What is the best way to stop flood attacks on a network? SYN, FIN, RST.
Posted on 2007-04-05
We have isolated a flood attack to somewhere in our high school. We did this by unplugging the fiber that connects their building to ours.
What's happens is our router becomes very bogged down due to something sending packets to it like crazy. We have a Sonic Wall 5060 and we're licensed for Intrusion Prevention, Content Filtering, Gateway Antivirus, Anti-Spam... pretty much everything.
However the Sonic Wall will report SYN Floods and FIN Floods happening. Our 3COM 5012 router becomes very slow and the entire network's internet access speed drops to around a 56modem or none at all.
I have Wire Shark and setup a Mirrored port on our router and took some logs from that, and we know some machines that we could scan for viriuses, but I wondered if anybody else has dealt with this and implemented some kind of solution other than just hunting down the machines and cleaning them. Which we will do, but I wish there were some setting on the switches or router that we could turn on to at least keep the network and internet speed somewhat reasonable and usable. We've already lost 2 days worth of internet based work.
Also if anyone has actually hired a company to come in and do this kind of work, please relay that information as well...