
I have set up a Windows 2016 server for remote desktop access, and installed RDPGuard to block brute force attacks. This worked well for a few days and RDPGuard blocked out a number of IP addresses.

However, a few days ago I noticed RDPGuard skipped some login attempts as the source address was the server's IP address. This has now grown to where I am seeing a couple of login attempts per second where the source address is the server's IP; the login names used are coming from a dictionary of names, e.g. JOHN, CARMEN, LISA, etc. There are still occasional attempts from other IP addresses but the majority use the local IP address. Event Viewer shows the same info as RDPGuard, i.e. the local IP as the source address, so it does not appear to be a fault with RDPGuard.

Would anyone know how the attacker is spoofing our server's IP, and how to prevent this?

Pothi Kalimuthu

Laurence

1 Answer


Problem solved - we are also using Ericom's AccessNow product, and we found failed attempts logging in from here result in the server IP address being the source as the originating IP is unavailable. This wasn't occurring on our previous server with AccessNow so perhaps a configuration change is to blame.

Laurence