Somebody trying to attack our network

Over the last week we have noticed a lot of TCP FIN scans and IP spoofing attempts occurring. This has never happened as much before in the 4 years I've worked at this company.

Our firewall logs show these attempts happening every 5-10 minutes, then it stops for a few hours and starts again, each time causing a DOS (denial of service) attack as our internet connection goes down. (I think this is due to the firewall restarting itself to prevent further attacks, though.)

The logs show us the IP address and MAC address of the person and I've added these to the blocked list. I have also done a whois on these IP addresses and they come back as being in the US and the Netherlands; however, one of them came back as being in the UK.

We use a 3Com Superstack 3 Firewall, firmware version 6.3.3.1.

The firewall is set up to protect from the following attacks: SYN flood, Ping of death, IP spoofing, Land attack, Smurf amplification, sequence number prediction. Stealth Mode is also enabled.

Looking for some help as I'm not an expert in security.
ellandrdAsked:

neos2k1Commented:
You could set up a policy not to accept any FIN packets if they don't belong to SYN/ACK sessions.
You have to install a sniffer to see what traffic is coming to you; based on that you may be able to create some policies. Your ISP may be able to help you.
If they are DDoS-ing you really hard, there is not much that you could do, to be honest.
David-HowardCommented:
Elland,
This link provides some information on DOS.
http://www.onlamp.com/pub/a/bsd/2004/06/24/anti_dos.html
If you have hardened your network and are taking the appropriate security measures you may need to report the DOS originator.
You can do that here.
Report Hacking and other crimes.
http://www.cybercrime.gov/reporting.htm
David
jahboiteCommented:
I'd say that you need to analyse the logs more and try to find out why the firewall is shutting down. It isn't doing this to protect from further attacks! It could be that the firewall is being overwhelmed with connections for which it is performing stateful packet filtering and then running out of resources to continue doing so. SYN or Connect scanning might do this because your firewall will monitor the connections to ensure there is a transfer of data, only dropping the connection if no data is present. This would require a huge number (possibly thousands) of connections per second. The FIN scans are unlikely to cause a DoS condition unless enough are sent to max out your available bandwidth (again thousands), because in stealth mode the firewall will not respond to them, nor maintain their state.
It may be that there is a service available to the outside which is vulnerable to some DoS condition.
It may be something as simple as not being able to clear the logs fast enough (not being able to send logs by email) in conjunction with 3COM's option to shut down when it can't write to the logs.
The Smurf Attack could be a candidate because your firewall will only stop itself being used to amplify an attack against someone else.  It seems it can't prevent a flood of ICMP replies coming from an amplifier or amplifiers.

You might want to get hold of a good network scanner (nmap from http://www.nmap.org/download is a very good choice) and determine what TCP and UDP ports are open/closed/firewalled by scanning from outside your network perimeter. You could also use its most aggressive scan timing-wise (nmap -sSUVC -p1-65535 -O -T5 <target>) to see if you can overwhelm the firewall and cause it to reboot.
You might also want to get hold of nessus from nessus.org and run that against your external interface(s) to find any vulnerable services.  Using nessus aggressively is another method by which you could test the ability of the firewall to cope with heavy probing.

If you've got services available to the outside, you might consider limiting the IP addresses from which connections can be made to them.

Let us know how you get on...
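One way to do the log analysis suggested above, as an added example that is not code from the thread: it parses constructed firewall log lines (the layout is an assumption, not the real 3Com Superstack 3 log format), counts hostile events per source, groups the FIN scan and spoof events into bursts, and checks whether each firewall restart follows a burst closely enough to be blamed on the scans. A restart with no burst shortly before it points at some other cause, which is exactly the question jahboite raises.

```python
from collections import Counter
from datetime import datetime, timedelta

# Constructed sample lines for this example; the layout is an assumption,
# not the real 3Com Superstack 3 log format.
SAMPLE_LOG = """\
2005-03-01 09:00:02 TCP FIN Scan src=203.0.113.10 dst=192.0.2.5 dport=80
2005-03-01 09:00:03 TCP FIN Scan src=203.0.113.10 dst=192.0.2.5 dport=443
2005-03-01 09:00:05 TCP FIN Scan src=198.51.100.7 dst=192.0.2.5 dport=25
2005-03-01 09:07:11 TCP FIN Scan src=203.0.113.10 dst=192.0.2.5 dport=22
2005-03-01 09:07:12 IP Spoof Detected src=192.0.2.99 dst=192.0.2.5
2005-03-01 09:07:40 Firewall Restart
2005-03-01 09:16:30 TCP FIN Scan src=203.0.113.10 dst=192.0.2.5 dport=21
2005-03-01 13:20:00 Firewall Restart
"""

def parse_log(text):
    """Return (timestamp, event name, key=value fields) per line."""
    events = []
    for line in text.splitlines():
        ts = datetime.strptime(line[:19], "%Y-%m-%d %H:%M:%S")
        words = line[20:].split()
        fields = dict(w.split("=", 1) for w in words if "=" in w)
        name = " ".join(w for w in words if "=" not in w)
        events.append((ts, name, fields))
    return events

def hostile_per_source(events):
    """Count hostile events (FIN scans, spoof attempts) per source address."""
    return Counter(f["src"] for _, _, f in events if "src" in f)

def bursts(events, gap=timedelta(minutes=2)):
    """Group hostile events into (start, end, count) bursts separated by quiet gaps."""
    out = []
    for ts, _, f in events:
        if "src" not in f:
            continue
        if out and ts - out[-1][1] <= gap:
            out[-1] = (out[-1][0], ts, out[-1][2] + 1)
        else:
            out.append((ts, ts, 1))
    return out

def restarts_explained_by_scans(events, window=timedelta(minutes=5)):
    """For each restart: did a hostile burst end within `window` before it?
    A restart with no preceding burst points at some other cause."""
    ends = [b[1] for b in bursts(events)]
    return [(ts, any(ts - window <= e <= ts for e in ends))
            for ts, name, _ in events if name == "Firewall Restart"]
```

On the sample data the first restart follows a burst by 28 seconds while the second has no scan activity for hours before it, so only the first is plausibly scan-related.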


jahboiteCommented:
Hi ellandrd!  I'd love to know how you got on...
Thanks for the points and the grade!
ellandrdAuthor Commented:
Yeah, kinda confusing and weird issue in the end, but our internet kept crashing due to a rogue DNS entry on our server.

Our server here in the UK is connected to another server in Houston via a VPN. The Houston server somehow managed to get a virus or robot that caused the Houston server's DNS entries to replicate over to our UK server.

Because both servers use different IP ranges, the DNS entries from the Houston server messed up our server's DNS entries, resulting in the internet going down. We took down the VPN and it all stopped. Our IT dept in Houston then took over the issue...

The TCP/FIN attacks that we were getting are still happening, so we have contacted our ISP here in the UK and they are still investigating....
jahboiteCommented:
Weird, but very interesting nonetheless and very useful as a demonstration of just how wrong I was about the cause of your internet dropping issue!
Thanks for the info and, if you fancy it, I'm sure it will interest many to have a brief synopsis of the FIN attacks when your ISP reports its findings.