RE: Syn Flood Update

• From: "Ruba Al Omari" <romari@xxxxxxxxxxxxxxxxx>
• To: "[ISAserver.org Discussion List]" <isalist@xxxxxxxxxxxxx>
• Date: Thu, 6 Jan 2005 09:25:25 +0300

Hi Amy,

Do you have an email server in your network that has its traffic going
through this connection? If yes please try creating another instance of
the SMTP virtual server. 
One time we had a client with a similar situation who we scanned his
email server using online virus scanner even, and it was clean and the
queue was clean, and he was not an open relay, but only when we created
a new SMTP instance and stopped the old instance did the traffic stop
(which took 2 minutes in oppose to hours we spent in troubleshooting),
its something inside the system that is triggering this traffic.

Do you have ACL at your router? And the ISP has ACL at their end of the
router? Because even if you have it and the ISP doesn't it will be of no
use if the traffic already used the band width from the ISP to you.

Good luck
r.

 -----Original Message-----
From: TRadtke@xxxxxxxxxxxx [mailto:TRadtke@xxxxxxxxxxxx] 
Sent: Wednesday, January 05, 2005 10:09 PM
To: [ISAserver.org Discussion List]
Subject: [isalist] RE: Syn Flood Update

http://www.ISAserver.org

Your firewall system.  It stands to reason that since any incoming
system
shows up in the logs with syn floods that maybe the system is not
handling
the protocol correctly.

-----Original Message-----
From: Amy Babinchak [mailto:amy@xxxxxxxxxxxxxxxxxxxxxxxxxx] 
Sent: Wednesday, January 05, 2005 12:49 PM
To: [ISAserver.org Discussion List]
Subject: [isalist] RE: Syn Flood Update


http://www.ISAserver.org

Which system? 

Amy
 
 
-----Original Message-----
From: TRadtke@xxxxxxxxxxxx [mailto:TRadtke@xxxxxxxxxxxx] 
Sent: Wednesday, January 05, 2005 1:43 PM
To: [ISAserver.org Discussion List]
Subject: [isalist] RE: Syn Flood Update

http://www.ISAserver.org

Have you tried reloading TCP/IP on the system in case you have an issue
with
a corrupt stack?

-----Original Message-----
From: Amy Babinchak [mailto:amy@xxxxxxxxxxxxxxxxxxxxxxxxxx] 
Sent: Wednesday, January 05, 2005 12:37 PM
To: [ISAserver.org Discussion List]
Subject: [isalist] RE: Syn Flood Update


http://www.ISAserver.org

Repeatedly. :(

Amy
 
 
 

-----Original Message-----
From: John Tolmachoff (Lists) [mailto:johnlist@xxxxxxxxxxxxxxxxxxx] 
Sent: Wednesday, January 05, 2005 1:31 PM
To: [ISAserver.org Discussion List]
Subject: [isalist] RE: Syn Flood Update

http://www.ISAserver.org

Have you completely checked the server itself for everything, such as
Spyware or Adware?

