How should I handle this FIN Flood attack that my SonicWall is reporting

I'm trying to understand what might be happening with this log.  Are machines 192.168.1.152 and 192.168.1.253 compromised or is there something else going on?  192.168.1.253 is our Exchange 2010 Server...we are experiencing disconnects from the Outlook users on the network that are only resolved if they reboot.  I've already run a full scan with antivirus and Malwarebytes on the server - what else should be done to make sure there is nothing rogue on the machine?  Is the SonicWall just alerting us or is it actually blocking the "attack"?  

Machine 192.168.1.152 is a MacBook...we have that machine turned off for now.

Here is the log:

0006-B13B-0234 Log (part 3) dumped to email at 2011-04-06 12:52:08
04/06/2011 12:48:55.416 - Alert - Intrusion Prevention -  Possible FIN Flood on IF X0 - from machine xx:xx:c2: e:e5:a7 with FIN rate of 369/sec has
ceased    -   -
04/06/2011 12:48:56.368 - Alert - Intrusion Prevention -  Possible FIN Flood
on IF X0 - src: 192.168.1.152:58139 dst: 64.60.131.215:443    -   -
04/06/2011 12:48:57.448 - Alert - Intrusion Prevention -  Possible FIN Flood on IF X0 - from machine xx:xx:c2: e:e5:a7 with FIN rate of 357/sec has
ceased    -   -
04/06/2011 12:48:58.368 - Alert - Intrusion Prevention -  Possible FIN Flood
on IF X0 - src: 192.168.1.152:58850 dst: 64.60.131.215:443    -   -
04/06/2011 12:48:59.480 - Alert - Intrusion Prevention -  Possible FIN Flood on IF X0 - from machine xx:xx:c2: e:e5:a7 with FIN rate of 316/sec has
ceased    -   -
04/06/2011 12:49:00.368 - Alert - Intrusion Prevention -  Possible FIN Flood
on IF X0 - src: 192.168.1.152:59505 dst: 64.60.131.215:443    -   -
04/06/2011 12:49:01.560 - Alert - Intrusion Prevention -  Possible FIN Flood on IF X0 - from machine xx:xx:c2: e:e5:a7 with FIN rate of 355/sec has
ceased    -   -
04/06/2011 12:49:12.368 - Alert - Intrusion Prevention -  Possible FIN Flood
on IF X0 - src: 192.168.1.253:443 dst: 64.60.131.215:24578    -   -
04/06/2011 12:49:12.384 - Warning - Intrusion Prevention -  Possible FIN Flood on IF X0 - src: 192.168.1.253:443 dst: 64.60.131.215:2041 - rate:
357/sec continues    -   -
04/06/2011 12:49:13.400 - Alert - Intrusion Prevention -  Possible FIN Flood on IF X0 - from machine xx:xx:9b:a6:5b:94 with FIN rate of 354/sec has
ceased    -   -
04/06/2011 12:49:14.368 - Alert - Intrusion Prevention -  Possible FIN Flood
on IF X0 - src: 192.168.1.253:443 dst: 64.60.131.215:20207    -   -
04/06/2011 12:49:15.432 - Alert - Intrusion Prevention -  Possible FIN Flood on IF X0 - from machine xx:xx:9b:a6:5b:94 with FIN rate of 268/sec has
ceased    -   -
04/06/2011 12:49:16.368 - Alert - Intrusion Prevention -  Possible FIN Flood
on IF X0 - src: 192.168.1.253:443 dst: 64.60.131.215:11289    -   -
04/06/2011 12:49:17.464 - Alert - Intrusion Prevention -  Possible FIN Flood on IF X0 - from machine xx:xx:9b:a6:5b:94 with FIN rate of 427/sec has
ceased    -   -
04/06/2011 12:49:18.368 - Alert - Intrusion Prevention -  Possible FIN Flood
on IF X0 - src: 192.168.1.253:443 dst: 64.60.131.215:5597    -   -
