dunersbsquad
asked on
Intrusion Prevention - Possible SYN Flood
I'm getting tons of these messages in my SonicWall log: "Intrusion Prevention - Possible SYN Flood".
The source is from various IPs on my network, but I don't see anything abnormal on the machines. What could this be, and how would I trace it down?
Thanks,
The SonicWall is blocking possible denial of service attacks, some of which may be false positives: your Intrusion Prevention Service is detecting possible problems, so it drops the connection and logs it.
You can set the log to different levels; for example, on the SonicWall's Log > Categories page set it to Critical. The intrusion detection service will still keep blocking it, it just won't show in the logs. There are 8 different levels of logging.
On the Firewall > TCP Settings page there are layer 2 and layer 3 SYN Flood Protection settings.
ASKER
The messages are coming from internal IPs. If I simply reboot the PC, I stop getting messages from that IP. I'm just not sure what could be running internally to generate that.
Have you checked for viruses, spyware, etc. on the computer that you are rebooting?
Is it coming from different internal machines or a single machine ?
Can you post a snippet of log here that you see ?
Cheers,
Rajesh
ASKER
I've done virus and spyware checks and they're not coming up with anything. Since I rebooted the systems all traffic has stopped and I'm no longer getting the messages in my log.
But here is an example of my log from yesterday.
01/22/2007 09:10:49.240 - Alert - Intrusion Prevention - Possible SYN Flood on IF X0 - from machine xx:xx:c3:7c:dd:21 with SYN rate of 229/sec has ceased - -
01/22/2007 09:10:50.176 - Alert - Intrusion Prevention - Possible SYN Flood on IF X0 - src: 10.0.3.106:4757 dst: 212.116.158.220:139 - -
01/22/2007 09:10:52.304 - Alert - Intrusion Prevention - Possible SYN Flood on IF X0 - from machine xx:xx:c3:7c:dd:21 with SYN rate of 263/sec has ceased - -
01/22/2007 09:10:54.208 - Alert - Intrusion Prevention - Possible SYN Flood on IF X0 - src: 10.0.0.70:2941 dst: 62.203.10.179:139 - -
01/22/2007 09:10:56.368 - Alert - Intrusion Prevention - Possible SYN Flood on IF X0 - from machine xx:xx:c3:7c:dd:21 with SYN rate of 257/sec has ceased - -
01/22/2007 09:10:57.240 - Alert - Intrusion Prevention - Possible SYN Flood on IF X0 - src: 10.0.1.21:2153 dst: 212.11.134.212:5900 - -
01/22/2007 09:10:59.432 - Alert - Intrusion Prevention - Possible SYN Flood on IF X0 - from machine xx:xx:c3:7c:dd:21 with SYN rate of 264/sec has ceased - -
01/22/2007 09:11:01.304 - Alert - Intrusion Prevention - Possible SYN Flood on IF X0 - src: 10.0.1.116:3774 dst: 212.240.218.81:5900 - -
01/22/2007 09:11:02.496 - Alert - Intrusion Prevention - Possible SYN Flood on IF X0 - from machine xx:xx:c3:7c:dd:21 with SYN rate of 298/sec has ceased - -
01/22/2007 09:11:04.352 - Alert - Intrusion Prevention - Possible SYN Flood on IF X0 - src: 10.0.3.24:2833 dst: 212.139.22.121:5900 - -
01/22/2007 09:11:05.544 - Alert - Intrusion Prevention - Possible SYN Flood on IF X0 - from machine xx:xx:c3:7c:dd:21 with SYN rate of 283/sec has ceased - -
01/22/2007 09:11:08.448 - Alert - Intrusion Prevention - Possible SYN Flood on IF X0 - src: 10.0.1.116:3889 dst: 212.26.127.8:5900 - -
01/22/2007 09:11:09.608 - Alert - Intrusion Prevention - Possible SYN Flood on IF X0 - from machine xx:xx:c3:7c:dd:21 with SYN rate of 285/sec has ceased - -
01/22/2007 09:11:11.448 - Alert - Intrusion Prevention - Possible SYN Flood on IF X0 - src: 10.0.3.24:3040 dst:
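The log lines above have two shapes: a per-connection line with an internal source and an external destination, and a "has ceased" line giving the SYN rate the firewall saw. Grouping the connection lines by destination port shows the pattern the thread eventually settles on (several internal hosts each opening connections to different external addresses on the same port, 139 and 5900), and the "has ceased" lines show the same MAC regardless of which source IP is involved, so the source IP, not the MAC, is what identifies the host to look at. The following parser and grouping are an added example written for this page, not something from the thread or from SonicWall; the sample log is the snippet posted above reproduced as constructed input, and the "several external targets on one port" heuristic is an assumption about what counts as scan-like, not a SonicWall rule.

```python
"""Triage SonicWall "Possible SYN Flood" alerts by source host and target port."""
import ipaddress
import re
from collections import defaultdict

# Constructed sample: the two message shapes quoted in the thread, including
# its truncated final line so the parser is seen skipping what it cannot read.
SAMPLE_LOG = """\
01/22/2007 09:10:49.240 - Alert - Intrusion Prevention - Possible SYN Flood on IF X0 - from machine xx:xx:c3:7c:dd:21 with SYN rate of 229/sec has ceased - -
01/22/2007 09:10:50.176 - Alert - Intrusion Prevention - Possible SYN Flood on IF X0 - src: 10.0.3.106:4757 dst: 212.116.158.220:139 - -
01/22/2007 09:10:52.304 - Alert - Intrusion Prevention - Possible SYN Flood on IF X0 - from machine xx:xx:c3:7c:dd:21 with SYN rate of 263/sec has ceased - -
01/22/2007 09:10:54.208 - Alert - Intrusion Prevention - Possible SYN Flood on IF X0 - src: 10.0.0.70:2941 dst: 62.203.10.179:139 - -
01/22/2007 09:10:56.368 - Alert - Intrusion Prevention - Possible SYN Flood on IF X0 - from machine xx:xx:c3:7c:dd:21 with SYN rate of 257/sec has ceased - -
01/22/2007 09:10:57.240 - Alert - Intrusion Prevention - Possible SYN Flood on IF X0 - src: 10.0.1.21:2153 dst: 212.11.134.212:5900 - -
01/22/2007 09:10:59.432 - Alert - Intrusion Prevention - Possible SYN Flood on IF X0 - from machine xx:xx:c3:7c:dd:21 with SYN rate of 264/sec has ceased - -
01/22/2007 09:11:01.304 - Alert - Intrusion Prevention - Possible SYN Flood on IF X0 - src: 10.0.1.116:3774 dst: 212.240.218.81:5900 - -
01/22/2007 09:11:02.496 - Alert - Intrusion Prevention - Possible SYN Flood on IF X0 - from machine xx:xx:c3:7c:dd:21 with SYN rate of 298/sec has ceased - -
01/22/2007 09:11:04.352 - Alert - Intrusion Prevention - Possible SYN Flood on IF X0 - src: 10.0.3.24:2833 dst: 212.139.22.121:5900 - -
01/22/2007 09:11:05.544 - Alert - Intrusion Prevention - Possible SYN Flood on IF X0 - from machine xx:xx:c3:7c:dd:21 with SYN rate of 283/sec has ceased - -
01/22/2007 09:11:08.448 - Alert - Intrusion Prevention - Possible SYN Flood on IF X0 - src: 10.0.1.116:3889 dst: 212.26.127.8:5900 - -
01/22/2007 09:11:09.608 - Alert - Intrusion Prevention - Possible SYN Flood on IF X0 - from machine xx:xx:c3:7c:dd:21 with SYN rate of 285/sec has ceased - -
01/22/2007 09:11:11.448 - Alert - Intrusion Prevention - Possible SYN Flood on IF X0 - src: 10.0.3.24:3040 dst:
"""

PREFIX = (r"^(?P<ts>\d{2}/\d{2}/\d{4} \d{2}:\d{2}:\d{2}\.\d{3}) - (?P<level>\w+) - "
          r"Intrusion Prevention - Possible SYN Flood on IF (?P<iface>\S+) - ")
FLOW_RE = re.compile(PREFIX + r"src: (?P<src_ip>[\d.]+):(?P<src_port>\d+) "
                     r"dst: (?P<dst_ip>[\d.]+):(?P<dst_port>\d+) - -$")
# The MAC in the thread is partly redacted ("xx:xx:..."), so 'x' is allowed as a digit.
RATE_RE = re.compile(PREFIX + r"from machine (?P<mac>[0-9a-fx]{2}(?::[0-9a-fx]{2}){5}) "
                     r"with SYN rate of (?P<rate>\d+)/sec has ceased - -$")


def parse_log(text):
    """Return (flows, rates, skipped). Lines matching neither shape are skipped."""
    flows, rates, skipped = [], [], []
    for line in text.splitlines():
        if not line.strip():
            continue
        if (m := FLOW_RE.match(line)):
            d = m.groupdict()
            d["src_port"], d["dst_port"] = int(d["src_port"]), int(d["dst_port"])
            flows.append(d)
        elif (m := RATE_RE.match(line)):
            d = m.groupdict()
            d["rate"] = int(d["rate"])
            rates.append(d)
        else:
            skipped.append(line)
    return flows, rates, skipped


def peak_syn_rate(rates):
    """Highest SYN rate the firewall reported before a burst ceased."""
    return max(r["rate"] for r in rates) if rates else 0


def reporting_macs(rates):
    """Distinct MACs in the 'has ceased' lines. One MAC shared across several
    source IPs means the MAC does not pick out the host; use the src IP instead."""
    return sorted({r["mac"] for r in rates})


def scan_indicators(flows, min_targets=2):
    """Heuristic (an assumption of this example, not a SonicWall rule): group
    internal-to-external SYNs by destination port. A port hit on several distinct
    external addresses looks like a scan for that service rather than ordinary
    client traffic. Returns {dst_port: {"sources": [...], "targets": [...]}}
    for ports that reach min_targets distinct external addresses."""
    by_port = defaultdict(lambda: {"sources": set(), "targets": set()})
    for f in flows:
        if not ipaddress.ip_address(f["src_ip"]).is_private:
            continue                      # only internal-origin traffic is of interest here
        if ipaddress.ip_address(f["dst_ip"]).is_private:
            continue                      # internal-to-internal traffic is out of scope
        by_port[f["dst_port"]]["sources"].add(f["src_ip"])
        by_port[f["dst_port"]]["targets"].add(f["dst_ip"])
    return {port: {"sources": sorted(v["sources"]), "targets": sorted(v["targets"])}
            for port, v in by_port.items() if len(v["targets"]) >= min_targets}


if __name__ == "__main__":
    flows, rates, skipped = parse_log(SAMPLE_LOG)
    print(f"{len(flows)} flow lines, {len(rates)} rate lines, {len(skipped)} skipped")
    print("peak SYN rate:", peak_syn_rate(rates), "/sec; MACs:", reporting_macs(rates))
    for port, info in sorted(scan_indicators(flows).items()):
        print(f"port {port}: {len(info['sources'])} internal hosts -> "
              f"{len(info['targets'])} external targets {info['sources']}")
```

Run against the posted snippet this reports one MAC for all seven rate lines, a peak of 298 SYN/sec, and two ports of interest: 139 reached from two internal hosts and 5900 reached from three internal hosts against four different external addresses. The truncated last line is counted as skipped rather than guessed at. On a full day's export, raising `min_targets` is the knob that separates a few legitimate remote-desktop sessions from a host walking through external address space.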
I would try to take one of the machines in question and scan it for spyware, viruses, etc. Have you done that already?
Cheers,
Rajesh
ASKER
I've run our Corporate Symantec with the latest updates and our Corporate SpySweeper with the latest updates and nothing. It's very strange.
ASKER CERTIFIED SOLUTION
ASKER
I looked right over that. It makes a little more sense now. We just started deploying VNC to some of our workstations.
Thanks,
Also remember the fact that more and more VNC exploits are coming up now!
Thanks for the points.
Cheers,
Rajesh
Read the link as well:
http://rsivanandan.wordpress.com/2006/11/24/how-does-firewall-prevent-dosddos-attacks/
Cheers,
Rajesh