Maybe time to run FileMon. John Tolmachoff Engineer/Consultant/Owner eServices For You > -----Original Message----- > From: Amy Babinchak [mailto:amy@xxxxxxxxxxxxxxxxxxxxxxxxxx] > Sent: Wednesday, January 05, 2005 10:37 AM > To: [ISAserver.org Discussion List] > Subject: [isalist] RE: Syn Flood Update > > http://www.ISAserver.org > > Repeatedly. :( > > Amy > > > > > -----Original Message----- > From: John Tolmachoff (Lists) [mailto:johnlist@xxxxxxxxxxxxxxxxxxx] > Sent: Wednesday, January 05, 2005 1:31 PM > To: [ISAserver.org Discussion List] > Subject: [isalist] RE: Syn Flood Update > > http://www.ISAserver.org > > Have you completely checked the server itself for everything, such as > Spyware or Adware? > > John Tolmachoff > Engineer/Consultant/Owner > eServices For You > > > > -----Original Message----- > > From: Amy Babinchak [mailto:amy@xxxxxxxxxxxxxxxxxxxxxxxxxx] > > Sent: Wednesday, January 05, 2005 10:14 AM > > To: [ISAserver.org Discussion List] > > Subject: [isalist] RE: Syn Flood Update > > > > http://www.ISAserver.org > > > > Yes, the problem does stop until I connect remotely, and then it will > > log my IP as the source of tcp syn flood. If I gave you remote access, > > it would show you as the source. > > > > I'm really stumped. > > > > Amy > > > > > > > > -----Original Message----- > > From: John Tolmachoff (Lists) [mailto:johnlist@xxxxxxxxxxxxxxxxxxx] > > Sent: Wednesday, January 05, 2005 12:53 PM > > To: [ISAserver.org Discussion List] > > Subject: [isalist] RE: Syn Flood Update > > > > http://www.ISAserver.org > > > > Amy, have you tried disconnecting the cable from the internal NIC and > > checking to see if the problem continues? > > > > John Tolmachoff > > Engineer/Consultant/Owner > > eServices For You > > > > > > > -----Original Message----- > > > From: Amy Babinchak [mailto:amy@xxxxxxxxxxxxxxxxxxxxxxxxxx] > > > Sent: Wednesday, January 05, 2005 9:41 AM > > > To: [ISAserver.org Discussion List] > > > Subject: [isalist] RE: Syn Flood Update > > > > > > http://www.ISAserver.org > > > > > > Bad news. The IP address change did nothing. The firewall log is > still > > > completely full of tcp syn flooding. The strange thing is that I > > noticed > > > that when I log into the firewall remotely, it shows MY ip address > as > > > the source of the problem, along with a bunch of others. Could this > be > > a > > > configuration problem in the ISP's router? > > > > > > Amy > > > > > > > > > > > > > > > -----Original Message----- > > > From: josephk [mailto:josephk@xxxxxxxxx] > > > Sent: Wednesday, January 05, 2005 10:17 AM > > > To: [ISAserver.org Discussion List] > > > Subject: [isalist] RE: Syn Flood Update > > > > > > http://www.ISAserver.org > > > > > > Hi Amy, > > > > > > What internal software is being used? i.e. > > > 1. SpamLion or other spam processing email program. > > > 2. Any on borad NIC's? (check with vendor for driver updates) > > > 3. http://www.emsisoft.com/en/ is another good Trojan scanner > > > I use a combination of tools > > > 4. Double check all the run, runex and runonce on each of the > > machines. > > > I have a script that can read all the machines on the network > and > > > create > > > A report of those if you would like to give it a try just let me > > > know. > > > > > > Joseph > > > -----Original Message----- > > > From: Amy Babinchak [mailto:amy@xxxxxxxxxxxxxxxxxxxxxxxxxx] > > > Sent: Wednesday, January 05, 2005 5:54 AM > > > To: [ISAserver.org Discussion List] > > > Subject: [isalist] Syn Flood Update > > > > > > http://www.ISAserver.org > > > > > > Ran network monitor looking for high volume of packets coming from > any > > > particular network card. Found nothing. > > > > > > Next we changed to another IP address in our currently allocated > > block. > > > No change in flooding. > > > > > > Asked for an allocation of different IP address block from ISP. Got > > run > > > through the ringer by the ISP telling me that this was all my fault > > and > > > that