Solved

What is the best way to stop flood attacks on a network?  SYN, FIN, RST.

Posted on 2007-04-05
2
2,548 Views
Last Modified: 2007-12-19
Hello,

We have isolated a flood attack to somewhere in our high school.  We did this by unplugging the fiber that connects their building to ours.  

What's happens is our router becomes very bogged down due to something sending packets to it like crazy.  We have a Sonic Wall 5060 and we're licensed for Intrusion Prevention, Content Filtering, Gateway Antivirus, Anti-Spam... pretty much everything.

However the Sonic Wall will report SYN Floods and FIN Floods happening.  Our 3COM 5012 router becomes very slow and the entire network's internet access speed drops to around a 56modem or none at all.

I have Wire Shark and setup a Mirrored port on our router and took some logs from that, and we know some machines that we could scan for viriuses, but I wondered if anybody else has dealt with this and implemented some kind of solution other than just hunting down the machines and cleaning them.  Which we will do, but I wish there were some setting on the switches or router that we could turn on to at least keep the network and internet speed somewhat reasonable and usable.  We've already lost 2 days worth of internet based work.

Also if anyone has actually hired a company to come in and do this kind of work, please relay that information as well...

Thanks,

M.
0
Comment
Question by:diablo-26
2 Comments
 
LVL 4

Accepted Solution

by:
AndrewCink earned 500 total points
ID: 18862659
I can think of some options.

1) Check the logs on the sonicwall and see what IP is sourcing the floods, then go find that machine and check it out
2) Internal firewalls. Put a firewall between critical fiber links or network areas to stop a flood from inside your network being propagated to all segments
3) Invest in a quality IPS/IDS. 3com makes a device called a TippingPoint which can scan your internal network for attacks and will block those devices that are generating them.

The best solution in my mind is of course the tipping point, but they are expensive and you will need potentially multiple interfaces to monitor and protect different subnets from attacks. In terms of your problem now, it would make it a moot point however.

The cheapest solution is to use either your firewall logs, a packet sniffer, or whatever device and look at the traffic, see what IP is sourcing it, and then find those devices and pull them off your network until you can clean them.
0
 

Author Comment

by:diablo-26
ID: 18863194
Andrew,

Thanks, you know I just found that Tipping point site yesterday and sent them an e-mail for more information...  Do you know how much they cost?   Last year we paid $10,000.00 for this Sonic Wall 5060 and I thought it would do the trick for this type of stuff, but apparently it's not.  

Soon as I plug the high school fiber back in, the pings on the router go from 1ms to 900ms, very sporadic...  

I think I'll do both, I'll try and pull the machines off and clean or reformat them and also check into that tipping point equipment.

Thanks!

Matt
0

Featured Post

Do You Know the 4 Main Threat Actor Types?

Do you know the main threat actor types? Most attackers fall into one of four categories, each with their own favored tactics, techniques, and procedures.

Join & Write a Comment

Phishing is at the top of most security top 10 efforts you should be pursuing in 2016 and beyond. If you don't have phishing incorporated into your Security Awareness Program yet, now is the time. Phishers, and the scams they use, are only going to …
If you get continual lockouts after changing your Active Directory password, there are several possible reasons.  Two of the most common are using other devices to access your email and stored passwords in the credential manager of windows.
After creating this article (http://www.experts-exchange.com/articles/23699/Setup-Mikrotik-routers-with-OSPF.html), I decided to make a video (no audio) to show you how to configure the routers and run some trace routes and pings between the 7 sites…
Sending a Secure fax is easy with eFax Corporate (http://www.enterprise.efax.com). First, Just open a new email message.  In the To field, type your recipient's fax number @efaxsend.com. You can even send a secure international fax — just include t…

707 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question

Need Help in Real-Time?

Connect with top rated Experts

18 Experts available now in Live!

Get 1:1 Help Now