RE: Syn Flood Update

  • From: "John Tolmachoff (Lists)" <johnlist@xxxxxxxxxxxxxxxxxxx>
  • To: "'[ISAserver.org Discussion List]'" <isalist@xxxxxxxxxxxxx>
  • Date: Wed, 5 Jan 2005 09:52:51 -0800

Amy, have you tried disconnecting the cable from the internal NIC and
checking to see if the problem continues?

John Tolmachoff
Engineer/Consultant/Owner
eServices For You


> -----Original Message-----
> From: Amy Babinchak [mailto:amy@xxxxxxxxxxxxxxxxxxxxxxxxxx]
> Sent: Wednesday, January 05, 2005 9:41 AM
> To: [ISAserver.org Discussion List]
> Subject: [isalist] RE: Syn Flood Update
> 
> http://www.ISAserver.org
> 
> Bad news. The IP address change did nothing. The firewall log is still
> completely full of tcp syn flooding. The strange thing is that I noticed
> that when I log into the firewall remotely, it shows MY ip address as
> the source of the problem, along with a bunch of others. Could this be a
> configuration problem in the ISP's router?
> 
> Amy
> 
> 
> 
> 
> -----Original Message-----
> From: josephk [mailto:josephk@xxxxxxxxx]
> Sent: Wednesday, January 05, 2005 10:17 AM
> To: [ISAserver.org Discussion List]
> Subject: [isalist] RE: Syn Flood Update
> 
> Hi Amy,
> 
> What internal software is being used? i.e.
> 1. SpamLion or other spam processing email program.
> 2. Any on-board NICs? (check with vendor for driver updates)
> 3. http://www.emsisoft.com/en/ is another good Trojan scanner.
>    I use a combination of tools.
> 4. Double check all the run, runex and runonce on each of the machines.
>    I have a script that can read all the machines on the network and create
>    a report of those. If you would like to give it a try, just let me know.
> 
> Joseph
> 
> -----Original Message-----
> From: Amy Babinchak [mailto:amy@xxxxxxxxxxxxxxxxxxxxxxxxxx]
> Sent: Wednesday, January 05, 2005 5:54 AM
> To: [ISAserver.org Discussion List]
> Subject: [isalist] Syn Flood Update
> 
> Ran network monitor looking for high volume of packets coming from any
> particular network card. Found nothing.
> 
> Next we changed to another IP address in our currently allocated block.
> No change in flooding.
> 
> Asked for an allocation of different IP address block from ISP. Got run
> through the wringer by the ISP telling me that this was all my fault and
> that something on the internal network must be prompting this long list
> of machines in other countries to flood our network or that the firewall
> (non-ISA) is compromised. We're getting the new address block - he was
> supposed to deliver yesterday but didn't. I've already scanned each PC
> using spybot. I do not believe that there is anything internal causing
> this problem. Short of re-imaging every machine is there anything I can
> do to be certain?
> 
> Amy
> 
> 
> 
> 
> ------------------------------------------------------
> List Archives: http://www.webelists.com/cgi/lyris.pl?enter=isalist
> ISA Server Newsletter: http://www.isaserver.org/pages/newsletter.asp
> ISA Server FAQ: http://www.isaserver.org/pages/larticle.asp?type=FAQ
> ------------------------------------------------------
> Other Internet Software Marketing Sites:
> World of Windows Networking: http://www.windowsnetworking.com
> Leading Network Software Directory: http://www.serverfiles.com
> No.1 Exchange Server Resource Site: http://www.msexchange.org
> Windows Security Resource Site: http://www.windowsecurity.com/
> Network Security Library: http://www.secinf.net/
> Windows 2000/NT Fax Solutions: http://www.ntfaxfaq.com
> ------------------------------------------------------
> You are currently subscribed to this ISAserver.org Discussion List as:
> josephk@xxxxxxxxxxxxxxxxx
> To unsubscribe visit http://www.webelists.com/cgi/lyris.pl?enter=isalist
> Report abuse to listadmin@xxxxxxxxxxxxx
> 
> 

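Joseph's fourth suggestion in the quoted thread (checking the run, runex and runonce entries on every machine) can be scripted. The PowerShell below is an added example, not Joseph's script and not part of the original thread; it assumes he means the Run, RunOnce and RunOnceEx registry keys under `SOFTWARE\Microsoft\Windows\CurrentVersion`, that the Remote Registry service is reachable with administrative rights, and the host names are placeholders.

```powershell
# Added example: report autorun entries from the Run, RunOnce and RunOnceEx
# keys on a list of machines and write them to a CSV for review.
$computers = @('PC01', 'PC02')          # hypothetical host names, replace with your own
$keyNames  = @('Run', 'RunOnce', 'RunOnceEx')
$base      = 'SOFTWARE\Microsoft\Windows\CurrentVersion'

function Get-KeyValues {
    param($Root, [string]$Path, [string]$Computer, [string]$Hive)
    $key = $Root.OpenSubKey($Path)
    if ($null -eq $key) { return }      # key absent on this machine or hive
    foreach ($name in $key.GetValueNames()) {
        [pscustomobject]@{
            Computer = $Computer
            Key      = "$Hive\$Path"
            Name     = $name
            Command  = [string]$key.GetValue($name)
        }
    }
    # RunOnceEx keeps its entries in subkeys, so walk those as well.
    foreach ($sub in $key.GetSubKeyNames()) {
        Get-KeyValues -Root $Root -Path "$Path\$sub" -Computer $Computer -Hive $Hive
    }
    $key.Close()
}

$report = foreach ($computer in $computers) {
    try {
        $hklm = [Microsoft.Win32.RegistryKey]::OpenRemoteBaseKey('LocalMachine', $computer)
        $hku  = [Microsoft.Win32.RegistryKey]::OpenRemoteBaseKey('Users', $computer)
    } catch {
        Write-Warning "${computer}: cannot open remote registry ($($_.Exception.Message))"
        continue
    }
    foreach ($k in $keyNames) {
        Get-KeyValues -Root $hklm -Path "$base\$k" -Computer $computer -Hive 'HKLM'
        # Per-user autoruns are visible only for hives currently loaded under HKEY_USERS.
        foreach ($sid in $hku.GetSubKeyNames()) {
            Get-KeyValues -Root $hku -Path "$sid\$base\$k" -Computer $computer -Hive 'HKU'
        }
    }
    $hklm.Close(); $hku.Close()
}

$report | Sort-Object Computer, Key, Name |
    Export-Csv -Path .\autorun-report.csv -NoTypeInformation
```

Profiles of users who are not logged on are not loaded under HKEY_USERS, so their per-user entries do not appear in the report.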

