Over 8GB of traffic from a workstation named KHAOSSERVER has occurred since yesterday; in the Security Event Log there are records like this:
An account failed to log on.
Subject:
Security ID: NULL SID
Account Name: -
Account Domain: -
Logon ID: 0x0
Logon Type: 3
Account For Which Logon Failed:
Security ID: NULL SID
Account Name: agent
Account Domain: KHAOSSERVER
Failure Information:
Failure Reason: Unknown user name or bad password.
Status: 0xc000006d
Sub Status: 0xc0000064
Process Information:
Caller Process ID: 0x0
Caller Process Name: -
Network Information:
Workstation Name: KHAOSSERVER
Source Network Address: - ????????
Source Port: -
Detailed Authentication Information:
Logon Process: NtLmSsp
Authentication Package: NTLM
Transited Services: -
Package Name (NTLM only): -
Key Length: 0
If there were an IP address for KHAOSSERVER, an inbound blocking rule could be configured.
Regardless of the fact that the workstation name might change, how does one configure an inbound blocking rule for the Windows 2008 R2 firewall when the workstation is known but the IP address is unknown?
Please note:
even now, KHAOSSERVER is still attacking my server.
I would comment, but I can't.
Talk to someone who has visibility into the network, or run a packet capture with something like Wireshark to capture the IP.
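As an added example (not part of the question or of the answer above), a PowerShell snippet for the attacked Windows Server 2008 R2 host that pulls the 4625 events whose Workstation Name is KHAOSSERVER and reports which, if any, carry a populated Source Network Address. Windows Firewall with Advanced Security has no match condition on workstation name, so the `netsh advfirewall` rule at the end can only be written once an address is known; `PLACEHOLDER-IP` is a placeholder, not a value from the page.

```powershell
# Added example, not code from the question or answer. Run on the server
# whose Security log holds the 4625 events; the workstation name is the one
# shown in the question's event, the time window matches "since yesterday".
$Workstation = 'KHAOSSERVER'
$Since       = (Get-Date).AddDays(-1)

$events = Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 4625; StartTime = $Since } `
                       -ErrorAction SilentlyContinue

# Read named EventData fields from each event's XML instead of relying on
# positional Properties[] indexes, which differ between event versions.
function Get-EventDataField {
    param([System.Diagnostics.Eventing.Reader.EventRecord]$Event, [string]$Name)
    $xml = [xml]$Event.ToXml()
    ($xml.Event.EventData.Data | Where-Object { $_.Name -eq $Name }).'#text'
}

$hits = foreach ($e in $events) {
    if ((Get-EventDataField $e 'WorkstationName') -ne $Workstation) { continue }
    New-Object PSObject -Property @{
        Time      = $e.TimeCreated
        Account   = Get-EventDataField $e 'TargetUserName'            # e.g. "agent"
        AuthPkg   = Get-EventDataField $e 'AuthenticationPackageName' # e.g. "NTLM"
        SubStatus = Get-EventDataField $e 'SubStatus'                 # 0xc0000064 = no such user
        SourceIP  = Get-EventDataField $e 'IpAddress'                 # "-" when not recorded
    }
}

"Failed logons from $Workstation since $Since : $(@($hits).Count)"

# Group by source address. Events showing "-" (as in the question) carry no
# address and cannot be blocked by IP; any other value is a candidate for a rule.
$hits | Group-Object SourceIP | Sort-Object Count -Descending |
    Select-Object @{ n = 'SourceIP'; e = { $_.Name } }, Count | Format-Table -AutoSize

# Once an address is known (from a populated event or from a packet capture),
# block it inbound. Replace PLACEHOLDER-IP with the observed address first.
# netsh advfirewall firewall add rule name="Block $Workstation" dir=in action=block remoteip=PLACEHOLDER-IP
```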