Score:1

Server

Domain Controllers Experiencing Heavy Network Load From Almost All Machines In the Domain

Quinn Favo

11/1/22, 8:19 PM

We are experiencing frequent and high-bandwidth connections from almost every machine in our environment with no recognizable pattern.

We transferred ~110GB to/from our main domain controllers(10.223.3.35 and 10.223.3.14) over the past 24hours over port 445

We recently made the following changes in our environment: (however these changes were made about 7 days after the network issues first occurred)

Digitally encrypt or sign secure channel data (always) – Enabled
Digitally encrypt secure channel data (when possible) – Enabled
Digitally sign secure channel data (when possible) – Enabled
Disable machine account password changes – DISABLED
Maximum machine account password age – 30
Require strong (Windows 2000 or later) session key – Enabled
Send unencrypted password to connect to third-party SMB servers – DISABLED
Allow anonymous SID/name translation – DISABLED
Do not allow anonymous enumeration of SAM accounts – Enabled
Do not allow anonymous enumeration of SAM accounts and shares – Enabled
Restrict anonymous access to Named Pipes and Shares – Enabled
Allow LocalSystem NULL session fallback – Disabled
Do not store LAN Manager hash value on next password change – Enabled
LAN Manager authentication level - Send NTLMv2 response only\refuse LM & NTLM
LDAP client signing requirements - Negotiate Signing Minimum session security for NTLM SSP based (including secure RPC) clients - Require NTLMv2 session security, Require 128bit encryption
Minimum session security for NTLM SSP based (including secure RPC) servers - Require NTLMv2 session security, Require 128bit encryption

Snort is coming back with this type of log frequently: 07/01-20:01:41.953634 [] [1:3276:2] NETBIOS DCERPC IActivation little endian bind attempt [] [Classification: Generic Protocol Command Decode] [Priority: 3] {TCP} redactedIP:55424 -> 10.223.3.35:135

Event viewer seems to be logging an obscene number of security events but none of them seem to stand out. Disk utilization in resource monitor can sit around 100MB/s and network is sometimes uploading 150mbps or higher for seemingly no good reason. There is no identifiable, intentional major data transfer from any of the problematic machines.

Any insight that anyone can provide is much appreciated!

556

1 + 6

networking

windows

ldap

domain-controller

network-traffic

joeqwerty

11/1/22, 8:37 PM

Run a packet capture on the Domain Controllers and analyze the capture.

Quinn Favo

11/1/22, 9:08 PM

@joeqwerty I knew I forgot to add something. A past packet capture I took does show some interesting things: TCP Dup Ack TCP Fast Retransmission TCP Out-of-order NBSS continuation messages(seems to be related to NetBios but I need to do some googling)

Massimo

11/1/22, 10:18 PM

@joeqwerty Based on the TCP port and the associated heavy disk I/O, this is definitely SMB traffic; investigating what is actually being done via SMB should be a lot more useful than a network capture.

joeqwerty

11/1/22, 11:36 PM

@Massimo a capture would tell the OP what the SMB traffic is related to. What's being accessed via SMB? A capture would show this.

Greg Askew

11/2/22, 12:28 PM

There's other protocols that can use 445 (SAMR is one). You could also disable Netbios - that shouldn't be needed.

Greg Askew

11/2/22, 12:44 PM

Also if you changed lmcompatibilitylevel to `Send NTLMv2 response only\refuse LM & NTLM` without auditing NTLM or phasing that in, it could be a problem. You may want to change that to allow NTLM to see the affect.

Score:3

Server

Massimo

11/1/22, 8:45 PM

TCP 445 is SMB, i.e. Windows file sharing.

You should monitor the SMB activity on your DCs; you can do that graphically from the Computer Management MMC or via PowerShell using the various Get-SmbXYX commands in SmbShare.

This could be a virus spreading through network shares; however, this is just a random guess and it could really be anything else.

0 + 4

Quinn Favo

11/1/22, 9:07 PM

Thank you for your answer, I just checked it now. I am not sure what is considered normal but I am seeing hundreds of connections with some of them having 100+ open files. Some have been connected for 18 days.

Massimo

11/1/22, 10:12 PM

Domain Controllers host the SYSVOL share, where group policies are stored; it's definitely normal for domain computers to connect to it. However, heavy file transfers like the ones that seem to be going on here are definitely *not* normal.

Massimo

11/1/22, 10:13 PM

You'll need to investigate deeper and check *what* is actually being read or written and *where*.

SamErde

11/7/22, 10:43 AM

Do you have a software install policy that is deploying a package to clients, any logon/startup scripts, or any file deployment GP preferences?

Elon Musk

I sit in a Tesla and translated this thread with Ai:

EN: Domain Controllers Experiencing Heavy Network Load From Almost All Machines In the Domain

TH: ตัวควบคุมโดเมนประสบปัญหาการโหลดเครือข่ายจำนวนมากจากเครื่องเกือบทั้งหมดในโดเมน

RO: Controlerele de domeniu se confruntă cu o sarcină grea de rețea de la aproape toate mașinile din domeniu

RU: Контроллеры домена испытывают большую сетевую нагрузку почти со всех машин в домене

VI: Bộ điều khiển miền gặp phải tải mạng nặng từ hầu hết các máy trong miền

Post an answer

Most people don’t grasp that asking a lot of questions unlocks learning and improves interpersonal bonding. In Alison’s studies, for example, though people could accurately recall how many questions had been asked in their conversations, they didn’t intuit the link between questions and liking. Across four studies, in which participants were engaged in conversations themselves or read transcripts of others’ conversations, people tended not to realize that question asking would influence—or had influenced—the level of amity between the conversationalists.