I've got an office with tcp syn flooding. It slows the internet down to a crawl and makes accessing secure websites almost impossible. It has this real estate office almost shut down. The weird thing is that the tide goes out of this DOS attack everyday around 4:00. It just stops and then it starts up in the morning. The logs show that the flood is coming from about a dozen IP addresses on the Internet. But is it really? It seems to coincide with the end of work day for about 1/2 of the staff. What's the best way to get rid of a tcp syn flood attack? Should I assume that it's external and not triggered by an internal machine? Wed, 12/22/2004 16:17:44 - TCP connection dropped - Source:66.178.17.36, 53263, WAN - Destination:66.178.207.200, 445, WAN - 'TCP:Syn Flooding' Wed, 12/22/2004 16:17:44 - TCP connection dropped - Source:66.178.17.36, 53263, WAN - Destination:66.178.207.200, 445, WAN - 'TCP:Syn Flooding' Wed, 12/22/2004 16:17:46 - TCP connection dropped - Source:66.178.17.36, 53263, WAN - Destination:66.178.207.200, 445, WAN - 'TCP:Syn Flooding' Wed, 12/22/2004 16:18:26 - TCP connection dropped - Source:220.141.51.234, 3040, WAN - Destination:66.178.207.200, 445, WAN - 'TCP:Syn Flooding' Wed, 12/22/2004 16:18:28 - TCP connection dropped - Source:220.141.51.234, 3040, WAN - Destination:66.178.207.200, 445, WAN - 'TCP:Syn Flooding' FYI: The firewall isn't an ISA Server (working on them to change) and there are 3 VPN connections to other offices on this firewall. If I can get to the bottom of this I'll be the hero and then I can put in some ISA servers. They really need them. They've got site-to-site VPN's, RAS, and Exchange. The place is screaming ISA. Thanks, Amy