RE: TCP: Syn Flooding Issue

  • From: "Amy Babinchak" <amy@xxxxxxxxxxxxxxxxxxxxxxxxxx>
  • To: "[ISAserver.org Discussion List]" <isalist@xxxxxxxxxxxxx>
  • Date: Thu, 23 Dec 2004 19:35:50 -0500

Already did run PestPatrol (my personal favorite at least until McAfee
gets in and messes it up) and it only found a few cookies, no smoking
guns. :(

Amy
 
 
 

-----Original Message-----
From: John Tolmachoff (Lists) [mailto:johnlist@xxxxxxxxxxxxxxxxxxx] 
Sent: Thursday, December 23, 2004 7:16 PM
To: [ISAserver.org Discussion List]
Subject: [isalist] RE: TCP: Syn Flooding Issue

http://www.ISAserver.org

Amy, run Spyware scanners on that computer. Chances are you will find
stuff.

John Tolmachoff
Engineer/Consultant/Owner
eServices For You


> -----Original Message-----
> From: Amy Babinchak [mailto:amy@xxxxxxxxxxxxxxxxxxxxxxxxxx]
> Sent: Thursday, December 23, 2004 4:11 PM
> To: [ISAserver.org Discussion List]
> Subject: [isalist] RE: TCP: Syn Flooding Issue
> 
> http://www.ISAserver.org
> 
> I just inherited this client on Tuesday. Nothing like being under fire!
> Today I ran network monitor for tcp and discovered that the reception
> computer was firing out 10 times more packets than the rest and no one
> was even logged into it. I powered it off and about 3/4 of the tcp syn
> flood reports from the firewall stopped immediately and the network sped
> up dramatically. That machine is now sitting in a locked room all by
> itself, hopefully thinking about the bad things it's done. I'm still not
> to the bottom of the issue but at least they can work now - well except
> for the receptionist. Nothing unusual appeared to be running in task
> manager so I'm not sure if I'm looking at a bad nic or a worm. I'm
> leaning toward worm even though I can't see it.
> 
> I haven't looked much further than resolving issues of synchronization and
> this flooding problem. But I believe that there may be DFS or at least
> off-line sync trying to happen. There are some errors in the logs on
> this topic on the server but I haven't looked at them closely yet.
> Something I need to know about DFS and 445? I thought that DFS was a bad
> idea over a wan because it doesn't have a way to alert you of possible
> data change conflicts if the file was changed by two different people.
> 
> Amy
> 
> 
> 
> -----Original Message-----
> From: josephk [mailto:josephk@xxxxxxxxx]
> Sent: Thursday, December 23, 2004 4:06 PM
> To: [ISAserver.org Discussion List]
> Subject: [isalist] RE: TCP: Syn Flooding Issue
> 
> http://www.ISAserver.org
> 
> Hi Amy,
> 
> I still close down 445 for every machine except the AD boxes.
> And the machines actually don't get hit with the sync errors.
> Are your sites using DFS or anything like that?
> 
> Thank you,
> 
> Joseph
> 
> -----Original Message-----
> From: Amy Babinchak [mailto:amy@xxxxxxxxxxxxxxxxxxxxxxxxxx]
> Sent: Thursday, December 23, 2004 5:38 AM
> To: [ISAserver.org Discussion List]
> Subject: [isalist] RE: TCP: Syn Flooding Issue
> 
> http://www.ISAserver.org
> 
> There is 1 server at each office. There are 4 offices total. The offices
> are connected over VPN.
> 
> Here's that section of the log.
> 
> Thur, 12/23/2004 05:40:16 - 445 dropped - Source:10.1.2.10, 6166, LAN - Destination:10.1.4.10, 445, WAN
> 
> Thur, 12/23/2004 05:40:22 - 445 dropped - Source:10.1.2.10, 6169, LAN - Destination:10.1.3.10, 445, WAN
> 
> Thur, 12/23/2004 05:40:22 - 445 dropped - Source:10.1.2.10, 6172, LAN - Destination:10.1.1.10, 445, WAN
> 
> They only try once every 6 to 20 minutes so this isn't the clog. I was
> just wondering by blocking this what communications between the servers
> am I preventing? I know that 445 is SMB but I don't know what domain
> functions are dependent on SMB besides network places browsing. Are
> there any?
> 
> Amy
> 
> 
> 
> Harbor Computer Services
> Small Business Computer Specialists
> 
> Office (248) 546-6056
> Mobile (248) 890-1794
> 
> -----Original Message-----
> From: Thomas W Shinder [mailto:tshinder@xxxxxxxxxxx]
> Sent: Thursday, December 23, 2004 8:26 AM
> To: [ISAserver.org Discussion List]
> Subject: [isalist] RE: TCP: Syn Flooding Issue
> 
> http://www.ISAserver.org
> 
> Hi Amy,
> 
> Which servers are trying to sync?
> 
> Where are the source and destination servers?
> 
> Thanks!
> 
> 
> Tom
> www.isaserver.org/shinder
> Tom and Deb Shinder's Configuring ISA Server 2004
> http://tinyurl.com/3xqb7
> MVP -- ISA Firewalls
> 
> 
> -----Original Message-----
> From: Amy Babinchak [mailto:amy@xxxxxxxxxxxxxxxxxxxxxxxxxx]
> Sent: Thursday, December 23, 2004 7:15 AM
> To: [ISAserver.org Discussion List]
> Subject: [isalist] RE: TCP: Syn Flooding Issue
> 
> http://www.ISAserver.org
> 
> I added the 445 port and then blocked it just so I could determine if
> there was any 445 traffic coming from inside. (Without the service added
> the firewall doesn't log anything from an internal address.) Overnight I
> see that the servers are trying to communicate using 445 once every 15
> minutes and only once to each server. This looks like an active
> directory sync. If I continue to block 445 will the servers still be
> able to sync with each other?
> 
> Amy
> 
> -----Original Message-----
> From: Thomas W Shinder [mailto:tshinder@xxxxxxxxxxx]
> Sent: Wednesday, December 22, 2004 10:19 PM
> To: [ISAserver.org Discussion List]
> Subject: [isalist] RE: TCP: Syn Flooding Issue
> 
> http://www.ISAserver.org
> 
> Hi Joseph,
> 
> I'm guessing the problem isn't that the connections are overtaxing the
> firewall, but that the customer's end of the pipe is full with what is
> essentially a DDoS. The *only* way to solve the DDoS issue is by having
> the ISP block the connections from the fat end of the pipe, 'cause
> there's nothing you can do on your end. The ISP can block via IP address
> (which is getting pretty hard with DDoS's) but much easier if they're all
> going for the same port.
> 
> 
> Tom
> www.isaserver.org/shinder
> Tom and Deb Shinder's Configuring ISA Server 2004
> http://tinyurl.com/3xqb7
> MVP -- ISA Firewalls
> 
> 
> -----Original Message-----
> From: josephk [mailto:josephk@xxxxxxxxx]
> Sent: Wednesday, December 22, 2004 7:22 PM
> To: [ISAserver.org Discussion List]
> Subject: [isalist] RE: TCP: Syn Flooding Issue
> 
> http://www.ISAserver.org
> 
> Hi Amy,
> 
> What kind of firewall?  Watchguard or something like that?
> If it's watchguard you can block the incoming 445 from
> the VPN connections and that should eliminate most
> of the strange hits.
> 
> Joseph
> 
> -----Original Message-----
> From: Amy Babinchak [mailto:amy@xxxxxxxxxxxxxxxxxxxxxxxxxx]
> Sent: Wednesday, December 22, 2004 4:36 PM
> To: [ISAserver.org Discussion List]
> Subject: [isalist] TCP: Syn Flooding Issue
> 
> http://www.ISAserver.org
> 
> I've got an office with tcp syn flooding. It slows the internet down to
> a crawl and makes accessing secure websites almost impossible. It has
> this real estate office almost shut down.
> 
> The weird thing is that the tide goes out of this DOS attack every day
> around 4:00.  It just stops and then it starts up in the morning.
> 
> The logs show that the flood is coming from about a dozen IP addresses
> on the Internet. But is it really? It seems to coincide with the end of
> work day for about 1/2 of the staff.
> 
> What's the best way to get rid of a tcp syn flood attack? Should I
> assume that it's external and not triggered by an internal machine?
> 
> Wed, 12/22/2004 16:17:44 - TCP connection dropped - Source:66.178.17.36, 53263, WAN - Destination:66.178.207.200, 445, WAN - 'TCP:Syn Flooding'
> Wed, 12/22/2004 16:17:44 - TCP connection dropped - Source:66.178.17.36, 53263, WAN - Destination:66.178.207.200, 445, WAN - 'TCP:Syn Flooding'
> Wed, 12/22/2004 16:17:46 - TCP connection dropped - Source:66.178.17.36, 53263, WAN - Destination:66.178.207.200, 445, WAN - 'TCP:Syn Flooding'
> Wed, 12/22/2004 16:18:26 - TCP connection dropped - Source:220.141.51.234, 3040, WAN - Destination:66.178.207.200, 445, WAN - 'TCP:Syn Flooding'
> Wed, 12/22/2004 16:18:28 - TCP connection dropped - Source:220.141.51.234, 3040, WAN - Destination:66.178.207.200, 445, WAN - 'TCP:Syn Flooding'
> 
> FYI: The firewall isn't an ISA Server (working on them to change) and
> there are 3 VPN connections to other offices on this firewall.
> 
> If I can get to the bottom of this I'll be the hero and then I can put
> in some ISA servers. They really need them. They've got site-to-site
> VPN's, RAS, and Exchange. The place is screaming ISA.
> 
> Thanks,
> 
> Amy
> 
> 
> 
> ------------------------------------------------------
> List Archives: http://www.webelists.com/cgi/lyris.pl?enter=isalist
> ISA Server Newsletter: http://www.isaserver.org/pages/newsletter.asp
> ISA Server FAQ: http://www.isaserver.org/pages/larticle.asp?type=FAQ
> ------------------------------------------------------
> Other Internet Software Marketing Sites:
> World of Windows Networking: http://www.windowsnetworking.com
> Leading Network Software Directory: http://www.serverfiles.com
> No.1 Exchange Server Resource Site: http://www.msexchange.org
> Windows Security Resource Site: http://www.windowsecurity.com/
> Network Security Library: http://www.secinf.net/
> Windows 2000/NT Fax Solutions: http://www.ntfaxfaq.com
> ------------------------------------------------------
> You are currently subscribed to this ISAserver.org Discussion List as:
> josephk@xxxxxxxxxxxxxxxxx
> To unsubscribe visit http://www.webelists.com/cgi/lyris.pl?enter=isalist
> Report abuse to listadmin@xxxxxxxxxxxxx
> 
> 


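As an added example (not code from the thread or from any of its participants), here is a small Python triage script for firewall log lines in the shape quoted above. It sorts the "TCP:Syn Flooding" drops the way the thread argues about them: by source address, by whether the source is on the LAN interface or an RFC 1918 address (the "is it really external?" question), and by hour of day (the "stops around 4:00" pattern), and separately tallies the plain port-445 drops between office servers. The exact log grammar, the sample lines (constructed with documentation-range addresses, not the thread's real IPs) and the function names are assumptions.

```python
import ipaddress
import re
from collections import Counter
from datetime import datetime

# Assumed grammar, matching both shapes of line quoted in the thread:
#   "<day>, <mm/dd/yyyy> <hh:mm:ss> - <event> - Source:<ip>, <port>, <if>
#    - Destination:<ip>, <port>, <if>[ - '<reason>']"
LINE_RE = re.compile(
    r"^(?P<day>\w+), (?P<date>\d{2}/\d{2}/\d{4}) (?P<time>\d{2}:\d{2}:\d{2}) - "
    r"(?P<event>[^-]+?) - "
    r"Source:(?P<src_ip>[\d.]+), (?P<src_port>\d+), (?P<src_if>\w+) - "
    r"Destination:(?P<dst_ip>[\d.]+), (?P<dst_port>\d+), (?P<dst_if>\w+)"
    r"(?: - '(?P<reason>[^']*)')?\s*$"
)

# RFC 1918 ranges: a source here originated inside an office or a VPN peer.
RFC1918 = [ipaddress.ip_network(n)
           for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

# Constructed sample log (documentation-range addresses, not real hosts).
SAMPLE_LOG = """\
Wed, 12/22/2004 16:17:44 - TCP connection dropped - Source:198.51.100.7, 53263, WAN - Destination:203.0.113.20, 445, WAN - 'TCP:Syn Flooding'
Wed, 12/22/2004 16:17:44 - TCP connection dropped - Source:198.51.100.7, 53263, WAN - Destination:203.0.113.20, 445, WAN - 'TCP:Syn Flooding'
Wed, 12/22/2004 16:18:26 - TCP connection dropped - Source:192.0.2.44, 3040, WAN - Destination:203.0.113.20, 445, WAN - 'TCP:Syn Flooding'
Wed, 12/22/2004 09:05:01 - TCP connection dropped - Source:10.1.2.77, 1043, LAN - Destination:203.0.113.20, 445, WAN - 'TCP:Syn Flooding'
Thur, 12/23/2004 05:40:16 - 445 dropped - Source:10.1.2.10, 6166, LAN - Destination:10.1.4.10, 445, WAN
this line is not a firewall event and must be skipped
"""


def is_rfc1918(ip):
    """True if the dotted-quad address falls in one of the RFC 1918 ranges."""
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in RFC1918)


def parse_line(line):
    """Parse one log line into a dict, or return None if it does not match."""
    m = LINE_RE.match(line.strip())
    if m is None:
        return None
    rec = m.groupdict()
    rec["timestamp"] = datetime.strptime(
        f"{rec['date']} {rec['time']}", "%m/%d/%Y %H:%M:%S")
    rec["src_port"] = int(rec["src_port"])
    rec["dst_port"] = int(rec["dst_port"])
    rec["src_private"] = is_rfc1918(rec["src_ip"])
    return rec


def parse_log(text):
    """Parse every recognisable line of a log dump; other lines are dropped."""
    return [r for r in (parse_line(l) for l in text.splitlines())
            if r is not None]


def syn_flood_report(records):
    """Split SYN-flood drops by origin and hour, and list inter-site SMB drops."""
    floods = [r for r in records if r["reason"] == "TCP:Syn Flooding"]
    return {
        # who the firewall blames, regardless of which side it sits on
        "by_source": Counter(r["src_ip"] for r in floods),
        # flood entries whose source is behind the firewall or a VPN peer
        "internal_sources": Counter(
            r["src_ip"] for r in floods
            if r["src_if"] == "LAN" or r["src_private"]),
        # hour-of-day profile: a flood that stops around 4:00 and resumes in
        # the morning coincides with the staff's working day, as noted above
        "by_hour": Counter(r["timestamp"].hour for r in floods),
        # plain port-445 drops between office servers (the blocked SMB/AD traffic)
        "site_smb_attempts": Counter(
            (r["src_ip"], r["dst_ip"]) for r in records
            if r["dst_port"] == 445 and r["reason"] is None),
    }


if __name__ == "__main__":
    report = syn_flood_report(parse_log(SAMPLE_LOG))
    for key, counter in report.items():
        print(key)
        for item, n in counter.most_common():
            print(f"  {item}: {n}")
```

Run it against a real export by replacing SAMPLE_LOG with the file contents; a non-empty internal_sources, or a by_hour profile that tracks office hours, is the cue to look inward before asking the ISP to filter, which is what the reception machine turned out to be in this thread.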