Solved

What is the best way to stop flood attacks on a network?  SYN, FIN, RST.

Posted on 2007-04-05
2
2,557 Views
Last Modified: 2007-12-19
Hello,

We have isolated a flood attack to somewhere in our high school.  We did this by unplugging the fiber that connects their building to ours.  

What's happens is our router becomes very bogged down due to something sending packets to it like crazy.  We have a Sonic Wall 5060 and we're licensed for Intrusion Prevention, Content Filtering, Gateway Antivirus, Anti-Spam... pretty much everything.

However the Sonic Wall will report SYN Floods and FIN Floods happening.  Our 3COM 5012 router becomes very slow and the entire network's internet access speed drops to around a 56modem or none at all.

I have Wire Shark and setup a Mirrored port on our router and took some logs from that, and we know some machines that we could scan for viriuses, but I wondered if anybody else has dealt with this and implemented some kind of solution other than just hunting down the machines and cleaning them.  Which we will do, but I wish there were some setting on the switches or router that we could turn on to at least keep the network and internet speed somewhat reasonable and usable.  We've already lost 2 days worth of internet based work.

Also if anyone has actually hired a company to come in and do this kind of work, please relay that information as well...

Thanks,

M.
0
Comment
Question by:diablo-26
[X]
Welcome to Experts Exchange

Add your voice to the tech community where 5M+ people just like you are talking about what matters.

  • Help others & share knowledge
  • Earn cash & points
  • Learn & ask questions
2 Comments
 
LVL 4

Accepted Solution

by:
AndrewCink earned 500 total points
ID: 18862659
I can think of some options.

1) Check the logs on the sonicwall and see what IP is sourcing the floods, then go find that machine and check it out
2) Internal firewalls. Put a firewall between critical fiber links or network areas to stop a flood from inside your network being propagated to all segments
3) Invest in a quality IPS/IDS. 3com makes a device called a TippingPoint which can scan your internal network for attacks and will block those devices that are generating them.

The best solution in my mind is of course the tipping point, but they are expensive and you will need potentially multiple interfaces to monitor and protect different subnets from attacks. In terms of your problem now, it would make it a moot point however.

The cheapest solution is to use either your firewall logs, a packet sniffer, or whatever device and look at the traffic, see what IP is sourcing it, and then find those devices and pull them off your network until you can clean them.
0
 

Author Comment

by:diablo-26
ID: 18863194
Andrew,

Thanks, you know I just found that Tipping point site yesterday and sent them an e-mail for more information...  Do you know how much they cost?   Last year we paid $10,000.00 for this Sonic Wall 5060 and I thought it would do the trick for this type of stuff, but apparently it's not.  

Soon as I plug the high school fiber back in, the pings on the router go from 1ms to 900ms, very sporadic...  

I think I'll do both, I'll try and pull the machines off and clean or reformat them and also check into that tipping point equipment.

Thanks!

Matt
0

Featured Post

Optimum High-Definition Video Viewing and Control

The ATEN VM0404HA 4x4 4K HDMI Matrix Switch supports 4K resolutions of UHD (3840 x 2160) and DCI (4096 x 2160) with refresh rates of 30 Hz (4:4:4) and 60 Hz (4:2:0). It is ideal for applications where the routing of 4K digital signals is required.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

Make the most of your online learning experience.
This process allows computer passwords to be managed and secured without using LAPS. This is an improvement on an existing process, enhanced to store password encrypted, instead of clear-text files within SQL
After creating this article (http://www.experts-exchange.com/articles/23699/Setup-Mikrotik-routers-with-OSPF.html), I decided to make a video (no audio) to show you how to configure the routers and run some trace routes and pings between the 7 sites…
Sending a Secure fax is easy with eFax Corporate (http://www.enterprise.efax.com). First, just open a new email message. In the To field, type your recipient's fax number @efaxsend.com. You can even send a secure international fax — just include t…
Suggested Courses

630 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question