Score:1

Domain Controllers Experiencing Heavy Network Load From Almost All Machines In the Domain


We are experiencing frequent and high-bandwidth connections from almost every machine in our environment with no recognizable pattern.

We transferred ~110GB to/from our main domain controllers (10.223.3.35 and 10.223.3.14) over the past 24 hours over port 445.

We recently made the following changes in our environment: (however these changes were made about 7 days after the network issues first occurred)

Digitally encrypt or sign secure channel data (always) – Enabled
Digitally encrypt secure channel data (when possible) – Enabled
Digitally sign secure channel data (when possible) – Enabled
Disable machine account password changes – DISABLED
Maximum machine account password age – 30
Require strong (Windows 2000 or later) session key – Enabled
Send unencrypted password to connect to third-party SMB servers – DISABLED
Allow anonymous SID/name translation – DISABLED
Do not allow anonymous enumeration of SAM accounts – Enabled
Do not allow anonymous enumeration of SAM accounts and shares – Enabled
Restrict anonymous access to Named Pipes and Shares – Enabled
Allow LocalSystem NULL session fallback – Disabled
Do not store LAN Manager hash value on next password change – Enabled
LAN Manager authentication level - Send NTLMv2 response only\refuse LM & NTLM
LDAP client signing requirements - Negotiate Signing
Minimum session security for NTLM SSP based (including secure RPC) clients - Require NTLMv2 session security, Require 128bit encryption
Minimum session security for NTLM SSP based (including secure RPC) servers - Require NTLMv2 session security, Require 128bit encryption

Snort is coming back with this type of log frequently: 07/01-20:01:41.953634 [] [1:3276:2] NETBIOS DCERPC IActivation little endian bind attempt [] [Classification: Generic Protocol Command Decode] [Priority: 3] {TCP} redactedIP:55424 -> 10.223.3.35:135

Event viewer seems to be logging an obscene number of security events but none of them seem to stand out. Disk utilization in Resource Monitor can sit around 100 MB/s and the network is sometimes uploading 150 Mbps or higher for seemingly no good reason. There is no identifiable, intentional major data transfer from any of the problematic machines.

Any insight that anyone can provide is much appreciated!

joeqwerty: Run a packet capture on the Domain Controllers and analyze the capture.

Quinn Favo: @joeqwerty I knew I forgot to add something. A past packet capture I took does show some interesting things: TCP Dup Ack, TCP Fast Retransmission, TCP Out-of-order, NBSS continuation messages (seems to be related to NetBIOS but I need to do some googling).

Massimo: @joeqwerty Based on the TCP port and the associated heavy disk I/O, this is definitely SMB traffic; investigating what is actually being done via SMB should be a lot more useful than a network capture.

joeqwerty: @Massimo a capture would tell the OP what the SMB traffic is related to. What's being accessed via SMB? A capture would show this.

There are other protocols that can use 445 (SAMR is one). You could also disable NetBIOS - that shouldn't be needed.

Also if you changed lmcompatibilitylevel to `Send NTLMv2 response only\refuse LM & NTLM` without auditing NTLM or phasing that in, it could be a problem. You may want to change that to allow NTLM to see the effect.
Score:3

TCP 445 is SMB, i.e. Windows file sharing.

You should monitor the SMB activity on your DCs; you can do that graphically from the Computer Management MMC or via PowerShell using the various Get-SmbXYX commands in SmbShare.

This could be a virus spreading through network shares; however, this is just a random guess and it could really be anything else.
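One way to do the SMB monitoring the answer describes from PowerShell, as an added example that is not part of the answer. Run it elevated on the DC itself; the open-file threshold, the 7-day session age and the list of "expected" shares (SYSVOL and NETLOGON) are my assumptions, not values from the question.

```powershell
# Added example (not the answer's code). Run elevated on the DC.
# Summarises SMB sessions and open files so you can see which clients,
# shares and paths account for the traffic, and which sessions look odd.
$openFileThreshold = 100                     # assumption: flag sessions above this
$expectedShares    = @('SYSVOL', 'NETLOGON')  # assumption: normal for domain members

# Map each SMB share to its local root so open files can be bucketed by share.
$shareRoots = Get-SmbShare | Where-Object Path | Select-Object Name, Path

function Get-ShareForPath([string]$localPath) {
    foreach ($s in $shareRoots) {
        $root = $s.Path.TrimEnd('\') + '\'
        if ($localPath.StartsWith($root, [StringComparison]::OrdinalIgnoreCase)) {
            return $s.Name
        }
    }
    return '(none)'
}

# 1. Sessions: who is connected, how many files they hold, how long they have been there.
$sessions = Get-SmbSession
$flagged = $sessions | Where-Object {
    $_.NumOpens -gt $openFileThreshold -or $_.SecondsExists -gt (7 * 86400)
}
Write-Host "Sessions with more than $openFileThreshold opens or older than 7 days:"
$flagged | Sort-Object NumOpens -Descending |
    Select-Object ClientComputerName, ClientUserName, NumOpens, Dialect,
        @{ n = 'AgeDays'; e = { [math]::Round($_.SecondsExists / 86400, 1) } } |
    Format-Table -AutoSize

# 2. Open files: bucket by share, then list what is open outside the expected shares.
$open = Get-SmbOpenFile | Select-Object ClientComputerName, ClientUserName, Path,
    @{ n = 'Share'; e = { Get-ShareForPath $_.Path } }

Write-Host "Open files per share:"
$open | Group-Object Share | Sort-Object Count -Descending |
    Select-Object Name, Count | Format-Table -AutoSize

Write-Host "Open files outside $($expectedShares -join '/'), by client and path:"
$open | Where-Object { $_.Share -notin $expectedShares } |
    Group-Object ClientComputerName, Path | Sort-Object Count -Descending |
    Select-Object Count, Name -First 25 | Format-Table -AutoSize
```

Heavy reads of SYSVOL by many clients are expected; a few clients holding hundreds of files open on any other share, or any client writing to SYSVOL, is where to start looking.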

Quinn Favo: Thank you for your answer, I just checked it now. I am not sure what is considered normal but I am seeing hundreds of connections with some of them having 100+ open files. Some have been connected for 18 days.

Massimo: Domain Controllers host the SYSVOL share, where group policies are stored; it's definitely normal for domain computers to connect to it. However, heavy file transfers like the ones that seem to be going on here are definitely *not* normal.

Massimo: You'll need to investigate deeper and check *what* is actually being read or written and *where*.

SamErde: Do you have a software install policy that is deploying a package to clients, any logon/startup scripts, or any file deployment GP preferences?