RE: Syn Flood Update

  • From: "John Tolmachoff \(Lists\)" <johnlist@xxxxxxxxxxxxxxxxxxx>
  • To: "'[ISAserver.org Discussion List]'" <isalist@xxxxxxxxxxxxx>
  • Date: Wed, 5 Jan 2005 10:41:01 -0800

Maybe time to run FileMon.

John Tolmachoff
Engineer/Consultant/Owner
eServices For You


> -----Original Message-----
> From: Amy Babinchak [mailto:amy@xxxxxxxxxxxxxxxxxxxxxxxxxx]
> Sent: Wednesday, January 05, 2005 10:37 AM
> To: [ISAserver.org Discussion List]
> Subject: [isalist] RE: Syn Flood Update
> 
> http://www.ISAserver.org
> 
> Repeatedly. :(
> 
> Amy
> 
> 
> 
> 
> -----Original Message-----
> From: John Tolmachoff (Lists) [mailto:johnlist@xxxxxxxxxxxxxxxxxxx]
> Sent: Wednesday, January 05, 2005 1:31 PM
> To: [ISAserver.org Discussion List]
> Subject: [isalist] RE: Syn Flood Update
> 
> Have you completely checked the server itself for everything, such as
> Spyware or Adware?
> 
> John Tolmachoff
> Engineer/Consultant/Owner
> eServices For You
> 
> 
> > -----Original Message-----
> > From: Amy Babinchak [mailto:amy@xxxxxxxxxxxxxxxxxxxxxxxxxx]
> > Sent: Wednesday, January 05, 2005 10:14 AM
> > To: [ISAserver.org Discussion List]
> > Subject: [isalist] RE: Syn Flood Update
> >
> > Yes, the problem does stop until I connect remotely, and then it will
> > log my IP as the source of tcp syn flood. If I gave you remote access,
> > it would show you as the source.
> >
> > I'm really stumped.
> >
> > Amy
> >
> >
> >
> > -----Original Message-----
> > From: John Tolmachoff (Lists) [mailto:johnlist@xxxxxxxxxxxxxxxxxxx]
> > Sent: Wednesday, January 05, 2005 12:53 PM
> > To: [ISAserver.org Discussion List]
> > Subject: [isalist] RE: Syn Flood Update
> >
> > Amy, have you tried disconnecting the cable from the internal NIC and
> > checking to see if the problem continues?
> >
> > John Tolmachoff
> > Engineer/Consultant/Owner
> > eServices For You
> >
> >
> > > -----Original Message-----
> > > From: Amy Babinchak [mailto:amy@xxxxxxxxxxxxxxxxxxxxxxxxxx]
> > > Sent: Wednesday, January 05, 2005 9:41 AM
> > > To: [ISAserver.org Discussion List]
> > > Subject: [isalist] RE: Syn Flood Update
> > >
> > > Bad news. The IP address change did nothing. The firewall log is still
> > > completely full of tcp syn flooding. The strange thing is that I noticed
> > > that when I log into the firewall remotely, it shows MY ip address as
> > > the source of the problem, along with a bunch of others. Could this be a
> > > configuration problem in the ISP's router?
> > >
> > > Amy
> > >
> > >
> > >
> > >
> > > -----Original Message-----
> > > From: josephk [mailto:josephk@xxxxxxxxx]
> > > Sent: Wednesday, January 05, 2005 10:17 AM
> > > To: [ISAserver.org Discussion List]
> > > Subject: [isalist] RE: Syn Flood Update
> > >
> > > Hi Amy,
> > >
> > > What internal software is being used? i.e.
> > > 1. SpamLion or other spam processing email program.
> > > 2. Any onboard NICs? (check with vendor for driver updates)
> > > 3. http://www.emsisoft.com/en/ is another good Trojan scanner
> > >    I use a combination of tools
> > > 4. Double check all the run, runex and runonce on each of the machines.
> > >    I have a script that can read all the machines on the network and create
> > >    a report of those if you would like to give it a try just let me know.
> > >
> > > Joseph
> > > -----Original Message-----
> > > From: Amy Babinchak [mailto:amy@xxxxxxxxxxxxxxxxxxxxxxxxxx]
> > > Sent: Wednesday, January 05, 2005 5:54 AM
> > > To: [ISAserver.org Discussion List]
> > > Subject: [isalist] Syn Flood Update
> > >
> > > Ran network monitor looking for high volume of packets coming from any
> > > particular network card. Found nothing.
> > >
> > > Next we changed to another IP address in our currently allocated block.
> > > No change in flooding.
> > >
> > > Asked for an allocation of different IP address block from ISP. Got run
> > > through the wringer by the ISP telling me that this was all my fault and
> > > that something on the internal network must be prompting this long list
> > > of machines in other countries to flood our network or that the firewall
> > > (non-ISA) is compromised. We're getting the new address block - he was
> > > supposed to deliver yesterday but didn't. I've already scanned each PC
> > > using spybot. I do not believe that there is anything internal causing
> > > this problem. Short of re-imaging every machine is there anything I can
> > > do to be certain?
> > >
> > > Amy
> > >
> > >
> > >
> > >
> > > ------------------------------------------------------
> > > List Archives: http://www.webelists.com/cgi/lyris.pl?enter=isalist
> > > ISA Server Newsletter: http://www.isaserver.org/pages/newsletter.asp
> > > ISA Server FAQ: http://www.isaserver.org/pages/larticle.asp?type=FAQ
> > > ------------------------------------------------------
> > > Other Internet Software Marketing Sites:
> > > World of Windows Networking: http://www.windowsnetworking.com
> > > Leading Network Software Directory: http://www.serverfiles.com
> > > No.1 Exchange Server Resource Site: http://www.msexchange.org
> > > Windows Security Resource Site: http://www.windowsecurity.com/
> > > Network Security Library: http://www.secinf.net/
> > > Windows 2000/NT Fax Solutions: http://www.ntfaxfaq.com
> > > ------------------------------------------------------
> > > You are currently subscribed to this ISAserver.org Discussion List as:
> > > josephk@xxxxxxxxxxxxxxxxx
> > > To unsubscribe visit http://www.webelists.com/cgi/lyris.pl?enter=isalist
> > > Report abuse to listadmin@xxxxxxxxxxxxx
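The autorun-key report suggested in the thread (item 4 of Joseph's list), as an added example: this is not Joseph's script, which does not appear in the thread. It assumes "runex" means the RunOnceEx key, that the Remote Registry service is reachable with administrator rights, and the computer names `PC-01` and `PC-02` are constructed placeholders.

```powershell
# Added example: list autorun entries (Run / RunOnce / RunOnceEx) for each machine.
# Assumption: "runex" in the thread refers to RunOnceEx.
$AutorunSubKeys = @(
    'SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
    'SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce',
    'SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnceEx'
)

function Get-AutorunEntry {
    param([Parameter(Mandatory)][string[]]$ComputerName)

    foreach ($computer in $ComputerName) {
        try {
            $hklm = [Microsoft.Win32.RegistryKey]::OpenRemoteBaseKey('LocalMachine', $computer)
            $hku  = [Microsoft.Win32.RegistryKey]::OpenRemoteBaseKey('Users', $computer)
        } catch {
            # Report unreachable machines instead of silently skipping them.
            [pscustomobject]@{ Computer = $computer; Hive = '-'; Key = '-'
                               Name = 'ERROR'; Command = $_.Exception.Message }
            continue
        }

        # Machine-wide keys plus the same keys under every loaded user hive.
        $targets = foreach ($sub in $AutorunSubKeys) {
            [pscustomobject]@{ Root = $hklm; Hive = 'HKLM'; Path = $sub }
            foreach ($sid in $hku.GetSubKeyNames()) {
                [pscustomobject]@{ Root = $hku; Hive = "HKU\$sid"; Path = "$sid\$sub" }
            }
        }

        foreach ($t in $targets) {
            $key = $t.Root.OpenSubKey($t.Path)
            if ($null -eq $key) { continue }      # key not present in this hive
            foreach ($name in $key.GetValueNames()) {
                [pscustomobject]@{ Computer = $computer; Hive = $t.Hive; Key = $t.Path
                                   Name = $name; Command = $key.GetValue($name) }
            }
            $key.Close()
        }
        $hklm.Close(); $hku.Close()
    }
}

# Constructed host names; replace with the machines to audit.
Get-AutorunEntry -ComputerName 'PC-01', 'PC-02' |
    Export-Csv -NoTypeInformation -Path autoruns.csv
```

Entries stored in subkeys of RunOnceEx and under the 32-bit `Wow6432Node` view are not covered here; compare the resulting CSV across machines and look for commands that appear on only one or two hosts.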