Steven
Wed Sep 28 15:20:18 CDT 2005
With netmon or any other packet sniffer [like Ethereal] you would be
looking for a lot of broadcasts being done by a computer or computers, and I
mean continuous, non-stop, because it is not unusual to see broadcasts.
Broadcasts have a destination address ending in .255 for your network
address. Also look for computers that constantly are sending traffic to the
domain controller, and I mean that it never stops. That is how a DoS attack
works: by trying to overwhelm the destination computer so that it can no
longer function on the network. Netmon may show computer names or IP
addresses [maybe even MAC addresses] in the source and destination columns
of the capture. Again, I tend to doubt that your DC is under a DoS attack if
only one or a few of those Event IDs were recorded. --- Steve
"derlenbusch" <derlenbusch@discussions.microsoft.com> wrote in message
news:BDCAFE33-00AC-476F-B670-7DF6A875622E@microsoft.com...
> Thanks for the info. I got netmon installed but not sure what I am looking
> for:
> Not sure what EType = Unknown is for:
>
> 1 0.190302 003048232E34 *BROADCAST ETHERNET EType = Unknown
> FRAME: Base frame properties
> FRAME: Time of capture = 9/28/2005 10:38:50 AM
> FRAME: Time delta from previous physical frame: 0 microseconds
> FRAME: Frame number: 1
> FRAME: Total frame length: 64 bytes
> FRAME: Capture frame length: 64 bytes
> FRAME: Frame data: Number of data bytes remaining = 64 (0x0040)
> ETHERNET: EType = Unknown
> ETHERNET: Destination address = FFFFFFFFFFFF
> ETHERNET: 1....... = Group address
> ETHERNET: .1...... = Locally administered address
> ETHERNET: Source address = 003048232E34
> ETHERNET: .0...... = Universally administered address
> ETHERNET: Ethernet Type : 0x886D
> ETHERNET: Ethernet Data: Number of data bytes remaining = 50 (0x0032)
> 00000: FF FF FF FF FF FF 00 30 48 23 2E 34 88 6D 00 01 ÿÿÿÿÿÿ.0H#.4?m..
> 00010: 00 01 24 61 14 00 03 00 00 0E 0C 5A E7 6C 00 00 ..$a.......Zçl..
> 00020: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
> 00030: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
>
>
> "Steven L Umbach" wrote:
>
>> OK. I read the comment where a user saw that event generated after he did
>> a security scan, which may or may not be related and could have been
>> coincidental. I would not worry much unless you are getting a lot of
>> these events and something is not working correctly. If you have another
>> WINS server on your network that perhaps is a replication partner to your
>> DC, then I would check it to see if it is functioning correctly and see if
>> anything related is reported in the logs for it. You may also want to
>> restart the WINS service. If you have a DoS attack on your server you
>> would experience sluggish performance and response, and could verify a DoS
>> attack with netmon, where you would see an extreme amount of unexplained
>> traffic coming from one or more computers, which could indicate a worm on
>> your network and could also generate a lot of logon failures in the
>> security log of the domain controller, assuming auditing of account logon
>> and logon events is enabled. For domain controllers you probably only want
>> to have auditing of "logon" events enabled for failure and "account logon"
>> events enabled for success and failure. Of course a properly configured
>> firewall should be protecting your network. --- Steve
>>
>>
>> "derlenbusch" <derlenbusch@discussions.microsoft.com> wrote in message
>> news:6DAC66A0-6E18-4ED4-AA98-A584618E0E2C@microsoft.com...
>> > Thanks. Did that and got a strange answer back that worries me about a
>> > DoS. That is why I am worried and have posted this out here for more
>> > help.
>> > Dan
>> >
>> > "Steven L Umbach" wrote:
>> >
>> >> I don't know the answer offhand but I often find it helpful to search
>> >> for info about Event IDs at http://www.eventid.net. Select search
>> >> events and enter the Event ID number and source --- Steve
>> >>
>> >>
>> >>
>> >> "derlenbusch" <derlenbusch@discussions.microsoft.com> wrote in message
>> >> news:E48AE74C-F69A-4715-9EB1-B5EF83C58D3D@microsoft.com...
>> >> > I get this error on my DC. I can't find anything useful online. Any
>> >> > ideas what it is or how I can fix it? The only item I found was that
>> >> > I might have a Denial of Service.
>> >> >
>> >> > The length of the message sent by another WINS indicates a very big
>> >> > message. There may have been corruption of the data. WINS will ignore
>> >> > this message, terminate the connection with the remote WINS, and
>> >> > continue.
>> >> >
>> >> > Also:
>> >> > The message '-1073671982' for application 'Wins' could not be
>> >> > formatted using library(ies): ''. The log entry contains the
>> >> > following replacement strings:
>> >> >
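Added example, not part of the thread: a small Python script that rebuilds the netmon frame quoted above from its hex dump, decodes the Ethernet header the way netmon's summary does, and applies Steve's heuristic (a host sending broadcasts continuously, not just now and then) to a constructed capture. EtherType 0x886D, which netmon shows as "Unknown", is a vendor-registered type (Intel's, carried by its ANS adapter-teaming probes) that netmon's parsers of the time did not decode; that identification is the editor's, not something the thread states. The sample capture, the rate threshold and the MAC 00:11:22:33:44:55 are constructed for the example.

```python
"""Decode the netmon frame quoted in the thread and flag hosts that broadcast
continuously.  Added example; not code from the original post."""
import struct
from collections import defaultdict

# Hex dump copied from the netmon capture quoted in the thread (frame 1).
POSTED_DUMP = """\
00000: FF FF FF FF FF FF 00 30 48 23 2E 34 88 6D 00 01 ÿÿÿÿÿÿ.0H#.4?m..
00010: 00 01 24 61 14 00 03 00 00 0E 0C 5A E7 6C 00 00 ..$a.......Zçl..
00020: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
00030: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
"""

# EtherTypes netmon decodes, plus the one in the capture.  0x886D is registered
# to Intel (ANS adapter-teaming probes); that label is the editor's assumption,
# the thread itself only says netmon reported it as Unknown.
ETHERTYPE_NAMES = {
    0x0800: "IPv4",
    0x0806: "ARP",
    0x8100: "802.1Q VLAN",
    0x86DD: "IPv6",
    0x888E: "EAPOL (802.1X)",
    0x886D: "Intel ANS probe (vendor-registered)",
}
BROADCAST_MAC = "FF:FF:FF:FF:FF:FF"


def parse_dump(text):
    """Turn netmon 'offset: 16 hex bytes  ascii' lines back into raw bytes."""
    out = bytearray()
    for line in text.splitlines():
        if ":" not in line:
            continue
        tokens = line.split(":", 1)[1].split()
        out.extend(int(t, 16) for t in tokens[:16])  # drop the ASCII column
    return bytes(out)


def fmt_mac(raw):
    return ":".join("%02X" % b for b in raw)


def decode_ethernet(frame):
    """Decode the 14-byte Ethernet II header (dst, src, EtherType)."""
    if len(frame) < 14:
        raise ValueError("short frame: %d bytes" % len(frame))
    dst, src, etype = struct.unpack("!6s6sH", frame[:14])
    return {
        "dst": fmt_mac(dst),
        "src": fmt_mac(src),
        "ethertype": etype,
        "ethertype_name": ETHERTYPE_NAMES.get(etype, "Unknown"),
        "is_broadcast": dst == b"\xff" * 6,
        "is_group": bool(dst[0] & 0x01),                # netmon: '1....... = Group address'
        "src_locally_administered": bool(src[0] & 0x02),  # netmon: '.1...... = Locally administered'
        "payload_len": len(frame) - 14,                 # netmon: 'data bytes remaining'
    }


def noisy_broadcast_sources(frames, rate_threshold, min_count=50):
    """Return source MACs that sent at least min_count broadcasts at more than
    rate_threshold frames/second over the span they were seen.
    frames: iterable of (time_seconds, src_mac, dst_mac).
    A host doing an ARP every 30 s is normal; hundreds per second is not."""
    times = defaultdict(list)
    for t, src, dst in frames:
        if dst == BROADCAST_MAC:
            times[src].append(t)
    flagged = set()
    for src, ts in times.items():
        if len(ts) < min_count:
            continue
        span = max(ts) - min(ts)
        rate = len(ts) / span if span > 0 else float("inf")
        if rate > rate_threshold:
            flagged.add(src)
    return flagged


# Constructed capture (not from the thread): the posted source MAC doing a
# normal broadcast every 30 s, and a hypothetical host spewing 100 broadcasts
# a second for 5 s plus some unicast traffic that must be ignored.
NORMAL_HOST = "00:30:48:23:2E:34"
NOISY_HOST = "00:11:22:33:44:55"
SAMPLE_FRAMES = (
    [(30.0 * i, NORMAL_HOST, BROADCAST_MAC) for i in range(10)]
    + [(0.01 * i, NOISY_HOST, BROADCAST_MAC) for i in range(500)]
    + [(0.5 * i, NOISY_HOST, "00:0C:29:AA:BB:CC") for i in range(20)]
)

if __name__ == "__main__":
    info = decode_ethernet(parse_dump(POSTED_DUMP))
    for key, value in info.items():
        print("%-26s %s" % (key, hex(value) if key == "ethertype" else value))
    print("noisy broadcasters:", noisy_broadcast_sources(SAMPLE_FRAMES, 10.0))
```

The destination in the posted dump is the Ethernet broadcast FF:FF:FF:FF:FF:FF; an IP broadcast to an address ending in .255 travels inside a frame like that, so counting at the MAC layer catches IP broadcasts and non-IP ones (such as this 0x886D frame) alike. Apply the rate test to a capture of a few minutes, not a few frames: a single frame, or one every half minute, is the normal background Steve describes, and a handful of the WINS events is not evidence of a flood.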