What is the best way to stop flood attacks on a network? SYN, FIN, RST.

Hello,

We have isolated a flood attack to somewhere in our high school.  We did this by unplugging the fiber that connects their building to ours.  

What's happens is our router becomes very bogged down due to something sending packets to it like crazy.  We have a Sonic Wall 5060 and we're licensed for Intrusion Prevention, Content Filtering, Gateway Antivirus, Anti-Spam... pretty much everything.

However the Sonic Wall will report SYN Floods and FIN Floods happening.  Our 3COM 5012 router becomes very slow and the entire network's internet access speed drops to around a 56modem or none at all.

I have Wire Shark and setup a Mirrored port on our router and took some logs from that, and we know some machines that we could scan for viriuses, but I wondered if anybody else has dealt with this and implemented some kind of solution other than just hunting down the machines and cleaning them.  Which we will do, but I wish there were some setting on the switches or router that we could turn on to at least keep the network and internet speed somewhat reasonable and usable.  We've already lost 2 days worth of internet based work.

Also if anyone has actually hired a company to come in and do this kind of work, please relay that information as well...

Thanks,

M.
diablo-26Asked:
Who is Participating?
I wear a lot of hats...

"The solutions and answers provided on Experts Exchange have been extremely helpful to me over the last few years. I wear a lot of hats - Developer, Database Administrator, Help Desk, etc., so I know a lot of things but not a lot about one thing. Experts Exchange gives me answers from people who do know a lot about one thing, in a easy to use platform." -Todd S.

AndrewCinkCommented:
I can think of some options.

1) Check the logs on the sonicwall and see what IP is sourcing the floods, then go find that machine and check it out
2) Internal firewalls. Put a firewall between critical fiber links or network areas to stop a flood from inside your network being propagated to all segments
3) Invest in a quality IPS/IDS. 3com makes a device called a TippingPoint which can scan your internal network for attacks and will block those devices that are generating them.

The best solution in my mind is of course the tipping point, but they are expensive and you will need potentially multiple interfaces to monitor and protect different subnets from attacks. In terms of your problem now, it would make it a moot point however.

The cheapest solution is to use either your firewall logs, a packet sniffer, or whatever device and look at the traffic, see what IP is sourcing it, and then find those devices and pull them off your network until you can clean them.
0

Experts Exchange Solution brought to you by

Your issues matter to us.

Facing a tech roadblock? Get the help and guidance you need from experienced professionals who care. Ask your question anytime, anywhere, with no hassle.

Start your 7-day free trial
diablo-26Author Commented:
Andrew,

Thanks, you know I just found that Tipping point site yesterday and sent them an e-mail for more information...  Do you know how much they cost?   Last year we paid $10,000.00 for this Sonic Wall 5060 and I thought it would do the trick for this type of stuff, but apparently it's not.  

Soon as I plug the high school fiber back in, the pings on the router go from 1ms to 900ms, very sporadic...  

I think I'll do both, I'll try and pull the machines off and clean or reformat them and also check into that tipping point equipment.

Thanks!

Matt
0
It's more than this solution.Get answers and train to solve all your tech problems - anytime, anywhere.Try it for free Edge Out The Competitionfor your dream job with proven skills and certifications.Get started today Stand Outas the employee with proven skills.Start learning today for free Move Your Career Forwardwith certification training in the latest technologies.Start your trial today
Routers

From novice to tech pro — start learning today.