The attacks typically run about one to two user id's per second. Some attempts have run as long as 7 hours from one IP. Then it will stop for a few hours and start in again from another apparently unrelated IP. They always seem to go through a library of common user names, usually in alphabetical order. So far I don't think there have been any hits because we don't use common names. It appears to be a bot of some sort.
This is an IIS server. I'll check if it has a way to limit the number of attempts from one IP.
IIS Doesn't have a way to do this; you'll need to look at a more advanced FTP Server program, like Gene6 FTP (it's got some good security features, and is fairly inexpensive). I've never seen dictionary attacks detected as portscans, etc. in my experience. Best way to address this is on the FTP server side.
