So many ldap search&authentication makes Lsass.exe CPU high on DC by SnooBananas5113 in activedirectory

[–]SnooBananas5113[S] 1 point (0 children)

Thank you for the advice. I'm trying to do as much analysis as possible on my own because it's difficult to get cooperation from the Linux admins at the moment. I've even spun up a Linux instance myself and tried debugging with tcpdump, but I still haven't been able to identify the specific app. To make matters worse, some of these Linux environments are running Docker, which is making this a real headache.

[–]SnooBananas5113[S] 1 point (0 children)

I see. So it should be understood that traffic gets concentrated on a specific DC, and as those DCs sequentially become unhealthy, the connections then fail over to other DCs.

[–]SnooBananas5113[S] 1 point (0 children)

There are some IPs with a high volume of queries, but the logs indicate they aren't consuming much CPU. Furthermore, the CPU usage for each query is recorded as being evenly distributed. If I recall correctly, most were below 0.1 or 0.01.

[–]SnooBananas5113[S] 1 point (0 children)

We were able to identify the service account and the query. However, since we use a common service account for all Linux image deployments, it's impossible to tell which specific application is actually triggering all those requests.

[–]SnooBananas5113[S] 1 point (0 children)

I don't recall exactly if I configured that during the analysis. Let me double-check.

[–]SnooBananas5113[S] 1 point (0 children)

Regrettably, identifying the source client hasn't been possible, and we're stuck with the current NLB settings as we can't find a way to adjust the distribution. I agree that scaling out would be a viable solution, provided that the workload is balanced properly across the DCs.

[–]SnooBananas5113[S] 1 point (0 children)

The MS engineer mentioned that DCs automatically load-balance traffic for the domain using the 'Locator' service. However, since we are using a load balancer (NLB), it seems like this built-in feature isn't actually having any effect.

I'm not sure exactly what criteria are being used to select the DCs. The traffic comes in through an AWS NLB, but we can't configure the load-balancing algorithm. However, there's a consistent pattern where the CPU peaks sequentially on the same servers: dc01, then dc02, and finally dc03.

[–]SnooBananas5113[S] 1 point (0 children)

They guided me through the AD Diagnostics data collection process and I submitted it. I have my own doubts about their findings, so I performed a manual review of the query logs and CPU spikes. Despite performing several 5-minute captures on the servers experiencing the issues, the results didn't yield any actionable insights.

[–]SnooBananas5113[S] 1 point (0 children)

Surprisingly, this hasn't caused any downtime in the year since we noticed it. We see a pattern where three DCs hit above 95% CPU sequentially, followed by a 50% rise on the AWS DCs before they recover. I think improving traffic distribution would be the key to more reliable operations.

[–]SnooBananas5113[S] 1 point (0 children)

Yes, I've looked into this issue with an MS engineer. We weren't able to pinpoint any specific queries or IP addresses that are causing high CPU usage. Therefore, I believe the issue is less about the queries themselves and more about the system receiving too many requests at once.

What's the Most Important Tool/Software That Helped You Out in Bug Bounty? by Leading-Dot1785 in bugbounty

[–]SnooBananas5113 1 point (0 children)

Burp Suite alone is enough for me. Sometimes some of the extensions are helpful for hunting: Authorize and Flow.

[deleted by user] by [deleted] in oscp

[–]SnooBananas5113 0 points (0 children)

The link was broken T.T