When Conficker causes LSASS to consume high CPU on domain controllers

Original: Conficker causes LSASS to consume CPU Time on Domain Controllers

https://blogs.technet.com/askds/archive/2009/04/16/conficker-causes-lsass-to-consume-cpu-time-on-domain-controllers.aspx


?????? ??(Gautam)???. ? ???? ??? ??? ??? ? ??? ?? ??????.

??? ??? ?????? LSASS? ?? CPU? ???? ????. ? ?? CPU? ??? Conficker? ???? DC? ??? ????? ???? ???? ??????. ??? ????? ???? ??? ??? ??????? ?? 10,000? ???????.

Conficker? ?? ???? ??? ???? ?? ? ????.

??? ???? ???? ??? ? ????. ? ?? ?? ?? ??? ????.

1. ???? ??? ???? ???? ?????.

2. ??? ?? ?????.

3. ?? ???(????? ??? ?) ??? ?? ??? ???? ?????.

?? ???? ??? ???? ??? ?? ?????. ??? ????? ?? CPU? ?? ??? ??? ??? ??? ??? ?? ???? ???? ???.

??

??? ????? CPU ???? ?? ????(??? ?? = 70%???? ??? ???? ???? DC? ????). ??? ?????, ? CPU? ???? LSASS.EXE? ????. Perfmon? ??? ?? CPU ???? ?? ?? ??? ?? ???? ???? ????? ?? ????. ??? ??? ???? ???? ????.

?? ??? ???, ?? CPU ???? Exchange/SharePoint/?? ? AD? ???? ?? ????? ??? ???.

???? ???? ???? ?? ? ??? ????, LSASS? ???? ??? ~1% ???? ?????. ??(Ned Pyle)? ??? ??? ???? ???? ?? ??? ??????.

? ???? ???, ???? ???? ???? LSASS ???? ???? ??? ??????. ?? ???? ??? LSASS? 80%~90%? CPU ???? ?????.

??? ???? ? ??? ????, ???? ??? DC??? ?? ??? ?? ??? ?? ? ????. 100MB? ???? ???? ? ? ?? ???? ?? ???? ??? ???? ?? ?? ?? ????.

? ??? ???, ??? ?? ???? ??? ??? - ?? Netmon 3*? ???? ?? ??? ?????. ?? ??? ??? ???? ??? ????? DC??? ???? ??? ?? ? ?????.

09:54:16.593    192.168.0.1    DC01.CONTOSO.COM    KerberosV5    KerberosV5:AS Request Cname: User1 Realm: CONTOSO.COM Sname: krbtgt/CONTOSO.COM

09:54:16.625    DC01.CONTOSO.COM    192.168.0.1    KerberosV5    KerberosV5:KRB_ERROR - KDC_ERR_PREAUTH_FAILED (24)

OR

09:54:16.531    192.168.0.2    DC01.CONTOSO.COM    TCP    TCP:Flags=......S., SrcPort=4614, DstPort=Microsoft-DS(445), PayloadLen=0, Seq=3314092510, Ack=0, Win=65535 ( ) = 65535

09:54:16.531    DC01.CONTOSO.COM    192.168.0.2    TCP    TCP:Flags=...A..S., SrcPort=Microsoft-DS(445), DstPort=4614, PayloadLen=0, Seq=1831638666, Ack=3314092511, Win=17520 ( Scale factor not supported ) = 17520

09:54:16.531    192.168.0.2    DC01.CONTOSO.COM    TCP    TCP:Flags=...A...., SrcPort=4614, DstPort=Microsoft-DS(445), PayloadLen=0, Seq=3314092511, Ack=1831638667, Win=65535 (scale factor 0x0) = 65535

09:54:16.531    192.168.0.2    DC01.CONTOSO.COM    SMB    SMB:C; Negotiate, Dialect = PC NETWORK PROGRAM 1.0, LANMAN1.0, Windows for Workgroups 3.1a, LM1.2X002, LANMAN2.1, NT LM 0.12

09:54:16.531    DC01.CONTOSO.COM    192.168.0.2    SMB    SMB:R; Negotiate, Dialect is NT LM 0.12 (#5), SpnegoNegTokenInit

09:54:16.578    192.168.0.2    DC01.CONTOSO.COM    SMB    SMB:C; Session Setup Andx, NTLM NEGOTIATE MESSAGE

09:54:16.578    DC01.CONTOSO.COM    192.168.0.2    SMB    SMB:R; Session Setup Andx, NTLM CHALLENGE MESSAGE - NT Status: System - Error, Code = (22) STATUS_MORE_PROCESSING_REQUIRED

09:54:16.593    192.168.0.2    DC01.CONTOSO.COM    TCP    TCP:Flags=...A...F, SrcPort=4614, DstPort=Microsoft-DS(445), PayloadLen=0, Seq=3314092888, Ack=1831639470, Win=64732 (scale factor 0x0) = 64732

09:54:16.593    DC01.CONTOSO.COM    192.168.0.2    TCP    TCP:Flags=...A...F, SrcPort=Microsoft-DS(445), DstPort=4614, PayloadLen=0, Seq=1831639470, Ack=3314092889, Win=17143 (scale factor 0x0) = 17143

09:54:16.593    192.168.0.2    DC01.CONTOSO.COM    TCP    TCP:Flags=...A...., SrcPort=4614, DstPort=Microsoft-DS(445), PayloadLen=0, Seq=3314092889, Ack=1831639471, Win=64732 (scale factor 0x0) = 64732

?? ??? ???? ??? ????, ???? Kerberos KDC_ERR_PREAUTH_FAILED?? ??? ????? ?? ?????. ??? ??? ??? ?? ??? ?? ???? ???, ??? ?? 3~4? ??? LSARPC? ??? ?????.

SPA ???? ??? ?? ?? SAMSRV ?? LSARPC? ??? ????. ??? AD ?? ???? ???? Tim Springston? ???? SPA ??? ?????.

SPA? ???? ???? ?? ???? ??, 3?? ?? ????? ???? ??????. ? ????? ????? MPSReports ??????. ??? ???? ??? ??? ??? ?? ??? ???? ??? ID 529? ???/?? ?? ?????.

?? : ????, ??? ???/???? ? ?? ??? ? ????? ????. ??? ? ????, ??? ????? ???? ?????. ????? ???? ???/???? ?? ? ????? ????.

?? ??

??? ?? ??? ??? ????.

1. ??? ?? ?? ??? ?????. ?? ??? ????? ??? ?? ?????.

2. ??? ????? ?? ??? ?? ??? ??????.

?? ??? ??? ????? ??????, ?? ??? ??? ?? ?? ?? ??? ??? ID 675? ??? ????. ??? ??? 675? ????.

Event Type:    Failure Audit
Event Source:    Security
Event Category:    Account Logon
Event ID:    675
Date:        3/23/2009
Time:        3:03:57 AM
User:        NT AUTHORITY\SYSTEM
Computer:    DC01
Description:
Pre-authentication failed:

    User Name:    User1
    User ID:        %{S-1-5-21-xxxxxxxxxx-xxxxxxxxxx-xxxxxxxxx-xxxxx}
    Service Name:    krbtgt/CONTOSO.COM
    Pre-Authentication Type:    0x2
    Failure Code:    0x18
    Client Address:    192.168.0.100 <- IP of the computer which is throwing the bad credentials

??? DC?? ??? ??? ID((529, 644, 675, 676, 681)? ???? ?? EVENTCOMBMT ????? ??? ??? ??? ?????. 30? ???? ??? ????? ??? 100??? ???? ??? ? ? ????. ??? ???? ? ??? LSASS.EXE CPU ???? ?????? ?????. LSASS? ?? ???? ?? ???? ??? ?? ??? ?????.
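The EventCombMT step above, done by hand in Windows PowerShell as an added example (this is not code from the original AskDS post): it pulls the failure-audit events the post lists (529, 644, 675, 676, 681) from a Windows Server 2003-era DC and ranks the client addresses that sent the bad credentials, so the infected machines behind the LSASS CPU spike stand out. It assumes Windows PowerShell 2.0 on the DC and failure auditing for account logon / logon events enabled; the event text at the bottom is constructed sample data shaped like the 675 event shown above, so the script also runs offline.

```powershell
# Added example, not code from the original post. Rank the sources of bad-credential
# failures on a Windows Server 2003-era DC (event IDs 529, 644, 675, 676, 681).
# Assumptions: Windows PowerShell 2.0 on the DC, failure auditing enabled.

function Get-FailureSource {
    param([string]$Message)
    # 675 reports "Client Address:"; 529/681 report "Source Network Address:" (2003 SP1+)
    # and "Workstation Name:". Take the first label that carries a real value ("-" means none).
    foreach ($label in 'Client Address', 'Source Network Address', 'Workstation Name') {
        if ($Message -match "(?m)^\s*${label}:\s*(\S+)" -and $Matches[1] -ne '-') {
            return $Matches[1]
        }
    }
    return 'unknown'
}

function Get-FailureUser {
    param([string]$Message)
    # Anchored at line start so "Caller User Name:" in a 529 event is not picked up.
    if ($Message -match "(?m)^\s*User Name:\s*(\S+)") { return $Matches[1] }
    return 'unknown'
}

function Measure-FailureSources {
    # One row per source, ordered by the number of failures it caused; a source that
    # fails against many distinct accounts is the worm walking its password list.
    param([string[]]$Messages, [int]$Top = 20)
    $rows = foreach ($m in $Messages) {
        New-Object PSObject -Property @{
            Source = Get-FailureSource $m
            User   = Get-FailureUser $m
        }
    }
    $rows | Group-Object Source | ForEach-Object {
        New-Object PSObject -Property @{
            Source        = $_.Name
            Failures      = $_.Count
            DistinctUsers = @($_.Group | Select-Object -ExpandProperty User -Unique).Count
        }
    } | Sort-Object Failures -Descending | Select-Object -First $Top
}

# Live use on the DC: the last N minutes of failure audits for the IDs the post names.
# On Windows Server 2008 and later the equivalents are 4771, 4625 and 4776 (use Get-WinEvent).
function Get-RecentBadCredentialSources {
    param([int]$Minutes = 30)
    $ids  = 529, 644, 675, 676, 681
    $msgs = Get-EventLog -LogName Security -EntryType FailureAudit -After (Get-Date).AddMinutes(-$Minutes) |
        Where-Object { $ids -contains $_.EventID } |
        ForEach-Object { $_.Message }
    Measure-FailureSources -Messages @($msgs)
}

# Constructed sample events (shaped like the 675 and 529 message bodies) for an offline run.
$sample = @(
    "Pre-authentication failed:`r`n`tUser Name:`tUser1`r`n`tService Name:`tkrbtgt/CONTOSO.COM`r`n`tFailure Code:`t0x18`r`n`tClient Address:`t192.168.0.100",
    "Pre-authentication failed:`r`n`tUser Name:`tUser2`r`n`tService Name:`tkrbtgt/CONTOSO.COM`r`n`tFailure Code:`t0x18`r`n`tClient Address:`t192.168.0.100",
    "Pre-authentication failed:`r`n`tUser Name:`tUser1`r`n`tService Name:`tkrbtgt/CONTOSO.COM`r`n`tFailure Code:`t0x18`r`n`tClient Address:`t192.168.0.100",
    "Logon Failure:`r`n`tReason:`tUnknown user name or bad password`r`n`tUser Name:`tAdministrator`r`n`tWorkstation Name:`tWS07`r`n`tCaller User Name:`t-`r`n`tSource Network Address:`t192.168.0.2",
    "Pre-authentication failed:`r`n`tUser Name:`tUser3`r`n`tService Name:`tkrbtgt/CONTOSO.COM`r`n`tFailure Code:`t0x18`r`n`tClient Address:`t10.0.0.9"
)
Measure-FailureSources -Messages $sample | Format-Table Source, Failures, DistinctUsers -AutoSize
```

On the sample data 192.168.0.100 comes out on top with three failures across two accounts; on a real DC the top rows of Get-RecentBadCredentialSources are the machines to pull off the network and clean. Parsing the message text by label rather than by insertion-string index keeps the script working across the slightly different 529 layouts of Windows 2000 and 2003 SP1+.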

???

??? ????? ??? ??(?? ???? ???? ???? ???? ??)? ??(???? ?? ??? ???)? ??? ??? ?????. ?? ????? ?????, SPA? Netmon ???? ??? ? ??, Conficker? ??? ??? ? ????. ??????? ?? ?? ??? ??????? ??, ????, ????, ???? ??? ????? LSASS CPU ???? ??? ?? ? ????.

?? LSASS CPU? ????? ?? ????? ????? ????? ????, ?? ???? DC ?? ???? ?? ?? ????? ???? ?????. ??? ? ?? ??? ???? ??? ? ????. ???, ???, ??? ???? ??? ???? Conficker? ??? ???? ?? ?????.

???? ??? ??? ?? ??? ??? ???? ??? ???? ? ?? ???.

Gautam Anand