Solved

What is the best way to stop flood attacks on a network?  SYN, FIN, RST.

Posted on 2007-04-05
2
2,551 Views
Last Modified: 2007-12-19
Hello,

We have isolated a flood attack to somewhere in our high school.  We did this by unplugging the fiber that connects their building to ours.  

What's happens is our router becomes very bogged down due to something sending packets to it like crazy.  We have a Sonic Wall 5060 and we're licensed for Intrusion Prevention, Content Filtering, Gateway Antivirus, Anti-Spam... pretty much everything.

However the Sonic Wall will report SYN Floods and FIN Floods happening.  Our 3COM 5012 router becomes very slow and the entire network's internet access speed drops to around a 56modem or none at all.

I have Wire Shark and setup a Mirrored port on our router and took some logs from that, and we know some machines that we could scan for viriuses, but I wondered if anybody else has dealt with this and implemented some kind of solution other than just hunting down the machines and cleaning them.  Which we will do, but I wish there were some setting on the switches or router that we could turn on to at least keep the network and internet speed somewhat reasonable and usable.  We've already lost 2 days worth of internet based work.

Also if anyone has actually hired a company to come in and do this kind of work, please relay that information as well...

Thanks,

M.
0
Comment
Question by:diablo-26
2 Comments
 
LVL 4

Accepted Solution

by:
AndrewCink earned 500 total points
ID: 18862659
I can think of some options.

1) Check the logs on the sonicwall and see what IP is sourcing the floods, then go find that machine and check it out
2) Internal firewalls. Put a firewall between critical fiber links or network areas to stop a flood from inside your network being propagated to all segments
3) Invest in a quality IPS/IDS. 3com makes a device called a TippingPoint which can scan your internal network for attacks and will block those devices that are generating them.

The best solution in my mind is of course the tipping point, but they are expensive and you will need potentially multiple interfaces to monitor and protect different subnets from attacks. In terms of your problem now, it would make it a moot point however.

The cheapest solution is to use either your firewall logs, a packet sniffer, or whatever device and look at the traffic, see what IP is sourcing it, and then find those devices and pull them off your network until you can clean them.
0
 

Author Comment

by:diablo-26
ID: 18863194
Andrew,

Thanks, you know I just found that Tipping point site yesterday and sent them an e-mail for more information...  Do you know how much they cost?   Last year we paid $10,000.00 for this Sonic Wall 5060 and I thought it would do the trick for this type of stuff, but apparently it's not.  

Soon as I plug the high school fiber back in, the pings on the router go from 1ms to 900ms, very sporadic...  

I think I'll do both, I'll try and pull the machines off and clean or reformat them and also check into that tipping point equipment.

Thanks!

Matt
0

Featured Post

PRTG Network Monitor: Intuitive Network Monitoring

Network Monitoring is essential to ensure that computer systems and network devices are running. Use PRTG to monitor LANs, servers, websites, applications and devices, bandwidth, virtual environments, remote systems, IoT, and many more. PRTG is easy to set up & use.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

If you thought ransomware was bad, think again! Doxware has the potential to be even more damaging.
As a business owner, there are many things that keep you up at night. Profit margins, employee retention, human resource protocols, whether your product or service will remain competitive. When you own or manage a technology company that operates la…
After creating this article (http://www.experts-exchange.com/articles/23699/Setup-Mikrotik-routers-with-OSPF.html), I decided to make a video (no audio) to show you how to configure the routers and run some trace routes and pings between the 7 sites…
The Email Laundry PDF encryption service allows companies to send confidential encrypted  emails to anybody. The PDF document can also contain attachments that are embedded in the encrypted PDF. The password is randomly generated by The Email Laundr…

809 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question