>>>Is 80K records for today in Application Event Viewer for MSSQLServer a clear indication of someone trying to hack the server and therefore bringing down the resources?
>>
>>Are those event records failed logins? I've seen that many times when people are working to guess the sa password. Your sa account will get locked out because of the failed attempts, by the way.
>>
>
>Yes, they are all failed logins.
>
>>First thing to do if possible is make sure TCP port 1433 is not allowed in through the corporate firewall. If your DMZ or otherwise external web server or outside client has to connect to the SQL server, make rules on the firewall or router to only allow 1433 in to the SQL server from specific IP addresses.
>
>Can you please elaborate on this? What exactly should I do?
>
>Thanks a lot in advance.

This depends on your network configuration and where the SQL clients are.

If all your SQL clients are inside your network perimeter (on the same side of the firewall as SQL Server, then just set your firewall to NOT allow inbound port 1433.

If you have clients outside your firewall, then your firewall should use publishing rules (microsoft terminology - YMMV) that only allow port 1433 to the SQL Server from specific external IP addresses. Whomever is in charge of your firewall should be able to handle that easily.

If you are still working on this tomorrow, I'll be in my home office and you can give me a call and I'll try to give more specific help. Let me know tomorrow and I'll shoot you my office phone # if you need it.