Intrusion Prevention -       Possible SYN Flood

dunersbsquad asked
8,217 Views
Last Modified: 2012-06-21
I'm getting tons of these messages in my SonicWall log: Intrusion Prevention -       Possible SYN Flood.

The source is from various IPs on my network, but I don't see anything abnormal on the machines. What could this be, and how would I trace it down?

Thanks,

The reason you don't see any problems in your internal network is because the SonicWall is taking the hit and is doing its job. If the 'action' defined in the SonicWall for SYN flood prevention is to block it, then you are good. Nothing else can be done to prevent it, but the firewall will take care of it.

Read the link as well:

http://rsivanandan.wordpress.com/2006/11/24/how-does-firewall-prevent-dosddos-attacks/

Cheers,
Rajesh
The SonicWall is blocking possible denial of service attacks; some may be false positives. Your intrusion prevention service is detecting possible problems, so it drops the connection and logs it.

You can set the log to different levels. For example, on the SonicWall's Log > Categories page set it to Critical; the intrusion detection service will still keep blocking it, it just won't show in the logs. There are 8 different levels of logging.

On the Firewall > TCP Settings page there are Layer 2 and Layer 3 SYN Flood Protection settings.

Author

Commented:
The messages are coming from internal IPs. If I simply reboot the PC, I stop getting messages from that IP. I'm just not sure what could be running internally to generate that.
Have you checked for viruses, spyware, etc. on that computer that you are rebooting?
Is it coming from different internal machines or a single machine ?

Can you post a snippet of log here that you see ?

Cheers,
Rajesh

Author

Commented:
I've done virus and spyware checks and nothing is coming up. Since I rebooted the systems all traffic has stopped and I'm no longer getting the messages in my log.

But here is an example of my log from yesterday.

01/22/2007 09:10:49.240 - Alert - Intrusion Prevention -       Possible SYN Flood on IF X0 - from machine xx:xx:c3:7c:dd:21 with SYN rate of 229/sec has ceased                   -        -       
01/22/2007 09:10:50.176 - Alert - Intrusion Prevention -       Possible SYN Flood on IF X0 - src: 10.0.3.106:4757 dst: 212.116.158.220:139                   -        -       
01/22/2007 09:10:52.304 - Alert - Intrusion Prevention -       Possible SYN Flood on IF X0 - from machine xx:xx:c3:7c:dd:21 with SYN rate of 263/sec has ceased                   -        -       
01/22/2007 09:10:54.208 - Alert - Intrusion Prevention -       Possible SYN Flood on IF X0 - src: 10.0.0.70:2941 dst: 62.203.10.179:139                   -        -       
01/22/2007 09:10:56.368 - Alert - Intrusion Prevention -       Possible SYN Flood on IF X0 - from machine xx:xx:c3:7c:dd:21 with SYN rate of 257/sec has ceased                   -        -       
01/22/2007 09:10:57.240 - Alert - Intrusion Prevention -       Possible SYN Flood on IF X0 - src: 10.0.1.21:2153 dst: 212.11.134.212:5900                   -        -       
01/22/2007 09:10:59.432 - Alert - Intrusion Prevention -       Possible SYN Flood on IF X0 - from machine xx:xx:c3:7c:dd:21 with SYN rate of 264/sec has ceased                   -        -       
01/22/2007 09:11:01.304 - Alert - Intrusion Prevention -       Possible SYN Flood on IF X0 - src: 10.0.1.116:3774 dst: 212.240.218.81:5900                   -        -       
01/22/2007 09:11:02.496 - Alert - Intrusion Prevention -       Possible SYN Flood on IF X0 - from machine xx:xx:c3:7c:dd:21 with SYN rate of 298/sec has ceased                   -        -       
01/22/2007 09:11:04.352 - Alert - Intrusion Prevention -       Possible SYN Flood on IF X0 - src: 10.0.3.24:2833 dst: 212.139.22.121:5900                   -        -       
01/22/2007 09:11:05.544 - Alert - Intrusion Prevention -       Possible SYN Flood on IF X0 - from machine xx:xx:c3:7c:dd:21 with SYN rate of 283/sec has ceased                   -        -       
01/22/2007 09:11:08.448 - Alert - Intrusion Prevention -       Possible SYN Flood on IF X0 - src: 10.0.1.116:3889 dst: 212.26.127.8:5900                   -        -       
01/22/2007 09:11:09.608 - Alert - Intrusion Prevention -       Possible SYN Flood on IF X0 - from machine xx:xx:c3:7c:dd:21 with SYN rate of 285/sec has ceased                   -        -       
01/22/2007 09:11:11.448 - Alert - Intrusion Prevention -       Possible SYN Flood on IF X0 - src: 10.0.3.24:3040 dst:
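The log excerpt above mixes two message shapes: a per-MAC "SYN rate of N/sec has ceased" alert and a per-flow "src: ... dst: ..." alert. Aggregating the flow alerts by internal source and by destination port is what makes the pattern visible (every destination here is port 139 or 5900 on an outside address). The following Python script is an added example, not code from the original thread or from SonicWall; the sample lines are copied from the post above (MAC partly masked as the poster masked it, trailing empty log columns shortened, and the last line left truncated exactly as posted so the parser has to cope with it).

```python
import re
from collections import Counter

# Lines copied from the post above. The final line is truncated in the post itself,
# so it serves as the "does not parse" case.
SAMPLE_LOG = [
    "01/22/2007 09:10:49.240 - Alert - Intrusion Prevention -       Possible SYN Flood on IF X0 - from machine xx:xx:c3:7c:dd:21 with SYN rate of 229/sec has ceased - -",
    "01/22/2007 09:10:50.176 - Alert - Intrusion Prevention -       Possible SYN Flood on IF X0 - src: 10.0.3.106:4757 dst: 212.116.158.220:139 - -",
    "01/22/2007 09:10:52.304 - Alert - Intrusion Prevention -       Possible SYN Flood on IF X0 - from machine xx:xx:c3:7c:dd:21 with SYN rate of 263/sec has ceased - -",
    "01/22/2007 09:10:54.208 - Alert - Intrusion Prevention -       Possible SYN Flood on IF X0 - src: 10.0.0.70:2941 dst: 62.203.10.179:139 - -",
    "01/22/2007 09:10:56.368 - Alert - Intrusion Prevention -       Possible SYN Flood on IF X0 - from machine xx:xx:c3:7c:dd:21 with SYN rate of 257/sec has ceased - -",
    "01/22/2007 09:10:57.240 - Alert - Intrusion Prevention -       Possible SYN Flood on IF X0 - src: 10.0.1.21:2153 dst: 212.11.134.212:5900 - -",
    "01/22/2007 09:10:59.432 - Alert - Intrusion Prevention -       Possible SYN Flood on IF X0 - from machine xx:xx:c3:7c:dd:21 with SYN rate of 264/sec has ceased - -",
    "01/22/2007 09:11:01.304 - Alert - Intrusion Prevention -       Possible SYN Flood on IF X0 - src: 10.0.1.116:3774 dst: 212.240.218.81:5900 - -",
    "01/22/2007 09:11:02.496 - Alert - Intrusion Prevention -       Possible SYN Flood on IF X0 - from machine xx:xx:c3:7c:dd:21 with SYN rate of 298/sec has ceased - -",
    "01/22/2007 09:11:04.352 - Alert - Intrusion Prevention -       Possible SYN Flood on IF X0 - src: 10.0.3.24:2833 dst: 212.139.22.121:5900 - -",
    "01/22/2007 09:11:05.544 - Alert - Intrusion Prevention -       Possible SYN Flood on IF X0 - from machine xx:xx:c3:7c:dd:21 with SYN rate of 283/sec has ceased - -",
    "01/22/2007 09:11:08.448 - Alert - Intrusion Prevention -       Possible SYN Flood on IF X0 - src: 10.0.1.116:3889 dst: 212.26.127.8:5900 - -",
    "01/22/2007 09:11:09.608 - Alert - Intrusion Prevention -       Possible SYN Flood on IF X0 - from machine xx:xx:c3:7c:dd:21 with SYN rate of 285/sec has ceased - -",
    "01/22/2007 09:11:11.448 - Alert - Intrusion Prevention -       Possible SYN Flood on IF X0 - src: 10.0.3.24:3040 dst:",
]

# Common prefix of both message shapes: timestamp, severity, category, interface.
PREFIX = (r"^(?P<ts>\d{2}/\d{2}/\d{4} \d{2}:\d{2}:\d{2}\.\d+) - (?P<sev>\w+) - "
          r"Intrusion Prevention -\s+Possible SYN Flood on IF (?P<iface>\w+) - ")
RATE_RE = re.compile(PREFIX + r"from machine (?P<mac>[0-9a-fx:]+) with SYN rate of (?P<rate>\d+)/sec")
FLOW_RE = re.compile(PREFIX + r"src: (?P<src_ip>[\d.]+):(?P<src_port>\d+) dst: (?P<dst_ip>[\d.]+):(?P<dst_port>\d+)")

# Service names for the destination ports seen in the post; other ports are reported by number.
PORT_NAMES = {139: "netbios-ssn", 5900: "vnc"}


def parse_line(line):
    """Return a dict for one SYN flood alert, or None when the line does not parse
    (a different log category, or a line truncated in the export)."""
    m = RATE_RE.match(line)
    if m:
        ev = m.groupdict()
        ev["kind"] = "rate"
        ev["rate"] = int(ev["rate"])
        return ev
    m = FLOW_RE.match(line)
    if m:
        ev = m.groupdict()
        ev["kind"] = "flow"
        ev["src_port"] = int(ev["src_port"])
        ev["dst_port"] = int(ev["dst_port"])
        return ev
    return None


def summarize(lines):
    """Aggregate alerts by internal source, destination port and destination host,
    and keep the peak per-MAC SYN rate, so the scan-like pattern stands out."""
    summary = {"rate_events": 0, "peak_rate": 0, "flow_events": 0, "unparsed": 0,
               "by_source": Counter(), "by_dst_port": Counter(), "by_dst_host": Counter()}
    for line in lines:
        ev = parse_line(line)
        if ev is None:
            summary["unparsed"] += 1
        elif ev["kind"] == "rate":
            summary["rate_events"] += 1
            summary["peak_rate"] = max(summary["peak_rate"], ev["rate"])
        else:
            summary["flow_events"] += 1
            summary["by_source"][ev["src_ip"]] += 1
            summary["by_dst_port"][ev["dst_port"]] += 1
            summary["by_dst_host"][ev["dst_ip"]] += 1
    return summary


def report(summary):
    """Render the summary as text an administrator can read at a glance."""
    out = [f"SYN-rate alerts: {summary['rate_events']} (peak {summary['peak_rate']}/sec)",
           f"flow alerts: {summary['flow_events']}, unparsed lines: {summary['unparsed']}"]
    for port, n in summary["by_dst_port"].most_common():
        out.append(f"  dst port {port} ({PORT_NAMES.get(port, 'unknown')}): {n} alerts")
    for ip, n in summary["by_source"].most_common():
        out.append(f"  internal source {ip}: {n} alerts")
    return "\n".join(out)


if __name__ == "__main__":
    print(report(summarize(SAMPLE_LOG)))
```

Run against the posted excerpt, the report shows four flow alerts to port 5900 and two to port 139, spread over five internal hosts, with one host (10.0.1.116) appearing twice. That is the shape the later replies settle on: internal workstations opening many connections to VNC and NetBIOS ports on outside addresses, which the SonicWall's SYN rate threshold classifies as a flood. The same script reads a full log export line by line, and the `unparsed` counter tells you how many lines it could not account for rather than silently dropping them.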
I would try to take one of the machines in question and scan it for spyware/virii etc . Have you done that already ?

Cheers,
Rajesh

Author

Commented:
I've run our Corporate Symantec with the latest updates and our Corporate SpySweeper with the latest updates, and nothing. It's very strange.

Author

Commented:
I looked right over that.  It makes a little more sense now.  We just started deploying VNC to some of our workstations.

Thanks,
Also remember the fact that more and more vnc exploits are coming up now!

Thanks for the points.

Cheers,
Rajesh
