
Syn Flood attacks

Posted on 2006-06-07
Last Modified: 2010-03-19
My Sonicwall is getting "Syn Flood Attack" alerts. I think that I know what this is but I don't know how to prevent it. I think that it is making my web server slow. If someone knows a solution, please share it with me.
Jared
Question by:jared_goff
 
LVL 16

Expert Comment

by:The--Captain
ID: 16859346
A sniffer in front of the sonicwall should reveal if this is just normal background noise or actual traffic with which you should be concerned.

Cheers,
-Jon
0
 

Author Comment

by:jared_goff
ID: 16862666
Any suggestions for an easy-to-use sniffer? I don't have any experience working with one.
Jared
0
 
LVL 16

Expert Comment

by:The--Captain
ID: 16864719
Ethereal seems fairly popular...

Cheers,
-Jon
0
 

Author Comment

by:jared_goff
ID: 16867090
I downloaded and installed Ethereal. Makes little sense to me. When you say just normal background noise and actual traffic, how would I know the difference?
0
 
LVL 16

Accepted Solution

by:
The--Captain earned 500 total points
ID: 16875818
When you tell Ethereal to only look for SYN packets, if you see more than one every second or so then you might be getting scanned, at least.

Look at the source IP of the packets - is it generally the same?  If so, it's likely a single idiot that you might be able to track down or at least complain to his local ISP.  If not, then it might be a scan or attack, but if it were an attack you would expect to see quite a few packets per second, not just one or two, so maybe you just have an IP that used to be assigned to a popular (or even remotely popular) site, and people are still trying to reach it on the outdated IP (yours).

Are these packets SYN, or SYN/ACK?  If they're SYN/ACK, then you may have a local machine that is infected and the SYN/ACKs could be a response to scans originating from the infected machine.

There are plenty of possibilities here - the better you can describe what you are seeing, the more specific I likely can be.

Cheers,
-Jon
0
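The triage described in the accepted answer (SYN rate, whether the source IP is generally the same, SYN versus SYN/ACK), written out as an added example that is not part of the original thread. The `triage` function, the 50 packets-per-second and 80% single-source cut-offs, and the sample captures are assumptions made for illustration; only the "one every second or so" threshold comes from the answer.

```python
from collections import Counter

SYN, ACK = 0x02, 0x10     # TCP flag bits
SCAN_PPS = 1.0            # "more than one every second or so" (from the answer)
FLOOD_PPS = 50.0          # assumed cut-off for "quite a few packets per second"
SINGLE_SRC_SHARE = 0.8    # assumed share at which the source is "generally the same"

def triage(packets):
    """packets: list of (epoch_seconds, src_ip, tcp_flags) arriving at the firewall."""
    syns = [(t, ip) for t, ip, f in packets if (f & SYN) and not (f & ACK)]
    synacks = [p for p in packets if (p[2] & SYN) and (p[2] & ACK)]
    if len(synacks) > len(syns):
        # The answer reads inbound SYN/ACKs as replies to scans leaving an infected local machine.
        return {"verdict": "inbound SYN/ACK: check local machines for infection",
                "syn_pps": None, "top_src": None}
    if len(syns) < 2:
        return {"verdict": "background noise", "syn_pps": 0.0, "top_src": None}
    times = [t for t, _ in syns]
    span = max(max(times) - min(times), 1.0)   # clamp so a sub-second burst is not divided by ~0
    pps = len(syns) / span
    top_src, top_n = Counter(ip for _, ip in syns).most_common(1)[0]
    if pps <= SCAN_PPS:
        verdict = "background noise"
    elif top_n / len(syns) >= SINGLE_SRC_SHARE:
        verdict = "single source: track down or report to its ISP"
    elif pps >= FLOOD_PPS:
        verdict = "many sources, high rate: likely attack"
    else:
        verdict = "many sources, low rate: scan or stale traffic for this IP"
    return {"verdict": verdict, "syn_pps": round(pps, 1), "top_src": top_src}

# Constructed sample captures (documentation address ranges, not real traffic).
NOISE = [(i * 15.0, f"192.0.2.{i + 1}", SYN) for i in range(5)]
SINGLE = [(i / 3, "203.0.113.9", SYN) for i in range(30)]
FLOOD = [(i * 0.005, f"198.51.100.{i % 250}", SYN) for i in range(600)]
REPLIES = [(i * 0.5, f"192.0.2.{i + 1}", SYN | ACK) for i in range(20)]

if __name__ == "__main__":
    for name, cap in [("noise", NOISE), ("single", SINGLE), ("flood", FLOOD), ("replies", REPLIES)]:
        print(name, triage(cap))
```

The tuples can be filled from any capture exported with timestamp, source address and TCP flags columns.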
