What is the best way to stop flood attacks on a network?  SYN, FIN, RST.

Posted on 2007-04-05
Medium Priority
Last Modified: 2007-12-19

We have isolated a flood attack to somewhere in our high school.  We did this by unplugging the fiber that connects their building to ours.  

What happens is our router becomes very bogged down due to something sending packets to it like crazy.  We have a Sonic Wall 5060 and we're licensed for Intrusion Prevention, Content Filtering, Gateway Antivirus, Anti-Spam... pretty much everything.

However the Sonic Wall will report SYN Floods and FIN Floods happening.  Our 3COM 5012 router becomes very slow and the entire network's internet access speed drops to around a 56modem or none at all.

I have Wireshark and set up a mirrored port on our router and took some logs from that, and we know some machines that we could scan for viruses, but I wondered if anybody else has dealt with this and implemented some kind of solution other than just hunting down the machines and cleaning them.  Which we will do, but I wish there were some setting on the switches or router that we could turn on to at least keep the network and internet speed somewhat reasonable and usable.  We've already lost 2 days worth of internet based work.

Also if anyone has actually hired a company to come in and do this kind of work, please relay that information as well...


Question by:diablo-26

Accepted Solution

AndrewCink earned 2000 total points
ID: 18862659
I can think of some options.

1) Check the logs on the sonicwall and see what IP is sourcing the floods, then go find that machine and check it out
2) Internal firewalls. Put a firewall between critical fiber links or network areas to stop a flood from inside your network being propagated to all segments
3) Invest in a quality IPS/IDS. 3com makes a device called a TippingPoint which can scan your internal network for attacks and will block those devices that are generating them.

The best solution in my mind is of course the tipping point, but they are expensive and you will need potentially multiple interfaces to monitor and protect different subnets from attacks. In terms of your problem now, it would make it a moot point however.

The cheapest solution is to use either your firewall logs, a packet sniffer, or whatever device and look at the traffic, see what IP is sourcing it, and then find those devices and pull them off your network until you can clean them.
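
Added example, not part of the original answer: one way to do the "see what IP is sourcing it" step from a mirrored-port capture, assuming the capture was exported as `src,dst,flags` lines (for instance with `tshark -r capture.pcap -T fields -e ip.src -e ip.dst -e tcp.flags -E separator=,`). The addresses, thresholds and function names are constructed for illustration.

```python
import csv
from collections import Counter, defaultdict

FIN, SYN, RST, ACK = 0x01, 0x02, 0x04, 0x10  # TCP flag bits

def classify(flags):
    """Return the flood type a packet counts toward, or None for ordinary traffic."""
    if flags & SYN and not flags & ACK:
        return "SYN"  # connection attempt; SYN+ACK replies are not counted
    if flags & RST:
        return "RST"
    if flags & FIN:
        return "FIN"
    return None

def flood_sources(lines, min_packets=200, min_share=0.8):
    """Rank source IPs whose traffic is dominated by SYN, FIN or RST packets.

    lines: text lines of "src,dst,flags_hex" (assumed export format).
    Returns [(src, flood_type, count, share_of_that_source)], busiest first.
    """
    totals, by_type = Counter(), defaultdict(Counter)
    for row in csv.reader(lines):
        try:
            src, flags = row[0], int(row[2], 16)
        except (IndexError, ValueError):
            continue  # blank, non-TCP or malformed row
        totals[src] += 1
        kind = classify(flags)
        if kind:
            by_type[src][kind] += 1
    suspects = []
    for src, kinds in by_type.items():
        kind, count = kinds.most_common(1)[0]
        share = count / totals[src]
        if count >= min_packets and share >= min_share:
            suspects.append((src, kind, count, round(share, 2)))
    return sorted(suspects, key=lambda s: s[2], reverse=True)

# Constructed sample: a workstation completing normal connections (with the
# router's SYN+ACK replies) and one host that sends nothing but SYNs.
SAMPLE = (
    ["10.20.5.14,10.1.0.1,0x0002", "10.1.0.1,10.20.5.14,0x0012",
     "10.20.5.14,10.1.0.1,0x0010", "10.20.5.14,10.1.0.1,0x0018",
     "10.20.5.14,10.1.0.1,0x0011"] * 50
    + ["10.20.5.77,10.1.0.1,0x0002"] * 500
)

if __name__ == "__main__":
    for src, kind, count, share in flood_sources(SAMPLE):
        print(f"{src}: {count} {kind} packets ({share:.0%} of its traffic)")
```

Flood traffic often carries spoofed source IPs, so if the flagged addresses do not exist on the segment, export `eth.src` as the first field instead and trace the MAC address to a switch port.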

Author Comment

ID: 18863194

Thanks, you know I just found that Tipping point site yesterday and sent them an e-mail for more information...  Do you know how much they cost?   Last year we paid $10,000.00 for this Sonic Wall 5060 and I thought it would do the trick for this type of stuff, but apparently it's not.  

Soon as I plug the high school fiber back in, the pings on the router go from 1ms to 900ms, very sporadic...  

I think I'll do both, I'll try and pull the machines off and clean or reformat them and also check into that tipping point equipment.