John Tolmachoff
Engineer/Consultant/Owner
eServices For You


> -----Original Message-----
> From: Amy Babinchak [mailto:amy@xxxxxxxxxxxxxxxxxxxxxxxxxx]
> Sent: Wednesday, January 05, 2005 10:14 AM
> To: [ISAserver.org Discussion List]
> Subject: [isalist] RE: Syn Flood Update
> 
> http://www.ISAserver.org
> 
> Yes, the problem does stop until I connect remotely, and then it will
> log my IP as the source of tcp syn flood. If I gave you remote access,
> it would show you as the source.
> 
> I'm really stumped.
> 
> Amy
> 
> 
> 
> -----Original Message-----
> From: John Tolmachoff (Lists) [mailto:johnlist@xxxxxxxxxxxxxxxxxxx]
> Sent: Wednesday, January 05, 2005 12:53 PM
> To: [ISAserver.org Discussion List]
> Subject: [isalist] RE: Syn Flood Update
> 
> http://www.ISAserver.org
> 
> Amy, have you tried disconnecting the cable from the internal NIC and
> checking to see if the problem continues?
> 
> John Tolmachoff
> Engineer/Consultant/Owner
> eServices For You
> 
> 
> > -----Original Message-----
> > From: Amy Babinchak [mailto:amy@xxxxxxxxxxxxxxxxxxxxxxxxxx]
> > Sent: Wednesday, January 05, 2005 9:41 AM
> > To: [ISAserver.org Discussion List]
> > Subject: [isalist] RE: Syn Flood Update
> >
> > http://www.ISAserver.org
> >
> > Bad news. The IP address change did nothing. The firewall log is
still
> > completely full of tcp syn flooding. The strange thing is that I
> noticed
> > that when I log into the firewall remotely, it shows MY ip address
as
> > the source of the problem, along with a bunch of others. Could this
be
> a
> > configuration problem in the ISP's router?
> >
> > Amy
> >
> >
> >
> >
> > -----Original Message-----
> > From: josephk [mailto:josephk@xxxxxxxxx]
> > Sent: Wednesday, January 05, 2005 10:17 AM
> > To: [ISAserver.org Discussion List]
> > Subject: [isalist] RE: Syn Flood Update
> >
> > http://www.ISAserver.org
> >
> > Hi Amy,
> >
> > What internal software is being used? i.e.
> > 1. SpamLion or other spam processing email program.
> > 2. Any on borad NIC's? (check with vendor for driver updates)
> > 3. http://www.emsisoft.com/en/ is another good Trojan scanner
> >    I use a combination of tools
> > 4.  Double check all the run, runex and runonce on each of the
> machines.
> >     I have a script that can read all the machines on the network
and
> > create
> >     A report of those if you would like to give it a try just let me
> > know.
> >
> > Joseph
> > -----Original Message-----
> > From: Amy Babinchak [mailto:amy@xxxxxxxxxxxxxxxxxxxxxxxxxx]
> > Sent: Wednesday, January 05, 2005 5:54 AM
> > To: [ISAserver.org Discussion List]
> > Subject: [isalist] Syn Flood Update
> >
> > http://www.ISAserver.org
> >
> > Ran network monitor looking for high volume of packets coming from
any
> > particular network card. Found nothing.
> >
> > Next we changed to another IP address in our currently allocated
> block.
> > No change in flooding.
> >
> > Asked for an allocation of different IP address block from ISP. Got
> run
> > through the ringer by the ISP telling me that this was all my fault
> and
> > that something on the internal network must be prompting this long
> list
> > of machines in other countries to flood our network or that the
> firewall
> > (non-ISA) is compromised. We're getting the new address block - he
was
> > supposed to deliver yesterday but didn't. I've already scanned each
PC
> > using spybot. I do not believe that there is anything internal
causing
> > this problem. Short of re-imaging every machine is there anything I
> can
> > do to be certain?
> >
> > Amy
> >
> >
> >
> >
> > ------------------------------------------------------
> > List Archives: http://www.webelists.com/cgi/lyris.pl?enter=isalist
> > ISA Server Newsletter: http://www.isaserver.org/pages/newsletter.asp
> > ISA Server FAQ: http://www.isaserver.org/pages/larticle.asp?type=FAQ
> > ------------------------------------------------------
> > Other Internet Software Marketing Sites:
> > World of Windows Networking: http://www.windowsnetworking.com
> > Leading Network Software Directory: http://www.serverfiles.com
> > No.1 Exchange Server Resource Site: http://www.msexchange.org
> > Windows Security Resource Site: http://www.windowsecurity.com/
> > Network Security Library: http://www.secinf.net/
> > Windows 2000/NT Fax Solutions: http://www.ntfaxfaq.com
> > ------------------------------------------------------