something on the internal network must be prompting this long > > list > > > of machines in other countries to flood our network or that the > > firewall > > > (non-ISA) is compromised. We're getting the new address block - he > was > > > supposed to deliver yesterday but didn't. I've already scanned each > PC > > > using spybot. I do not believe that there is anything internal > causing > > > this problem. Short of re-imaging every machine is there anything I > > can > > > do to be certain? > > > > > > Amy > > > > > > > > > > > > > > > ------------------------------------------------------ > > > List Archives: http://www.webelists.com/cgi/lyris.pl?enter=isalist > > > ISA Server Newsletter: http://www.isaserver.org/pages/newsletter.asp > > > ISA Server FAQ: http://www.isaserver.org/pages/larticle.asp?type=FAQ > > > ------------------------------------------------------ > > > Other Internet Software Marketing Sites: > > > World of Windows Networking: http://www.windowsnetworking.com > > > Leading Network Software Directory: http://www.serverfiles.com > > > No.1 Exchange Server Resource Site: http://www.msexchange.org > > > Windows Security Resource Site: http://www.windowsecurity.com/ > > > Network Security Library: http://www.secinf.net/ > > > Windows 2000/NT Fax Solutions: http://www.ntfaxfaq.com > > > ------------------------------------------------------ > > > You are currently subscribed to this ISAserver.org Discussion List > as: > > > josephk@xxxxxxxxxxxxxxxxx > > > To unsubscribe visit > > http://www.webelists.com/cgi/lyris.pl?enter=isalist > > > Report abuse to listadmin@xxxxxxxxxxxxx > > > > > > > > > ------------------------------------------------------ > > > List Archives: http://www.webelists.com/cgi/lyris.pl?enter=isalist > > > ISA Server Newsletter: http://www.isaserver.org/pages/newsletter.asp > > > ISA Server FAQ: http://www.isaserver.org/pages/larticle.asp?type=FAQ > > > ------------------------------------------------------ > > > Other Internet Software Marketing Sites: > > > World of Windows Networking: http://www.windowsnetworking.com > > > Leading Network Software Directory: http://www.serverfiles.com > > > No.1 Exchange Server Resource Site: http://www.msexchange.org > > > Windows Security Resource Site: http://www.windowsecurity.com/ > > > Network Security Library: http://www.secinf.net/ > > > Windows 2000/NT Fax Solutions: http://www.ntfaxfaq.com > > > ------------------------------------------------------ > > > You are currently subscribed to this ISAserver.org Discussion List > as: > > > amy@xxxxxxxxxxxxxxxxxxxxxxxxxx > > > To unsubscribe visit > > http://www.webelists.com/cgi/lyris.pl?enter=isalist > > > Report abuse to listadmin@xxxxxxxxxxxxx > > > > > > ------------------------------------------------------ > > > List Archives: http://www.webelists.com/cgi/lyris.pl?enter=isalist > > > ISA Server Newsletter: http://www.isaserver.org/pages/newsletter.asp > > > ISA Server FAQ: http://www.isaserver.org/pages/larticle.asp?type=FAQ > > > ------------------------------------------------------ > > > Other Internet Software Marketing Sites: > > > World of Windows Networking: http://www.windowsnetworking.com > > > Leading Network Software Directory: http://www.serverfiles.com > > > No.1 Exchange Server Resource Site: http://www.msexchange.org > > > Windows Security Resource Site: http://www.windowsecurity.com/ > > > Network Security Library: http://www.secinf.net/ > > > Windows 2000/NT Fax Solutions: http://www.ntfaxfaq.com > > > ------------------------------------------------------ > > > You are currently subscribed to this ISAserver.org Discussion List > as: > > > johnlist@xxxxxxxxxxxxxxxxxxx > > > To unsubscribe visit > > http://www.webelists.com/cgi/lyris.pl?enter=isalist > > > Report abuse to listadmin@xxxxxxxxxxxxx > > > > > > ------------------------------------------------------ > > List Archives: http://www.webelists.com/cgi/lyris.pl?enter=isalist > > ISA Server Newsletter: