RE: TCP: Syn Flooding Issue

  • From: "Steve Moffat" <steve@xxxxxxxxxx>
  • To: "ISA Mailing List" <isalist@xxxxxxxxxxxxx>
  • Date: Wed, 22 Dec 2004 21:04:49 -0400

% [whois.apnic.net node-2]
% Whois data copyright terms    http://www.apnic.net/db/dbcopyright.html

inetnum:      220.129.0.0 - 220.143.255.255
netname:      HINET-NET
country:      TW
descr:        CHTD, Chunghwa Telecom Co.,Ltd.
descr:        Data-Bldg.6F, No.21, Sec.21, Hsin-Yi Rd.
descr:        Taipei Taiwan 100
admin-c:      HN27-AP
tech-c:       HN28-AP
status:       ALLOCATED PORTABLE
changed:      hostmaster@xxxxxxxxx 20030611
mnt-by:       MAINT-TW-TWNIC
source:       APNIC

person:       HINET Network-Adm
address:      CHTD, Chunghwa Telecom Co., Ltd.
address:      Data-Bldg. 6F,  No. 21, Sec. 21, Hsin-Yi Rd.,
address:      Taipei Taiwan 100
country:      TW
phone:        +886 2 2322 3495
phone:        +886 2 2322 3442
phone:        +886 2 2344 3007
fax-no:       +886 2 2344 2513
fax-no:       +886 2 2395 5671
e-mail:       network-adm@xxxxxxxxx
nic-hdl:      HN27-AP
remarks:      same as TWNIC nic-handle HN184-TW
mnt-by:       MAINT-TW-TWNIC
changed:      hostmaster@xxxxxxxxx 20000721
source:       APNIC

person:       HINET Network-Center
address:      CHTD, Chunghwa Telecom Co., Ltd.
address:      Data-Bldg. 6F,  No. 21, Sec. 21, Hsin-Yi Rd.,
address:      Taipei Taiwan 100
country:      TW
phone:        +886 2 2322 3495
phone:        +886 2 2322 3442
phone:        +886 2 2344 3007
fax-no:       +886 2 2344 2513
fax-no:       +886 2 2395 5671
e-mail:       network-center@xxxxxxxxx
nic-hdl:      HN28-AP
remarks:      same as TWNIC nic-handle HN185-TW
mnt-by:       MAINT-TW-TWNIC
changed:      hostmaster@xxxxxxxxx 20000721
source:       APNIC

inetnum:      220.141.0.0 - 220.141.255.255
netname:      HINET-NET
descr:        CHTD, Chunghwa Telecom Co., Ltd.
descr:        Data-Bldg. 6F,  No. 21, Sec. 21, Hsin-Yi Rd.,
descr:        Taipei Taiwan
country:      TW
admin-c:      CYK-TW
tech-c:       CYK-TW
mnt-by:       MAINT-TW-TWNIC
remarks:      This information has been partially mirrored by APNIC from
remarks:      TWNIC. To obtain more specific information, please use the
remarks:      TWNIC whois server at whois.twnic.net.
changed:      fkchung@xxxxxxxxxxxxx 20030610
status:       ASSIGNED NON-PORTABLE
source:       TWNIC

person:       Chung Yung Kang
address:      Chunghwa Telecom Data communication Business Group
address:      No.21, Hsin-Yi Rd., sec. 1
address:      Taipei Taiwan
country:      TW
phone:        +886-2-2322-3442
fax-no:       +886-2-2344-2513
e-mail:       cykang@xxxxxxxxxxxxx
nic-hdl:      CYK-TW
remarks:      This information has been partially mirrored by APNIC from
remarks:      TWNIC. To obtain more specific information, please use the
remarks:      TWNIC whois server at whois.twnic.net.
changed:      hostmaster@xxxxxxxxx 19990924
source:       TWNIC

 
-----Original Message-----
From: Amy Babinchak [mailto:amy@xxxxxxxxxxxxxxxxxxxxxxxxxx] 
Sent: Wednesday, December 22, 2004 8:36 PM
To: ISA Mailing List
Subject: [isalist] TCP: Syn Flooding Issue

http://www.ISAserver.org

I've got an office with TCP SYN flooding. It slows the internet down to
a crawl and makes accessing secure websites almost impossible. It has
this real estate office almost shut down.

The weird thing is that the tide goes out of this DOS attack every day
around 4:00. It just stops and then it starts up in the morning.

The logs show that the flood is coming from about a dozen IP addresses
on the Internet. But is it really? It seems to coincide with the end of
work day for about 1/2 of the staff. 

What's the best way to get rid of a TCP SYN flood attack? Should I
assume that it's external and not triggered by an internal machine?

Wed, 12/22/2004 16:17:44 - TCP connection dropped - Source:66.178.17.36, 53263, WAN - Destination:66.178.207.200, 445, WAN - 'TCP:Syn Flooding'
Wed, 12/22/2004 16:17:44 - TCP connection dropped - Source:66.178.17.36, 53263, WAN - Destination:66.178.207.200, 445, WAN - 'TCP:Syn Flooding'
Wed, 12/22/2004 16:17:46 - TCP connection dropped - Source:66.178.17.36, 53263, WAN - Destination:66.178.207.200, 445, WAN - 'TCP:Syn Flooding'
Wed, 12/22/2004 16:18:26 - TCP connection dropped - Source:220.141.51.234, 3040, WAN - Destination:66.178.207.200, 445, WAN - 'TCP:Syn Flooding'
Wed, 12/22/2004 16:18:28 - TCP connection dropped - Source:220.141.51.234, 3040, WAN - Destination:66.178.207.200, 445, WAN - 'TCP:Syn Flooding'

FYI: The firewall isn't an ISA Server (working on them to change) and
there are 3 VPN connections to other offices on this firewall.

If I can get to the bottom of this I'll be the hero and then I can put
in some ISA servers. They really need them. They've got site-to-site
VPNs, RAS, and Exchange. The place is screaming ISA.

Thanks,

Amy
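Added here as a worked example, not code from either post: a small Python triage of the firewall lines quoted above. It parses the log format from the message, embeds the APNIC inetnum range from the reply (so it runs offline, with no live whois), and answers the questions asked in the thread: events per source, destination port and hour, how many distinct TCP flows the events really represent, and whether any source is an internal (RFC 1918) address. The sample log is constructed from the five lines in the message.

```python
from collections import Counter
from datetime import datetime
import ipaddress
import re

# Constructed sample: the five log lines quoted in the thread, one per line.
SAMPLE_LOG = """\
Wed, 12/22/2004 16:17:44 - TCP connection dropped - Source:66.178.17.36, 53263, WAN - Destination:66.178.207.200, 445, WAN - 'TCP:Syn Flooding'
Wed, 12/22/2004 16:17:44 - TCP connection dropped - Source:66.178.17.36, 53263, WAN - Destination:66.178.207.200, 445, WAN - 'TCP:Syn Flooding'
Wed, 12/22/2004 16:17:46 - TCP connection dropped - Source:66.178.17.36, 53263, WAN - Destination:66.178.207.200, 445, WAN - 'TCP:Syn Flooding'
Wed, 12/22/2004 16:18:26 - TCP connection dropped - Source:220.141.51.234, 3040, WAN - Destination:66.178.207.200, 445, WAN - 'TCP:Syn Flooding'
Wed, 12/22/2004 16:18:28 - TCP connection dropped - Source:220.141.51.234, 3040, WAN - Destination:66.178.207.200, 445, WAN - 'TCP:Syn Flooding'
"""
# inetnum range from the APNIC whois record in the reply, embedded instead of queried live.
KNOWN_RANGES = [("220.129.0.0", "220.143.255.255", "HINET-NET, TW")]

LINE_RE = re.compile(
    r"^(?P<ts>\w{3}, \d\d/\d\d/\d{4} \d\d:\d\d:\d\d) - .+? - "
    r"Source:(?P<src>[\d.]+), (?P<sport>\d+), \w+ - "
    r"Destination:(?P<dst>[\d.]+), (?P<dport>\d+), \w+ - '(?P<rule>[^']+)'$")

def parse_log(text):
    """Parse lines in this firewall's format; lines that do not match are skipped."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:
            e = m.groupdict()
            e["ts"] = datetime.strptime(e["ts"], "%a, %m/%d/%Y %H:%M:%S")
            e["sport"], e["dport"] = int(e["sport"]), int(e["dport"])
            events.append(e)
    return events

def whois_label(ip):
    """Label an address from the embedded inetnum ranges (no network lookup)."""
    addr = ipaddress.ip_address(ip)
    for lo, hi, label in KNOWN_RANGES:
        if ipaddress.ip_address(lo) <= addr <= ipaddress.ip_address(hi):
            return label
    return "not in embedded ranges"

def summarize(events):
    """Counts that answer the thread's questions: who, which port, when, how many real flows."""
    flows = {(e["src"], e["sport"], e["dst"], e["dport"]) for e in events}
    return {
        "by_src": Counter(e["src"] for e in events),
        "by_dport": Counter(e["dport"] for e in events),
        "by_hour": Counter(e["ts"].hour for e in events),
        # The same 4-tuple repeating within seconds is a SYN retransmission, not a new connection.
        "distinct_flows": len(flows),
        # An RFC 1918 source would mean the "external" flood actually starts inside the office.
        "any_private_src": any(ipaddress.ip_address(e["src"]).is_private for e in events),
        "labels": {s: whois_label(s) for s in {e["src"] for e in events}},
    }
```

On the five quoted lines this reports two distinct flows behind five events, both to port 445 from public addresses, so the end-of-day pattern would need the full day's log (the `by_hour` counter) rather than this excerpt to confirm.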
 
 

------------------------------------------------------
List Archives: http://www.webelists.com/cgi/lyris.pl?enter=isalist
ISA Server Newsletter: http://www.isaserver.org/pages/newsletter.asp
ISA Server FAQ: http://www.isaserver.org/pages/larticle.asp?type=FAQ
------------------------------------------------------

