RE: TCP: Syn Flooding Issue

  • From: "Amy Babinchak" <amy@xxxxxxxxxxxxxxxxxxxxxxxxxx>
  • To: "[ISAserver.org Discussion List]" <isalist@xxxxxxxxxxxxx>
  • Date: Wed, 22 Dec 2004 20:10:01 -0500

Yes, I looked those up too but I've got a list of IPs a mile long. They
don't all come from those two domains. Each IP shows up in the log a few
times in a row and then it switches to a new one. I'd be chasing my
tail, wouldn't I? It logged 16 unique IP addresses in one hour. The log
then starts to overwrite itself. How do these things work? Is it
generally a fixed number of IPs and then they start repeating? How
smart is the program that is generating this stuff? Will it just select
new IPs if I block those or will it give up and go away?

Amy
 
 
 

-----Original Message-----
From: Steve Moffat [mailto:steve@xxxxxxxxxx] 
Sent: Wednesday, December 22, 2004 8:03 PM
To: [ISAserver.org Discussion List]
Subject: [isalist] RE: TCP: Syn Flooding Issue

http://www.ISAserver.org

 
12/22/04 21:02:38 IP block 220.141.51.234
Trying 220.141.51.234 at ARIN
Trying 220.141.51 at ARIN

OrgName:    Asia Pacific Network Information Centre 
OrgID:      APNIC
Address:    PO Box 2131
City:       Milton
StateProv:  QLD
PostalCode: 4064
Country:    AU

ReferralServer: whois://whois.apnic.net

NetRange:   220.0.0.0 - 220.255.255.255 
CIDR:       220.0.0.0/8 
NetName:    APNIC6
NetHandle:  NET-220-0-0-0-1
Parent:     
NetType:    Allocated to APNIC
NameServer: NS1.APNIC.NET
NameServer: NS3.APNIC.NET
NameServer: NS4.APNIC.NET
NameServer: NS.RIPE.NET
NameServer: TINNIE.ARIN.NET
Comment:    This IP address range is not registered in the ARIN database.
Comment:    For details, refer to the APNIC Whois Database via
Comment:    WHOIS.APNIC.NET or http://www.apnic.net/apnic-bin/whois2.pl
Comment:    ** IMPORTANT NOTE: APNIC is the Regional Internet Registry
Comment:    for the Asia Pacific region. APNIC does not operate networks
Comment:    using this IP address range and is not able to investigate
Comment:    spam or abuse reports relating to these addresses. For more
Comment:    help, refer to http://www.apnic.net/info/faq/abuse
Comment:    
RegDate:    
Updated:    2004-03-30

OrgTechHandle: AWC12-ARIN
OrgTechName:   APNIC Whois Contact 
OrgTechPhone:  +61 7 3858 3100
OrgTechEmail:  search-apnic-not-arin@xxxxxxxxx

# ARIN WHOIS database, last updated 2004-12-21 19:10
# Enter ? for additional hints on searching ARIN's WHOIS database.

-----Original Message-----
From: Amy Babinchak [mailto:amy@xxxxxxxxxxxxxxxxxxxxxxxxxx] 
Sent: Wednesday, December 22, 2004 8:36 PM
To: ISA Mailing List
Subject: [isalist] TCP: Syn Flooding Issue

I've got an office with tcp syn flooding. It slows the internet down to
a crawl and makes accessing secure websites almost impossible. It has
this real estate office almost shut down.

The weird thing is that the tide goes out of this DoS attack every day
around 4:00. It just stops and then it starts up in the morning.

The logs show that the flood is coming from about a dozen IP addresses
on the Internet. But is it really? It seems to coincide with the end of
work day for about 1/2 of the staff. 

What's the best way to get rid of a tcp syn flood attack? Should I
assume that it's external and not triggered by an internal machine?

Wed, 12/22/2004 16:17:44 - TCP connection dropped - Source:66.178.17.36, 53263, WAN - Destination:66.178.207.200, 445, WAN - 'TCP:Syn Flooding'
Wed, 12/22/2004 16:17:44 - TCP connection dropped - Source:66.178.17.36, 53263, WAN - Destination:66.178.207.200, 445, WAN - 'TCP:Syn Flooding'
Wed, 12/22/2004 16:17:46 - TCP connection dropped - Source:66.178.17.36, 53263, WAN - Destination:66.178.207.200, 445, WAN - 'TCP:Syn Flooding'
Wed, 12/22/2004 16:18:26 - TCP connection dropped - Source:220.141.51.234, 3040, WAN - Destination:66.178.207.200, 445, WAN - 'TCP:Syn Flooding'
Wed, 12/22/2004 16:18:28 - TCP connection dropped - Source:220.141.51.234, 3040, WAN - Destination:66.178.207.200, 445, WAN - 'TCP:Syn Flooding'

FYI: The firewall isn't an ISA Server (working on them to change) and
there are 3 VPN connections to other offices on this firewall.

If I can get to the bottom of this I'll be the hero and then I can put
in some ISA servers. They really need them. They've got site-to-site
VPNs, RAS, and Exchange. The place is screaming ISA.

Thanks,

Amy
 
 

------------------------------------------------------
List Archives: http://www.webelists.com/cgi/lyris.pl?enter=isalist
ISA Server Newsletter: http://www.isaserver.org/pages/newsletter.asp
ISA Server FAQ: http://www.isaserver.org/pages/larticle.asp?type=FAQ
------------------------------------------------------
Other Internet Software Marketing Sites:
World of Windows Networking: http://www.windowsnetworking.com
Leading Network Software Directory: http://www.serverfiles.com
No.1 Exchange Server Resource Site: http://www.msexchange.org
Windows Security Resource Site: http://www.windowsecurity.com/
Network Security Library: http://www.secinf.net/
Windows 2000/NT Fax Solutions: http://www.ntfaxfaq.com
------------------------------------------------------
You are currently subscribed to this ISAserver.org Discussion List as:
isalist@xxxxxxxxxx
To unsubscribe visit http://www.webelists.com/cgi/lyris.pl?enter=isalist
Report abuse to listadmin@xxxxxxxxxxxxx
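
The following is an added example, not written by either poster: it parses the firewall log format quoted in the thread (wrapped or unwrapped) and groups the dropped SYNs by source address, showing how many distinct connection attempts each source made, which targets it hit, and which interface it arrived on. The field meanings are assumed from the quoted entries, and the sample input is the five entries from the thread.

```python
import re
from collections import defaultdict

# Sample input: the five entries quoted in the thread, with their e-mail line wraps.
SAMPLE_LOG = """\
Wed, 12/22/2004 16:17:44 - TCP connection dropped - Source:66.178.17.36,
53263, WAN - Destination:66.178.207.200, 445, WAN - 'TCP:Syn Flooding'
Wed, 12/22/2004 16:17:44 - TCP connection dropped - Source:66.178.17.36,
53263, WAN - Destination:66.178.207.200, 445, WAN - 'TCP:Syn Flooding'
Wed, 12/22/2004 16:17:46 - TCP connection dropped - Source:66.178.17.36,
53263, WAN - Destination:66.178.207.200, 445, WAN - 'TCP:Syn Flooding'
Wed, 12/22/2004 16:18:26 - TCP connection dropped -
Source:220.141.51.234, 3040, WAN - Destination:66.178.207.200, 445, WAN
- 'TCP:Syn Flooding'
Wed, 12/22/2004 16:18:28 - TCP connection dropped -
Source:220.141.51.234, 3040, WAN - Destination:66.178.207.200, 445, WAN
- 'TCP:Syn Flooding'
"""

# Field meanings (address, port, interface name) are assumed from the quoted entries.
ENTRY = re.compile(
    r"(?P<time>\d\d/\d\d/\d{4} \d\d:\d\d:\d\d) - TCP connection dropped - "
    r"Source:(?P<src>[\d.]+), (?P<sport>\d+), (?P<iface>\w+) - "
    r"Destination:(?P<dst>[\d.]+), (?P<dport>\d+), \w+ - '(?P<reason>[^']+)'"
)

def parse(log_text):
    """Undo line wrapping, then return one dict per dropped-connection entry."""
    flat = " ".join(log_text.split())
    return [m.groupdict() for m in ENTRY.finditer(flat)]

def summarize(entries):
    """Per source address: drops, distinct attempts, targets, arrival interface."""
    # A repeated source port from one address is typically one connection
    # attempt being retried (SYN retransmission), not a new attempt.
    acc = defaultdict(lambda: {"drops": 0, "sports": set(), "targets": set(), "ifaces": set()})
    for e in entries:
        s = acc[e["src"]]
        s["drops"] += 1
        s["sports"].add(e["sport"])
        s["targets"].add((e["dst"], int(e["dport"])))
        s["ifaces"].add(e["iface"])
    return {src: {"drops": s["drops"], "attempts": len(s["sports"]),
                  "targets": sorted(s["targets"]), "ifaces": sorted(s["ifaces"])}
            for src, s in acc.items()}

if __name__ == "__main__":
    for src, info in summarize(parse(SAMPLE_LOG)).items():
        print(src, info)
```

Run over a full log export, a source with many distinct source ports or targets stands out from one that is retrying a single connection.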