http://www.isaserver.org/pages/newsletter.asp > > ISA Server FAQ: http://www.isaserver.org/pages/larticle.asp?type=FAQ > > ------------------------------------------------------ > > Other Internet Software Marketing Sites: > > World of Windows Networking: http://www.windowsnetworking.com > > Leading Network Software Directory: http://www.serverfiles.com > > No.1 Exchange Server Resource Site: http://www.msexchange.org > > Windows Security Resource Site: http://www.windowsecurity.com/ > > Network Security Library: http://www.secinf.net/ > > Windows 2000/NT Fax Solutions: http://www.ntfaxfaq.com > > ------------------------------------------------------ > > You are currently subscribed to this ISAserver.org Discussion List as: > > amy@xxxxxxxxxxxxxxxxxxxxxxxxxx > > To unsubscribe visit > http://www.webelists.com/cgi/lyris.pl?enter=isalist > > Report abuse to listadmin@xxxxxxxxxxxxx > > > > ------------------------------------------------------ > > List Archives: http://www.webelists.com/cgi/lyris.pl?enter=isalist > > ISA Server Newsletter: http://www.isaserver.org/pages/newsletter.asp > > ISA Server FAQ: http://www.isaserver.org/pages/larticle.asp?type=FAQ > > ------------------------------------------------------ > > Other Internet Software Marketing Sites: > > World of Windows Networking: http://www.windowsnetworking.com > > Leading Network Software Directory: http://www.serverfiles.com > > No.1 Exchange Server Resource Site: http://www.msexchange.org > > Windows Security Resource Site: http://www.windowsecurity.com/ > > Network Security Library: http://www.secinf.net/ > > Windows 2000/NT Fax Solutions: http://www.ntfaxfaq.com > > ------------------------------------------------------ > > You are currently subscribed to this ISAserver.org Discussion List as: > > johnlist@xxxxxxxxxxxxxxxxxxx > > To unsubscribe visit > http://www.webelists.com/cgi/lyris.pl?enter=isalist > > Report abuse to listadmin@xxxxxxxxxxxxx > > > ------------------------------------------------------ > List Archives: http://www.webelists.com/cgi/lyris.pl?enter=isalist > ISA Server Newsletter: http://www.isaserver.org/pages/newsletter.asp > ISA Server FAQ: http://www.isaserver.org/pages/larticle.asp?type=FAQ > ------------------------------------------------------ > Other Internet Software Marketing Sites: > World of Windows Networking: http://www.windowsnetworking.com > Leading Network Software Directory: http://www.serverfiles.com > No.1 Exchange Server Resource Site: http://www.msexchange.org > Windows Security Resource Site: http://www.windowsecurity.com/ > Network Security Library: http://www.secinf.net/ > Windows 2000/NT Fax Solutions: http://www.ntfaxfaq.com > ------------------------------------------------------ > You are currently subscribed to this ISAserver.org Discussion List as: > amy@xxxxxxxxxxxxxxxxxxxxxxxxxx > To unsubscribe visit http://www.webelists.com/cgi/lyris.pl?enter=isalist > Report abuse to listadmin@xxxxxxxxxxxxx > > ------------------------------------------------------ > List Archives: http://www.webelists.com/cgi/lyris.pl?enter=isalist > ISA Server Newsletter: http://www.isaserver.org/pages/newsletter.asp > ISA Server FAQ: http://www.isaserver.org/pages/larticle.asp?type=FAQ > ------------------------------------------------------ > Other Internet Software Marketing Sites: > World of Windows Networking: http://www.windowsnetworking.com > Leading Network Software Directory: http://www.serverfiles.com > No.1 Exchange Server Resource Site: http://www.msexchange.org > Windows Security Resource Site: http://www.windowsecurity.com/ > Network Security Library: http://www.secinf.net/ > Windows 2000/NT Fax Solutions: http://www.ntfaxfaq.com > ------------------------------------------------------ > You are currently subscribed to this ISAserver.org Discussion List as: > johnlist@xxxxxxxxxxxxxxxxxxx > To unsubscribe visit http://www.webelists.com/cgi/lyris.pl?enter=isalist > Report abuse to listadmin@xxxxxxxxxxxxx