack", but it appears to be for Linux, so the log references are not applicable to IIS.
Thanks for your assistance.
Jan 09, 2018 10:34 PM|lextm|LINK
The RD Session Host server received large number of incomplete connections.
When it clearly says RD Session Host server, you should go to the relevant TechNet forum.
IIS has nothing to do with that, and the Dynamic IP Restriction module won't help you in any way.
Jan 10, 2018 02:24 AM|Yuk Ding|LINK
IIS IP restriction will only block incoming HTTP requests in the IIS pipeline. You may not use it as something like server-side IP security software. I didn't find any document about how to check the connector's IP.
Maybe you could get the IP list following this link:
This link provides various solutions for this issue:
Maybe you need to restrict the connection to your server.
In addition, if the steps above do not work, please post it to the TechNet Remote Desktop forum.
Jan 10, 2018 09:32 AM|highdown|LINK
Thank you for your helpful response. If I have additional issues, I will post to the appropriate forum.
Jan 10, 2018 11:27 AM|highdown|LINK
Yuk Ding, your Server Fault link provides a way to get the desired IP addresses through an event listener (script or C#). Really appreciate your answer and the time you spent on your response. Thanks again...
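The following PowerShell is an added example, not code from any poster in this thread or from the linked Server Fault answer. It tallies failed logons (Security event ID 4625) by source address over the last 6 hours, which answers the question of whether the attempts come from repeat offenders, and can optionally block them in Windows Firewall. The threshold, the rule name and the `$apply` switch are assumptions for illustration.

```powershell
# Added example. Run elevated: reading the Security log requires admin rights.
$hours     = 6       # look-back window, matching the 6 hours in the question
$threshold = 20      # assumed cut-off: report addresses with at least this many failures
$apply     = $false  # assumed switch: set to $true only after reviewing the list

$filter = @{ LogName = 'Security'; Id = 4625; StartTime = (Get-Date).AddHours(-$hours) }

# Read each failed-logon event and pull its fields out by name from the event XML.
$failures = @(
    Get-WinEvent -FilterHashtable $filter -ErrorAction SilentlyContinue |
    ForEach-Object {
        $data = @{}
        foreach ($d in ([xml]$_.ToXml()).Event.EventData.Data) { $data[$d.Name] = $d.'#text' }
        [pscustomobject]@{
            Time      = $_.TimeCreated
            IpAddress = $data['IpAddress']
            UserName  = $data['TargetUserName']
            LogonType = $data['LogonType']   # 3 = network, 10 = RemoteInteractive
        }
    }
)

# Some events carry no source address ('-' or empty); count them separately.
$noAddress = @($failures | Where-Object { -not $_.IpAddress -or $_.IpAddress -eq '-' }).Count

# Group by address, skip loopback, keep only addresses at or above the threshold.
$byIp = @(
    $failures |
    Where-Object { $_.IpAddress -and $_.IpAddress -notin '-', '127.0.0.1', '::1' } |
    Group-Object IpAddress |
    Where-Object { $_.Count -ge $threshold } |
    Sort-Object Count -Descending |
    Select-Object Count, @{ n = 'IpAddress'; e = { $_.Name } },
        @{ n = 'SampleUsers'; e = { ($_.Group.UserName | Sort-Object -Unique | Select-Object -First 5) -join ', ' } }
)

"{0} failed logons in {1}h, {2} without a source address" -f $failures.Count, $hours, $noAddress
$byIp | Format-Table -AutoSize

# Block the reported addresses with one inbound Windows Firewall rule.
if ($apply -and $byIp.Count -gt 0) {
    New-NetFirewallRule -DisplayName 'Block failed-logon sources (example)' `
        -Direction Inbound -Action Block -RemoteAddress $byIp.IpAddress
}
```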