Unplug the internal network from the firewall. If something internal is doing it, that would be the best way to figure it out. Or it'll point to an external threat or a flaw in the firmware of your current firewall. (it was a linksys or something like that, wasn't it?) 6 hours of downtime for the network vs X number of days imaging every machine and working out the bugs/user issues/complaints/lost data....... Personally, the 6 hours (or 4 hrs or 2hrs)of down time in non-invasive and the network can be put back exactly the way it was. Good luck with whatever you pick. It's a real toss up. Troy -----Original Message----- From: Amy Babinchak [mailto:amy@xxxxxxxxxxxxxxxxxxxxxxxxxx] Sent: Wednesday, January 05, 2005 7:54 AM To: [ISAserver.org Discussion List] Subject: [isalist] Syn Flood Update http://www.ISAserver.org Ran network monitor looking for high volume of packets coming from any particular network card. Found nothing. Next we changed to another IP address in our currently allocated block. No change in flooding. Asked for an allocation of different IP address block from ISP. Got run through the ringer by the ISP telling me that this was all my fault and that something on the internal network must be prompting this long list of machines in other countries to flood our network or that the firewall (non-ISA) is compromised. We're getting the new address block - he was supposed to deliver yesterday but didn't. I've already scanned each PC using spybot. I do not believe that there is anything internal causing this problem. Short of re-imaging every machine is there anything I can do to be certain? Amy ------------------------------------------------------ List Archives: http://www.webelists.com/cgi/lyris.pl?enter=isalist ISA Server Newsletter: http://www.isaserver.org/pages/newsletter.asp ISA Server FAQ: http://www.isaserver.org/pages/larticle.asp?type=FAQ ------------------------------------------------------ Other Internet Software Marketing Sites: World of Windows Networking: http://www.windowsnetworking.com Leading Network Software Directory: http://www.serverfiles.com No.1 Exchange Server Resource Site: http://www.msexchange.org Windows Security Resource Site: http://www.windowsecurity.com/ Network Security Library: http://www.secinf.net/ Windows 2000/NT Fax Solutions: http://www.ntfaxfaq.com ------------------------------------------------------ You are currently subscribed to this ISAserver.org Discussion List as: tradtke@xxxxxxxxxxxx To unsubscribe visit http://www.webelists.com/cgi/lyris.pl?enter=isalist Report abuse to listadmin@xxxxxxxxxxxxx