Domain Controllers Experiencing Heavy Network Load From Almost All Machines In the Domain

networking windows domain-controller ldap network-traffic

We are experiencing frequent and high-bandwidth connections from almost every machine in our environment with no recognizable pattern.

We transferred ~110GB to/from our main domain controllers(10.223.3.35 and 10.223.3.14) over the past 24hours over port 445

We recently made the following changes in our environment: (however these changes were made about 7 days after the network issues first occurred)

Digitally encrypt or sign secure channel data (always) – Enabled
Digitally encrypt secure channel data (when possible) – Enabled
Digitally sign secure channel data (when possible) – Enabled
Disable machine account password changes – DISABLED
Maximum machine account password age – 30
Require strong (Windows 2000 or later) session key – Enabled
Send unencrypted password to connect to third-party SMB servers – DISABLED
Allow anonymous SID/name translation – DISABLED
Do not allow anonymous enumeration of SAM accounts – Enabled
Do not allow anonymous enumeration of SAM accounts and shares – Enabled
Restrict anonymous access to Named Pipes and Shares – Enabled
Allow LocalSystem NULL session fallback – Disabled
Do not store LAN Manager hash value on next password change – Enabled
LAN Manager authentication level - Send NTLMv2 response only\refuse LM & NTLM
LDAP client signing requirements - Negotiate Signing Minimum session security for NTLM SSP based (including secure RPC) clients - Require NTLMv2 session security, Require 128bit encryption
Minimum session security for NTLM SSP based (including secure RPC) servers - Require NTLMv2 session security, Require 128bit encryption

Snort is coming back with this type of log frequently: 07/01-20:01:41.953634 [] [1:3276:2] NETBIOS DCERPC IActivation little endian bind attempt [] [Classification: Generic Protocol Command Decode] [Priority: 3] {TCP} redactedIP:55424 -> 10.223.3.35:135

Event viewer seems to be logging an obscene number of security events but none of them seem to stand out. Disk utilization in resource monitor can sit around 100MB/s and network is sometimes uploading 150mbps or higher for seemingly no good reason. There is no identifiable, intentional major data transfer from any of the problematic machines.

Any insight that anyone can provide is much appreciated!


TCP 445 is SMB, i.e. Windows file sharing.

You should monitor the SMB activity on your DCs; you can do that graphically from the Computer Management MMC or via PowerShell using the various Get-SmbXYX commands in SmbShare.

This could be a virus spreading through network shares; however, this is just a random guess and it could really be anything else.

Related

Iptables forward all traffic to a specified port and IP address, to another device [duplicate]
Why traceroute with different arguments makes different routes?
Let openldap users change password with passwd in centos, i broke it
Get access denied using project owner service account credentials
Apache Guacamole Login with User from DomainA, rdp to Server from DomainB
Problems when install perl package
What is the difference between 'curricula' and 'curriculum'?
Is there any reason why English doesn’t add respectful words in every sentence? [closed]
Does the word Effortless imply a negative or a positive comment?
Releasatory? Releaseful?
Word for covering yourself with something while slouching?
What’s the name for Gary and Harry’s blood relationship?