> > You are currently subscribed to this ISAserver.org Discussion List
as:
> > josephk@xxxxxxxxxxxxxxxxx
> > To unsubscribe visit
> http://www.webelists.com/cgi/lyris.pl?enter=isalist
> > Report abuse to listadmin@xxxxxxxxxxxxx
> >
> >
> > ------------------------------------------------------
> > List Archives: http://www.webelists.com/cgi/lyris.pl?enter=isalist
> > ISA Server Newsletter: http://www.isaserver.org/pages/newsletter.asp
> > ISA Server FAQ: http://www.isaserver.org/pages/larticle.asp?type=FAQ
> > ------------------------------------------------------
> > Other Internet Software Marketing Sites:
> > World of Windows Networking: http://www.windowsnetworking.com
> > Leading Network Software Directory: http://www.serverfiles.com
> > No.1 Exchange Server Resource Site: http://www.msexchange.org
> > Windows Security Resource Site: http://www.windowsecurity.com/
> > Network Security Library: http://www.secinf.net/
> > Windows 2000/NT Fax Solutions: http://www.ntfaxfaq.com
> > ------------------------------------------------------
> > You are currently subscribed to this ISAserver.org Discussion List
as:
> > amy@xxxxxxxxxxxxxxxxxxxxxxxxxx
> > To unsubscribe visit
> http://www.webelists.com/cgi/lyris.pl?enter=isalist
> > Report abuse to listadmin@xxxxxxxxxxxxx
> >
> > ------------------------------------------------------
> > List Archives: http://www.webelists.com/cgi/lyris.pl?enter=isalist
> > ISA Server Newsletter: http://www.isaserver.org/pages/newsletter.asp
> > ISA Server FAQ: http://www.isaserver.org/pages/larticle.asp?type=FAQ
> > ------------------------------------------------------
> > Other Internet Software Marketing Sites:
> > World of Windows Networking: http://www.windowsnetworking.com
> > Leading Network Software Directory: http://www.serverfiles.com
> > No.1 Exchange Server Resource Site: http://www.msexchange.org
> > Windows Security Resource Site: http://www.windowsecurity.com/
> > Network Security Library: http://www.secinf.net/
> > Windows 2000/NT Fax Solutions: http://www.ntfaxfaq.com
> > ------------------------------------------------------
> > You are currently subscribed to this ISAserver.org Discussion List
as:
> > johnlist@xxxxxxxxxxxxxxxxxxx
> > To unsubscribe visit
> http://www.webelists.com/cgi/lyris.pl?enter=isalist
> > Report abuse to listadmin@xxxxxxxxxxxxx
> 
> 
> ------------------------------------------------------
> List Archives: http://www.webelists.com/cgi/lyris.pl?enter=isalist
> ISA Server Newsletter: http://www.isaserver.org/pages/newsletter.asp
> ISA Server FAQ: http://www.isaserver.org/pages/larticle.asp?type=FAQ
> ------------------------------------------------------
> Other Internet Software Marketing Sites:
> World of Windows Networking: http://www.windowsnetworking.com
> Leading Network Software Directory: http://www.serverfiles.com
> No.1 Exchange Server Resource Site: http://www.msexchange.org
> Windows Security Resource Site: http://www.windowsecurity.com/
> Network Security Library: http://www.secinf.net/
> Windows 2000/NT Fax Solutions: http://www.ntfaxfaq.com
> ------------------------------------------------------
> You are currently subscribed to this ISAserver.org Discussion List as:
> amy@xxxxxxxxxxxxxxxxxxxxxxxxxx
> To unsubscribe visit
http://www.webelists.com/cgi/lyris.pl?enter=isalist
> Report abuse to listadmin@xxxxxxxxxxxxx
> 
> ------------------------------------------------------
> List Archives: http://www.webelists.com/cgi/lyris.pl?enter=isalist
> ISA Server Newsletter: http://www.isaserver.org/pages/newsletter.asp
> ISA Server FAQ: http://www.isaserver.org/pages/larticle.asp?type=FAQ
> ------------------------------------------------------
> Other Internet Software Marketing Sites:
> World of Windows Networking: http://www.windowsnetworking.com
> Leading Network Software Directory: http://www.serverfiles.com
> No.1 Exchange Server Resource Site: http://www.msexchange.org
> Windows Security Resource Site: http://www.windowsecurity.com/
> Network Security Library: http://www.secinf.net/
> Windows 2000/NT Fax Solutions: http://www.ntfaxfaq.com
> ------------------------------------------------------
> You are currently subscribed to this ISAserver.org Discussion List as:
> johnlist@xxxxxxxxxxxxxxxxxxx
> To unsubscribe visit
http://www.webelists.com/cgi/lyris.pl?enter=isalist
> Report abuse to listadmin@xxxxxxxxxxxxx


