RE: TCP: Syn Flooding Issue

  • From: "Steve Moffat" <steve@xxxxxxxxxx>
  • To: "ISA Mailing List" <isalist@xxxxxxxxxxxxx>
  • Date: Wed, 22 Dec 2004 21:02:22 -0400

 12/22/04 21:01:47 IP block 66.178.17.36
Trying 66.178.17.36 at ARIN
Trying 66.178.17 at ARIN

OrgName:    New Skies Satellites N.V. 
OrgID:      NWSK
Address:    8000 Gainsford Ct
City:       Bristow
StateProv:  VA
PostalCode: 20136
Country:    US

NetRange:   66.178.0.0 - 66.178.127.255 
CIDR:       66.178.0.0/17 
NetName:    NSS-NETBLOCK-3
NetHandle:  NET-66-178-0-0-1
Parent:     NET-66-0-0-0-0
NetType:    Direct Allocation
NameServer: NS.NEWSKIES.NET
NameServer: NS2.NEWSKIES.NET
Comment:    ADDRESSES WITHIN THIS BLOCK ARE NON-PORTABLE
RegDate:    2001-10-10
Updated:    2004-07-27

TechHandle: ZN39-ARIN
TechName:   New Skies Satellites 
TechPhone:  +1-703-330-3305
TechEmail:  nssipserv@xxxxxxxxxxxx 

OrgAbuseHandle: ABUSE128-ARIN
OrgAbuseName:   Abuse 
OrgAbusePhone:  +1-703-330-3305
OrgAbuseEmail:  abuse@xxxxxxxxxxxx

OrgTechHandle: BSM18-ARIN
OrgTechName:   Smith, Bob 
OrgTechPhone:  +1-703-367-7300
OrgTechEmail:  rwsmith@xxxxxxxxxxxx

OrgTechHandle: NOC284-ARIN
OrgTechName:   NOC 
OrgTechPhone:  +1-703-330-3305
OrgTechEmail:  noc@xxxxxxxxxxxx

OrgTechHandle: PNG3-ARIN
OrgTechName:   Nguenkam, Pascal 
OrgTechPhone:  +1-703-330-3305
OrgTechEmail:  pnguenkam@xxxxxxxxxxxx

OrgTechHandle: JGR26-ARIN
OrgTechName:   Greenhalgh, John 
OrgTechPhone:  +1-703-330-3305
OrgTechEmail:  jgreenhalgh@xxxxxxxxxxxx

OrgTechHandle: SCO14-ARIN
OrgTechName:   Cooper, Steve 
OrgTechPhone:  +1-703-330-3305
OrgTechEmail:  scooper@xxxxxxxxxxxx

# ARIN WHOIS database, last updated 2004-12-21 19:10
# Enter ? for additional hints on searching ARIN's WHOIS database.


-----Original Message-----
From: Amy Babinchak [mailto:amy@xxxxxxxxxxxxxxxxxxxxxxxxxx] 
Sent: Wednesday, December 22, 2004 8:36 PM
To: ISA Mailing List
Subject: [isalist] TCP: Syn Flooding Issue

http://www.ISAserver.org

I've got an office with tcp syn flooding. It slows the internet down to
a crawl and makes accessing secure websites almost impossible. It has
this real estate office almost shut down.

The weird thing is that the tide goes out of this DOS attack everyday
around 4:00.  It just stops and then it starts up in the morning.

The logs show that the flood is coming from about a dozen IP addresses
on the Internet. But is it really? It seems to coincide with the end of
work day for about 1/2 of the staff. 

What's the best way to get rid of a tcp syn flood attack? Should I
assume that it's external and not triggered by an internal machine?

Wed, 12/22/2004 16:17:44 - TCP connection dropped - Source:66.178.17.36,
53263, WAN - Destination:66.178.207.200, 445, WAN - 'TCP:Syn Flooding'
Wed, 12/22/2004 16:17:44 - TCP connection dropped - Source:66.178.17.36,
53263, WAN - Destination:66.178.207.200, 445, WAN - 'TCP:Syn Flooding'
Wed, 12/22/2004 16:17:46 - TCP connection dropped - Source:66.178.17.36,
53263, WAN - Destination:66.178.207.200, 445, WAN - 'TCP:Syn Flooding'
Wed, 12/22/2004 16:18:26 - TCP connection dropped -
Source:220.141.51.234, 3040, WAN - Destination:66.178.207.200, 445, WAN
- 'TCP:Syn Flooding'
Wed, 12/22/2004 16:18:28 - TCP connection dropped -
Source:220.141.51.234, 3040, WAN - Destination:66.178.207.200, 445, WAN
- 'TCP:Syn Flooding'

FYI: The firewall isn't an ISA Server (working on them to change) and
there are 3 VPN connections to other offices on this firewall.

If I can get to the bottom of this I'll be the hero and then I can put
in some ISA servers. They really need them. They've got site-to-site
VPN's, RAS, and Exchange. The place is screaming ISA. 

Thanks,

Amy
 
 

------------------------------------------------------
List Archives: http://www.webelists.com/cgi/lyris.pl?enter=isalist
ISA Server Newsletter: http://www.isaserver.org/pages/newsletter.asp
ISA Server FAQ: http://www.isaserver.org/pages/larticle.asp?type=FAQ
------------------------------------------------------
Other Internet Software Marketing Sites:
World of Windows Networking: http://www.windowsnetworking.com Leading
Network Software Directory: http://www.serverfiles.com
No.1 Exchange Server Resource Site: http://www.msexchange.org Windows
Security Resource Site: http://www.windowsecurity.com/ Network Security
Library: http://www.secinf.net/ Windows 2000/NT Fax Solutions:
http://www.ntfaxfaq.com
------------------------------------------------------
You are currently subscribed to this ISAserver.org Discussion List as:
isalist@xxxxxxxxxx To unsubscribe visit
http://www.webelists.com/cgi/lyris.pl?enter=isalist
Report abuse to listadmin@xxxxxxxxxxxxx

This E-Mail is confidential. It is not intended to be read, copied, disclosed 
or used by any person other than the recipient named above.

Unauthorised use, disclosure, or copying is strictly prohibited and may be 
unlawful. Optimum IT Solutions Ltd disclaims any liability for any action taken 
in connection of this E-Mail. The comments or statements expressed in this 
E-Mail are not necessarily those of Optimum IT Solutions Ltd or its 
subsidiaries or affiliates.

administrator@xxxxxxxxxx

Other related posts:

  1. Home
  2. isalist
  3. Archive
  4. 12-2004