My question is similar to one issued in this group in the beginning of
September
"Lsass error - Possible IIS breaking through web request"

We suffer from regular crash of Windows 2000 Server due to following error:
"The security package Negotiate generated an exception. The package is now
disabled. The exception information is the data".

Our server is used as web server and for each crush like this we have
corresponding entry in Web server log
2005-11-27 11:20:03 217.16.73.119 - W3SVC1 RT-WEB 192.168.1.3 80 GET / - 500
2148074244 182 5697 47 HTTP/1.0 217.9.80.108 - - -

It is important that ALL these bad requests have the same length 5697 and
were made from dialup Inet ip.
We meet probably near 30 or so there bad requests since this September.

The next important that all bad client ip were 217.x.x.x. So it looks like
some kind of automatically generated address partially coinsiding with our.

Sources of these bad requests are different: Bulgaria, German, Poland. Since
this November we receive several requests from Russia.

Now we block entire ip range from provider (all of them are dialup
providers) in firewall. It works but requests from new ip adresses appears.

The question is: what is the right way to deal with this situation?

Have you run Microsoft Baseline Security Analyser against this machine to
verify your patch level?

http://www.microsoft.com/technet/security/tools/mbsahome.mspx

Cheers
Ken


[quoted text, click to view]
: My question is similar to one issued in this group in the beginning of
: September
: "Lsass error - Possible IIS breaking through web request"
:
: We suffer from regular crash of Windows 2000 Server due to following
error:
: "The security package Negotiate generated an exception. The package is now
: disabled. The exception information is the data".
:
: Our server is used as web server and for each crush like this we have
: corresponding entry in Web server log
: 2005-11-27 11:20:03 217.16.73.119 - W3SVC1 RT-WEB 192.168.1.3 80 GET / -
500
: 2148074244 182 5697 47 HTTP/1.0 217.9.80.108 - - -
:
: It is important that ALL these bad requests have the same length 5697 and
: were made from dialup Inet ip.
: We meet probably near 30 or so there bad requests since this September.
:
: The next important that all bad client ip were 217.x.x.x. So it looks like
: some kind of automatically generated address partially coinsiding with
our.
:
: Sources of these bad requests are different: Bulgaria, German, Poland.
Since
: this November we receive several requests from Russia.
:
: Now we block entire ip range from provider (all of them are dialup
: providers) in firewall. It works but requests from new ip adresses
appears.
:
: The question is: what is the right way to deal with this situation?
:
:
:
:

[quoted text, click to view]

Thank you for info about MBSA. Yes, there are several critical security
updates missed. But none of them deal with Notification package failure.

I wrote custom filter to log the content of ALL_RAW server variable during
headers preprocessing and yesterday got record for my case. Its size is 5679
and consists of
the folowwing
Host: 217.9.80.108
Authorization: Negotiate
YIIQegYGKwYBBQUCoIIQbjCCEGqhghBmI4IQYgOCBAEAQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQ...

I'm not sure what the "notification" package is. There is a Negotiate
package that handles Kerberos authentication. There are a number of patches
related to PCT/SSL type vulnerabilities. I would ensure that those are
installed.

Alternatively, perhaps you've encountered a bug. In which case I would
suggest that you open a call with Microsoft PSS (Product Support Services)
immediately, as this looks like a serious issue.

Cheers
Ken


[quoted text, click to view]
:
: > Have you run Microsoft Baseline Security Analyser against this machine
to
: > verify your patch level?
: >
: > http://www.microsoft.com/technet/security/tools/mbsahome.mspx
: >
: > Cheers
: > Ken
: >
:
: Thank you for info about MBSA. Yes, there are several critical security
: updates missed. But none of them deal with Notification package failure.
:
: I wrote custom filter to log the content of ALL_RAW server variable during
: headers preprocessing and yesterday got record for my case. Its size is
5679
: and consists of
: the folowwing
: Host: 217.9.80.108
: Authorization: Negotiate
:
YIIQegYGKwYBBQUCoIIQbjCCEGqhghBmI4IQYgOCBAEAQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQ...
:
: What I can do with this info? Send it to Microsoft or what?