This website uses Cookies. Click Accept to agree to our website's cookie use as described in our Privacy Policy. Click Preferences to customize your cookie settings.
Accept
Reject
Preferences
ABOUT CHECKMATES CYBER SECURITY COMMUNITY & FAQ
Create a Post
Help
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 

Are you a member of CheckMates?

×
Sign in with your Check Point UserCenter/PartnerMap account to access more great content and get a chance to win some Apple AirPods! If you don't have an account, create one now for free!
Juergen_Blumens
Participant
yesterday

Coordinated global attack against Checkpoint VPN?

Hello colleagues,

We have been experiencing a massive distributed attack against our Endpoint VPN access over the last few weeks. Login attempts are being made from various source IP addresses. Even known usernames are being used. caseyb describes this attack here https://community.checkpoint.com/t5/General-Topics/R81-20-Jumbo-Hotfix-Accumulator-take-96-has-been-..., which I also see here.

Unfortunately, the technical defense measures are limited, as the attacker tries different user accounts from one IP. We need a solution that blocks failed login attempts with different user accounts from the same IP.

Question to the community: Do you also see failed login attempts in your logs, for example from the IP 138.124.184.205?

Greetings
Juergen

0 Kudos
10 Replies
G_W_Albrecht
Legend Legend
Legend
yesterday

What about using certificate authentication ? Username/PW is rather very old-fashioned...

CCSP - CCSE / CCTE / CTPS / CCME / CCSM Elite / SMB Specialist
0 Kudos
Juergen_Blumens
Participant
yesterday
In response to G_W_Albrecht

No, we had that in the past. The administrative effort is too high. Security also depends on how passwords are composed.

0 Kudos
G_W_Albrecht
Legend Legend
Legend
yesterday
In response to Juergen_Blumens

I see.

CCSP - CCSE / CCTE / CTPS / CCME / CCSM Elite / SMB Specialist
0 Kudos
CaseyB
Advisor
yesterday
In response to G_W_Albrecht

We have not really explored certificate authentication for the Endpoint VPN, I would like to imagine administrative overhead issues with that as well, but I could be mistaken.

We do have MFA on the VPN, so I'm not as concerned.

0 Kudos
Wolfgang
Authority
Authority
yesterday

@Juergen_Blumens how about using SmartEvent ? You can define as an example an action to block the source IP for the next hour.

Screenshot 2025-01-08 134327.png

0 Kudos
the_rock
Legend
Legend
yesterday

If you know the IP does not change, I would use SAM rule to block it, its instant and you dont even need to install policy.

Andy

0 Kudos
Juergen_Blumens
Participant
yesterday
In response to the_rock

The problem is that it is a distributed attack from around 60 different IP addresses that are distributed worldwide. It's not easy to detect the attacker in the logs at first, then I have to configure the drop afterwards. Until then, the attacker comes from other IPs. That's why I want to request the new feature from sk182087 not only on a user-specific basis, but also to block the Source IP in the event of several unsuccessful login attempts within a short period of time.

At first I thought this was just an attack against us, but after CaseyB's screenshot I can see that the same attacker is trying it on other Checkpoint firewalls at the same time. Can you take a look on your logs, do you also see failed login attempts from the IP 138.124.184.205?

0 Kudos
the_rock
Legend
Legend
yesterday
In response to Juergen_Blumens

I understand what you mean. Just checked, dont see anything for that IP for the last year.

Andy

0 Kudos
PhoneBoy
Admin
Admin
yesterday

Based on https://support.checkpoint.com/results/sk/sk182087 this behavior is by design.
Specifically: "The main motivation behind not to remember only a public IP address is to avoid collective DoS attacks that might block multiple Remote Access VPN users, who may connect from behind the same NAT device."

0 Kudos
Juergen_Blumens
Participant
3 hours ago
In response to PhoneBoy

You're right about that. However, it should still be possible to select for incorrect login attempts within a narrowly defined period. Real users do not have so many failed attempts.

Leaderboard

Epsum factorial non deposit quid pro quo hic escorol.

View All ≫
Upcoming Events

    CheckMates Events