Monday, December 17, 2018

How do I find the origin of these attacks?

I've been seeing what looks like a dictionary attack on our ISE TACACS logs with a remote address in China. What is strange is that the address they are attacking is an internal 10.x address on a management interface of our edge ASR routers. I'm seeing about 7 (thankfully) failed login attempts every minute, with the source address periodically changing to another address in Chinese IP space.

I suspect that we may have a compromised host on our network that is spoofing its source address, though I have no way to prove it at the moment. Unfortunately I'm unable to do an embedded packet capture on this interface (limitation of the ASR, I guess).

What is the best way to find the actual source of these login attempts?
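Added example, not part of the original post: a small Python pass over constructed, simplified TACACS+ failure records that buckets failed logins per managed device per minute and flags the rotating-source dictionary pattern described above. The log layout, the 10.20.0.x device addresses and the 203.0.113.x remote addresses are assumptions for the example, not ISE's real syslog format or the poster's data.

```python
import re
from collections import defaultdict
from datetime import datetime

# Constructed, simplified TACACS+ authentication-failure records in the spirit
# of what an AAA server such as ISE would export. Field names, layout and all
# addresses are assumptions for this example, not ISE's real syslog format.
SAMPLE_LOG = """\
2018-12-17T10:00:03 TACACS+ AUTH FAILED device=10.20.0.5 remote=203.0.113.10 user=admin
2018-12-17T10:00:12 TACACS+ AUTH FAILED device=10.20.0.5 remote=203.0.113.10 user=cisco
2018-12-17T10:00:21 TACACS+ AUTH FAILED device=10.20.0.5 remote=203.0.113.10 user=root
2018-12-17T10:00:30 TACACS+ AUTH FAILED device=10.20.0.5 remote=203.0.113.44 user=admin
2018-12-17T10:00:39 TACACS+ AUTH FAILED device=10.20.0.5 remote=203.0.113.44 user=support
2018-12-17T10:00:48 TACACS+ AUTH FAILED device=10.20.0.5 remote=203.0.113.44 user=test
2018-12-17T10:00:57 TACACS+ AUTH FAILED device=10.20.0.5 remote=203.0.113.44 user=guest
2018-12-17T10:01:05 TACACS+ AUTH FAILED device=10.20.0.5 remote=203.0.113.9 user=admin
2018-12-17T10:03:40 TACACS+ AUTH FAILED device=10.20.0.7 remote=10.20.1.23 user=netops
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) TACACS\+ AUTH FAILED device=(?P<device>\S+) "
    r"remote=(?P<remote>\S+) user=(?P<user>\S+)$"
)

def parse_failures(text):
    """Yield (minute_bucket, device, remote, user) for each failed-auth line."""
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # skip anything that is not a failure record
        ts = datetime.fromisoformat(m["ts"]).replace(second=0)
        yield ts, m["device"], m["remote"], m["user"]

def find_dictionary_bursts(text, min_failures=5):
    """Return {(minute, device): {'count', 'remotes', 'users'}} for every
    minute in which one device sees min_failures or more failed logins.
    Several distinct remotes in one bucket is the rotating-source pattern."""
    buckets = defaultdict(lambda: {"count": 0, "remotes": set(), "users": set()})
    for minute, device, remote, user in parse_failures(text):
        b = buckets[(minute, device)]
        b["count"] += 1
        b["remotes"].add(remote)
        b["users"].add(user)
    return {k: v for k, v in buckets.items() if v["count"] >= min_failures}

if __name__ == "__main__":
    for (minute, device), b in sorted(find_dictionary_bursts(SAMPLE_LOG).items()):
        print(f"{minute:%Y-%m-%d %H:%M} {device}: {b['count']} failures from "
              f"{len(b['remotes'])} remote address(es), {len(b['users'])} usernames")
```

The flagged minute, target device and set of remote addresses are what you would then correlate against NetFlow or firewall logs on the path to the management interface to see where the sessions really enter the network.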