------------------------------------------------------
List Archives: http://www.webelists.com/cgi/lyris.pl?enter=isalist
ISA Server Newsletter: http://www.isaserver.org/pages/newsletter.asp
ISA Server FAQ: http://www.isaserver.org/pages/larticle.asp?type=FAQ
------------------------------------------------------
Other Internet Software Marketing Sites:
World of Windows Networking: http://www.windowsnetworking.com
Leading Network Software Directory: http://www.serverfiles.com
No.1 Exchange Server Resource Site: http://www.msexchange.org
Windows Security Resource Site: http://www.windowsecurity.com/
Network Security Library: http://www.secinf.net/
Windows 2000/NT Fax Solutions: http://www.ntfaxfaq.com
------------------------------------------------------
You are currently subscribed to this ISAserver.org Discussion List as:
amy@xxxxxxxxxxxxxxxxxxxxxxxxxx
To unsubscribe visit http://www.webelists.com/cgi/lyris.pl?enter=isalist
Report abuse to listadmin@xxxxxxxxxxxxx

------------------------------------------------------
List Archives: http://www.webelists.com/cgi/lyris.pl?enter=isalist
ISA Server Newsletter: http://www.isaserver.org/pages/newsletter.asp
ISA Server FAQ: http://www.isaserver.org/pages/larticle.asp?type=FAQ
------------------------------------------------------
Other Internet Software Marketing Sites:
World of Windows Networking: http://www.windowsnetworking.com
Leading Network Software Directory: http://www.serverfiles.com
No.1 Exchange Server Resource Site: http://www.msexchange.org
Windows Security Resource Site: http://www.windowsecurity.com/
Network Security Library: http://www.secinf.net/
Windows 2000/NT Fax Solutions: http://www.ntfaxfaq.com
------------------------------------------------------
You are currently subscribed to this ISAserver.org Discussion List as:
tradtke@xxxxxxxxxxxx
To unsubscribe visit http://www.webelists.com/cgi/lyris.pl?enter=isalist
Report abuse to listadmin@xxxxxxxxxxxxx

------------------------------------------------------
List Archives: http://www.webelists.com/cgi/lyris.pl?enter=isalist
ISA Server Newsletter: http://www.isaserver.org/pages/newsletter.asp
ISA Server FAQ: http://www.isaserver.org/pages/larticle.asp?type=FAQ
------------------------------------------------------
Other Internet Software Marketing Sites:
World of Windows Networking: http://www.windowsnetworking.com
Leading Network Software Directory: http://www.serverfiles.com
No.1 Exchange Server Resource Site: http://www.msexchange.org
Windows Security Resource Site: http://www.windowsecurity.com/
Network Security Library: http://www.secinf.net/
Windows 2000/NT Fax Solutions: http://www.ntfaxfaq.com
------------------------------------------------------
You are currently subscribed to this ISAserver.org Discussion List as:
amy@xxxxxxxxxxxxxxxxxxxxxxxxxx
To unsubscribe visit http://www.webelists.com/cgi/lyris.pl?enter=isalist
Report abuse to listadmin@xxxxxxxxxxxxx

------------------------------------------------------
List Archives: http://www.webelists.com/cgi/lyris.pl?enter=isalist
ISA Server Newsletter: http://www.isaserver.org/pages/newsletter.asp
ISA Server FAQ: http://www.isaserver.org/pages/larticle.asp?type=FAQ
------------------------------------------------------
Other Internet Software Marketing Sites:
World of Windows Networking: http://www.windowsnetworking.com
Leading Network Software Directory: http://www.serverfiles.com
No.1 Exchange Server Resource Site: http://www.msexchange.org
Windows Security Resource Site: http://www.windowsecurity.com/
Network Security Library: http://www.secinf.net/
Windows 2000/NT Fax Solutions: http://www.ntfaxfaq.com
------------------------------------------------------
You are currently subscribed to this ISAserver.org Discussion List as:
tradtke@xxxxxxxxxxxx
To unsubscribe visit http://www.webelists.com/cgi/lyris.pl?enter=isalist
Report abuse to listadmin@xxxxxxxxxxxxx

------------------------------------------------------
List Archives: http://www.webelists.com/cgi/lyris.pl?enter=isalist
ISA Server Newsletter: http://www.isaserver.org/pages/newsletter.asp
ISA Server FAQ: http://www.isaserver.org/pages/larticle.asp?type=FAQ
------------------------------------------------------
Other Internet Software Marketing Sites:
World of Windows Networking: http://www.windowsnetworking.com
Leading Network Software Directory: http://www.serverfiles.com
No.1 Exchange Server Resource Site: http://www.msexchange.org
Windows Security Resource Site: http://www.windowsecurity.com/
Network Security Library: http://www.secinf.net/
Windows 2000/NT Fax Solutions: http://www.ntfaxfaq.com
------------------------------------------------------
You are currently subscribed to this ISAserver.org Discussion List as:
romari@xxxxxxxxxxxxxxxxx
To unsubscribe visit http://www.webelists.com/cgi/lyris.pl?enter=isalist
Report abuse to listadmin@xxxxxxxxxxxxx

Other related posts:

• » Syn Flood Update
• » RE: Syn Flood Update
• » RE: Syn Flood Update
• » RE: Syn Flood Update
• » RE: Syn Flood Update
• » RE: Syn Flood Update
• » RE: Syn Flood Update
• » RE: Syn Flood Update
• » RE: Syn Flood Update
• » RE: Syn Flood Update
• » RE: Syn Flood Update
• » RE: Syn Flood Update
• » RE: Syn Flood Update
• » RE: Syn Flood Update
• » RE: Syn Flood Update
• » RE: Syn Flood Update
• » RE: Syn Flood Update

1. Home
2. isalist
3. Archive
4. 01-2005

---

• » Previous by Date
• » Next by Date
• » Related Posts
• » View list details
• » Manage your subscription

---