I have sync flood attack on the network, how can i find out where this is coming from ? as it goes till our ISP and they say its random IP and MAC address, so they can also not pin point it.
any method to stop it, and search from which pc / server its coming from.
This Question has been solved and asker verified All Experts Exchange premium technology solutions are available to subscription members.
Experts Exchange has been collecting answers to technology questions since 1996…3 million and counting! If you have a question, chances are we already have your answer.
If you can't find the exact answer you're looking for, ask our exclusive community of 50,000 experts. You’ll get a personalized answer from a trusted professional.
Thousands of free tech tips, tricks, how-to’s and tutorials are available in our peer reviewed articles section. See for yourself how smart our experts are, no login required.
Save solutions to your questions, answers you’ve discovered through searching plus helpful articles in your personal knowledgebase for easy future access.
Access the answers to your technology questions today.
30-day free trial. Register in 60 seconds.
Members of the expert community talk about why the experience at Experts Exchange is different than what you will find anywhere else.
Try it out and discover for yourself.
30-day free trial. Register in 60 seconds.
Join the community of experts here and help other tech pros by answering question in your area of expertise. You can earn FREE access to all Experts Exchange's premium features and resources.
thanks for the quick responce, we are an ISP, and do not have firewall, as clients do not like to be firewalled. The problem is the sync flood is going till our upstream provider, and they are complaining on this. so we ahve to find these infected clients and get them sorted. so the infected client would be sending loads of data right ? is there a IDS we can construct to monitor these ? or anythign on cisco which could help us to minimize these attacks going out.
If you do have Cisco equipment, I would consider enabling Netflow on your Cisco routers to collect flow data. This should help identify the traffic in question. You can view the data directly from the Cisco router or export the data to a Netflow collector. You can find directions, and a Netflow collector, at http://www.manageengine.co
Mike
If you obtain a firewall from your ISP, then you'll be limited to what solutions they offer you. You should also have the option of purchasing your own firewall and integrating it with your ISP line. What type of firewall or brand usually depends on the size of your environment and how much budget you have for a firewall. Most small environments can effectively use a Linksys router/firewall to keep themselves effectively protected.
Business Accounts
Answer for Membership
by: MikeHolcombPosted on 2009-10-29 at 08:35:00ID: 25694845
It sounds like they're referring to a SYN Flood attack (http://en.wikipedia.org/w
Do you have a firewall at this location? If so, you could use the firewall to watch for outbound traffic from all of your internal hosts. The infected/attacking system should appear as the internal host generating the most traffic. Your ISP should also be able to give you additional clues as to the destination IP addresses that the host is attacking to help you filter through the firewall activity more effectively.
Hope this helps...
Mike