Already did run PestPatrol (my personal favorite, at least until McAfee gets in and messes it up) and it only found a few cookies, no smoking guns. :(

Amy

-----Original Message-----
From: John Tolmachoff (Lists) [mailto:johnlist@xxxxxxxxxxxxxxxxxxx]
Sent: Thursday, December 23, 2004 7:16 PM
To: [ISAserver.org Discussion List]
Subject: [isalist] RE: TCP: Syn Flooding Issue

http://www.ISAserver.org

Amy, run Spyware scanners on that computer. Chances are you will find stuff.

John Tolmachoff
Engineer/Consultant/Owner
eServices For You

> -----Original Message-----
> From: Amy Babinchak [mailto:amy@xxxxxxxxxxxxxxxxxxxxxxxxxx]
> Sent: Thursday, December 23, 2004 4:11 PM
> To: [ISAserver.org Discussion List]
> Subject: [isalist] RE: TCP: Syn Flooding Issue
>
> I just inherited this client on Tuesday. Nothing like being under fire! Today I ran network monitor for tcp and discovered that the reception computer was firing out 10 times more packets than the rest and no one was even logged into it. I powered it off and about 3/4 of the tcp syn flood reports from the firewall stopped immediately and the network sped up dramatically. That machine is now sitting in a locked room all by itself, hopefully thinking about the bad things it's done. I'm still not to the bottom of the issue but at least they can work now - well, except for the receptionist. Nothing unusual appeared to be running in task manager so I'm not sure if I'm looking at a bad nic or a worm. I'm leaning toward worm even though I can't see it.
>
> I haven't looked much further than resolving issues of synchronization and this flooding problem. But I believe that there may be DFS or at least off-line sync trying to happen. There are some errors in the logs on this topic on the server but I haven't looked at them closely yet. Something I need to know about DFS and 445? I thought that DFS was a bad idea over a wan because it doesn't have a way to alert you of possible data change conflicts if the file was changed by two different people.
>
> Amy
>
> -----Original Message-----
> From: josephk [mailto:josephk@xxxxxxxxx]
> Sent: Thursday, December 23, 2004 4:06 PM
> To: [ISAserver.org Discussion List]
> Subject: [isalist] RE: TCP: Syn Flooding Issue
>
> Hi Amy,
>
> I still close down 445 for every machine except the AD boxes. And the machines actually don't get hit with the sync errors. Are your sites using DFS or anything like that?
>
> Thank you,
>
> Joseph
>
> -----Original Message-----
> From: Amy Babinchak [mailto:amy@xxxxxxxxxxxxxxxxxxxxxxxxxx]
> Sent: Thursday, December 23, 2004 5:38 AM
> To: [ISAserver.org Discussion List]
> Subject: [isalist] RE: TCP: Syn Flooding Issue
>
> There is 1 server at each office. There are 4 offices total. The offices are connected over VPN.
>
> Here's that section of the log.
>
> Thur, 12/23/2004 05:40:16 - 445 dropped - Source:10.1.2.10, 6166, LAN - Destination:10.1.4.10, 445, WAN
>
> Thur, 12/23/2004 05:40:22 - 445 dropped - Source:10.1.2.10, 6169, LAN - Destination:10.1.3.10, 445, WAN
>
> Thur, 12/23/2004 05:40:22 - 445 dropped - Source:10.1.2.10, 6172, LAN - Destination:10.1.1.10, 445, WAN
>
> They only try once every 6 to 20 minutes so this isn't the clog. I was just wondering, by blocking this, what communications between the servers am I preventing? I know that 445 is SMB but I don't know what domain functions are dependent on SMB besides network places browsing. Are there any?
>
> Amy
>
> Harbor Computer Services
> Small Business Computer Specialists
>
> Office (248) 546-6056
> Mobile (248) 890-1794
>
> -----Original Message-----
> From: Thomas W Shinder [mailto:tshinder@xxxxxxxxxxx]
> Sent: Thursday, December 23, 2004 8:26 AM
> To: [ISAserver.org Discussion List]
> Subject: [isalist] RE: TCP: Syn Flooding Issue
>
> Hi Amy,
>
> Which servers are trying to sync?
>
> Where are the source and destination servers?
>
> Thanks!
>
> Tom
> www.isaserver.org/shinder
> Tom and Deb Shinder's Configuring ISA Server 2004
> http://tinyurl.com/3xqb7
> MVP -- ISA Firewalls
>
> -----Original Message-----
> From: Amy Babinchak [mailto:amy@xxxxxxxxxxxxxxxxxxxxxxxxxx]
> Sent: Thursday, December 23, 2004 7:15 AM
> To: [ISAserver.org Discussion List]
> Subject: [isalist] RE: TCP: Syn Flooding Issue
>
> I added the 445 port and then blocked it just so I could determine if there was any 445 traffic coming from inside. (Without the service added, the firewall doesn't log anything from an internal address.) Overnight I see that the servers are trying to communicate using 445 once every 15 minutes and only once to each server. This looks like an active directory sync. If I continue to block 445 will the servers still be able to sync with each other?
>
> Amy
>
> -----Original Message-----
> From: Thomas W Shinder [mailto:tshinder@xxxxxxxxxxx]
> Sent: Wednesday, December 22, 2004 10:19 PM
> To: [ISAserver.org Discussion List]
> Subject: [isalist] RE: TCP: Syn Flooding Issue
>
> Hi Joseph,
>
> I'm guessing the problem isn't that the connections are overtaxing the firewall, but that the customer's end of the pipe is full with what is essentially a DDoS. The *only* way to solve the DDoS issue is by having the ISP block the connections from the fat end of the pipe, 'cause there's nothing you can do on your end. The ISP can block via IP address (which is getting pretty hard with DDoS's) but much easier if they're all going for the same port.
>
> Tom
> www.isaserver.org/shinder
> Tom and Deb Shinder's Configuring ISA Server 2004
> http://tinyurl.com/3xqb7
> MVP -- ISA Firewalls
>
> -----Original Message-----
> From: josephk [mailto:josephk@xxxxxxxxx]
> Sent: Wednesday, December 22, 2004 7:22 PM
> To: [ISAserver.org Discussion List]
> Subject: [isalist] RE: TCP: Syn Flooding Issue
>
> Hi Amy,
>
> What kind of firewall? Watchguard or something like that? If it's Watchguard you can block the incoming 445 from the VPN connections and that should eliminate most of the strange hits.
>
> Joseph
>
> -----Original Message-----
> From: Amy Babinchak [mailto:amy@xxxxxxxxxxxxxxxxxxxxxxxxxx]
> Sent: Wednesday, December 22, 2004 4:36 PM
> To: [ISAserver.org Discussion List]
> Subject: [isalist] TCP: Syn Flooding Issue
>
> I've got an office with tcp syn flooding. It slows the internet down to a crawl and makes accessing secure websites almost impossible. It has this real estate office almost shut down.
>
> The weird thing is that the tide goes out of this DOS attack every day around 4:00. It just stops and then it starts up in the morning.
>
> The logs show that the flood is coming from about a dozen IP addresses on the Internet. But is it really? It seems to coincide with the end of the work day for about 1/2 of the staff.
>
> What's the best way to get rid of a tcp syn flood attack? Should I assume that it's external and not triggered by an internal machine?
>
> Wed, 12/22/2004 16:17:44 - TCP connection dropped - Source:66.178.17.36, 53263, WAN - Destination:66.178.207.200, 445, WAN - 'TCP:Syn Flooding'
> Wed, 12/22/2004 16:17:44 - TCP connection dropped - Source:66.178.17.36, 53263, WAN - Destination:66.178.207.200, 445, WAN - 'TCP:Syn Flooding'
> Wed, 12/22/2004 16:17:46 - TCP connection dropped - Source:66.178.17.36, 53263, WAN - Destination:66.178.207.200, 445, WAN - 'TCP:Syn Flooding'
> Wed, 12/22/2004 16:18:26 - TCP connection dropped - Source:220.141.51.234, 3040, WAN - Destination:66.178.207.200, 445, WAN - 'TCP:Syn Flooding'
> Wed, 12/22/2004 16:18:28 - TCP connection dropped - Source:220.141.51.234, 3040, WAN - Destination:66.178.207.200, 445, WAN - 'TCP:Syn Flooding'
>
> FYI: The firewall isn't an ISA Server (working on them to change) and there are 3 VPN connections to other offices on this firewall.
>
> If I can get to the bottom of this I'll be the hero and then I can put in some ISA servers. They really need them. They've got site-to-site VPNs, RAS, and Exchange. The place is screaming ISA.
>
> Thanks,
>
> Amy
>
> ------------------------------------------------------
> List Archives: http://www.webelists.com/cgi/lyris.pl?enter=isalist
> ISA Server Newsletter: http://www.isaserver.org/pages/newsletter.asp
> ISA Server FAQ: http://www.isaserver.org/pages/larticle.asp?type=FAQ
> ------------------------------------------------------
> Other Internet Software Marketing Sites:
> World of Windows Networking: http://www.windowsnetworking.com
> Leading Network Software Directory: http://www.serverfiles.com
> No.1 Exchange Server Resource Site: http://www.msexchange.org
> Windows Security Resource Site: http://www.windowsecurity.com/
> Network Security Library: http://www.secinf.net/
> Windows 2000/NT Fax Solutions: http://www.ntfaxfaq.com
> ------------------------------------------------------
> You are currently subscribed to this ISAserver.org Discussion List as: josephk@xxxxxxxxxxxxxxxxx
> To unsubscribe visit http://www.webelists.com/cgi/lyris.pl?enter=isalist
> Report abuse to listadmin@xxxxxxxxxxxxx
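An added example, not written by anyone in the thread, of how a defender could tabulate firewall drop lines in the format quoted above: per-source counts, which sources the firewall logged on the LAN side (the inside hosts worth inspecting first), destination ports, and the hour-of-day profile behind the "stops around 4:00" observation. The regex, field names and function names are my own assumptions about the format; the sample lines are the ones quoted in the thread.

```python
import re
from collections import Counter, defaultdict

# Sample input: the drop lines quoted in the thread, in the firewall's own format.
SAMPLE_LOG = """\
Wed, 12/22/2004 16:17:44 - TCP connection dropped - Source:66.178.17.36, 53263, WAN - Destination:66.178.207.200, 445, WAN - 'TCP:Syn Flooding'
Wed, 12/22/2004 16:17:44 - TCP connection dropped - Source:66.178.17.36, 53263, WAN - Destination:66.178.207.200, 445, WAN - 'TCP:Syn Flooding'
Wed, 12/22/2004 16:17:46 - TCP connection dropped - Source:66.178.17.36, 53263, WAN - Destination:66.178.207.200, 445, WAN - 'TCP:Syn Flooding'
Wed, 12/22/2004 16:18:26 - TCP connection dropped - Source:220.141.51.234, 3040, WAN - Destination:66.178.207.200, 445, WAN - 'TCP:Syn Flooding'
Wed, 12/22/2004 16:18:28 - TCP connection dropped - Source:220.141.51.234, 3040, WAN - Destination:66.178.207.200, 445, WAN - 'TCP:Syn Flooding'
Thur, 12/23/2004 05:40:16 - 445 dropped - Source:10.1.2.10, 6166, LAN - Destination:10.1.4.10, 445, WAN
Thur, 12/23/2004 05:40:22 - 445 dropped - Source:10.1.2.10, 6169, LAN - Destination:10.1.3.10, 445, WAN
Thur, 12/23/2004 05:40:22 - 445 dropped - Source:10.1.2.10, 6172, LAN - Destination:10.1.1.10, 445, WAN
"""

# Field layout inferred from the quoted lines (assumption); the trailing quoted reason is optional.
LINE_RE = re.compile(
    r"^(?P<day>\w+), (?P<date>\d\d/\d\d/\d{4}) (?P<time>\d\d:\d\d:\d\d) - "
    r"(?P<action>.+?) - Source:(?P<src>[\d.]+), (?P<sport>\d+), (?P<szone>LAN|WAN) - "
    r"Destination:(?P<dst>[\d.]+), (?P<dport>\d+), (?P<dzone>LAN|WAN)"
    r"(?: - '(?P<reason>[^']*)')?$"
)

def parse(text):
    """Yield one dict per recognised line; anything that does not match is skipped."""
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            rec = m.groupdict()
            rec["sport"], rec["dport"] = int(rec["sport"]), int(rec["dport"])
            yield rec

def summarize(text):
    """Per source host: zone seen, drop count, SYN-flood count, destination ports, hours."""
    out = defaultdict(lambda: {"zone": None, "drops": 0, "syn_flood": 0,
                               "dports": Counter(), "hours": Counter()})
    for r in parse(text):
        s = out[r["src"]]
        s["zone"] = r["szone"]
        s["drops"] += 1
        s["dports"][r["dport"]] += 1
        s["hours"][r["time"][:2]] += 1   # hour of day, to see the "stops at 4:00" pattern
        if r["reason"] and "Syn Flooding" in r["reason"]:
            s["syn_flood"] += 1
    return dict(out)

def internal_sources(summary):
    """Hosts the firewall logged on the LAN side: the inside candidates to inspect first."""
    return sorted(ip for ip, s in summary.items() if s["zone"] == "LAN")

if __name__ == "__main__":
    for ip, s in summarize(SAMPLE_LOG).items():
        print(ip, s["zone"], s["drops"], s["syn_flood"], dict(s["dports"]), dict(s["hours"]))
    print("LAN-side sources:", internal_sources(summarize(SAMPLE_LOG)))
```

Note that the WAN-side entries only show who the firewall rejected; as Amy found with Network Monitor, the inside host generating the load may never appear as a source in these drops at all.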