VONE DOS-ing VBR

[mdiver]

In a customer environment we're facing the issue that a VeeamONE server trying to federate a Veeam Backup and Replication server is effectively running a denial of service attack against this VBR server (Case #07651429).

Once configured on VONE side, the VBR server almost stops responding and can no longer run backups because of CPU and especially HDD writes overloading the system. The ressource consumption could be traced back to LSASS.EXE. Having enabled the security audit protocol on the VBR server, we can see logins multiple times in every second from the VONE service account leading to a "Credential Validation" (event ID 4776) with the VONE server as the source.
Once I stop the VONE monitoring service, everything is back to normal.
We cross checked the service account's password several times already.
It is correct and can be used for a remote logon manually.

Does anyone have an idea on what might be going on here?
Also it is alarming that a VBR server can be DOS'ed effectively from a remote system to being non-functional.

Thanks,
Mike

[jorgedlcruz]

Hello,
Thank you for the support case. I can see it was opened yesterday and there has been activity already including today. I would probably recommend keep working with the Support Engineers.

I think as per this article, it is a Microsoft expected behavior when the credentials are wrong, it might happen with any other app that tries to connect programmatically: https://www.veeam.com/kb2276

We will monitor it from our side. I hope a resolution happens soon.

[mdiver]

Just an update: call is still in process. Support could validate that VONE is responsible for the DoS to VBR.
Reason still unclear. I will follow up.

Thanks,
Mike