04/06/2011 12:49:19.496 - Alert - Intrusion Prevention -  Possible FIN Flood on IF X0 - from machine xx:xx:9b:a6:5b:94 with FIN rate of 393/sec has
ceased    -   -
04/06/2011 12:49:20.368 - Alert - Intrusion Prevention -  Possible FIN Flood
on IF X0 - src: 192.168.1.253:443 dst: 64.60.131.215:29969    -   -
04/06/2011 12:49:21.528 - Alert - Intrusion Prevention -  Possible FIN Flood on IF X0 - from machine xx:xx:9b:a6:5b:94 with FIN rate of 340/sec has
ceased    -   -
04/06/2011 12:49:22.368 - Alert - Intrusion Prevention -  Possible FIN Flood
on IF X0 - src: 192.168.1.253:443 dst: 64.60.131.215:8943    -   -
04/06/2011 12:49:23.560 - Alert - Intrusion Prevention -  Possible FIN Flood on IF X0 - from machine xx:xx:9b:a6:5b:94 with FIN rate of 301/sec has
ceased    -   -
04/06/2011 12:49:24.384 - Alert - Intrusion Prevention -  Possible FIN Flood
on IF X0 - src: 192.168.1.253:443 dst: 64.60.131.215:2220    -   -
04/06/2011 12:49:24.576 - Alert - Intrusion Prevention -  Possible FIN Flood on IF X0 - from machine xx:xx:9b:a6:5b:94 with FIN rate of 377/sec has
ceased    -   -
04/06/2011 12:49:26.368 - Alert - Intrusion Prevention -  Possible FIN Flood
on IF X0 - src: 192.168.1.253:443 dst: 64.60.131.215:7535    -   -
04/06/2011 12:49:26.608 - Alert - Intrusion Prevention -  Possible FIN Flood on IF X0 - from machine xx:xx:9b:a6:5b:94 with FIN rate of 406/sec has
ceased    -   -
04/06/2011 12:49:32.368 - Alert - Intrusion Prevention -  Possible FIN Flood
on IF X0 - src: 192.168.1.253:443 dst: 64.60.131.215:18922    -   -
04/06/2011 12:49:33.720 - Alert - Intrusion Prevention -  Possible FIN Flood on IF X0 - from machine xx:xx:9b:a6:5b:94 with FIN rate of 353/sec has
ceased    -   -
04/06/2011 12:49:46.368 - Alert - Intrusion Prevention -  Possible FIN Flood
on IF X0 - src: 192.168.1.152:59756 dst: 64.60.131.215:443    -   -
04/06/2011 12:49:47.416 - Alert - Intrusion Prevention -  Possible FIN Flood on IF X0 - from machine xx:xx:c2: e:e5:a7 with FIN rate of 408/sec has
ceased    -   -
04/06/2011 12:49:48.368 - Alert - Intrusion Prevention -  Possible FIN Flood
on IF X0 - src: 192.168.1.152:60555 dst: 64.60.131.215:443    -   -
04/06/2011 12:49:49.448 - Alert - Intrusion Prevention -  Possible FIN Flood on IF X0 - from machine xx:xx:c2: e:e5:a7 with FIN rate of 333/sec has
ceased    -   -
04/06/2011 12:49:50.368 - Alert - Intrusion Prevention -  Possible FIN Flood
on IF X0 - src: 192.168.1.152:61266 dst: 64.60.131.215:443    -   -
04/06/2011 12:49:51.480 - Alert - Intrusion Prevention -  Possible FIN Flood on IF X0 - from machine xx:xx:c2: e:e5:a7 with FIN rate of 379/sec has
ceased    -   -
04/06/2011 12:49:52.368 - Alert - Intrusion Prevention -  Possible FIN Flood
on IF X0 - src: 192.168.1.152:62071 dst: 64.60.131.215:443    -   -
04/06/2011 12:49:53.512 - Alert - Intrusion Prevention -  Possible FIN Flood on IF X0 - from machine xx:xx:c2: e:e5:a7 with FIN rate of 405/sec has
ceased    -   -
04/06/2011 12:49:54.368 - Alert - Intrusion Prevention -  Possible FIN Flood
on IF X0 - src: 192.168.1.152:62854 dst: 64.60.131.215:443    -   -
04/06/2011 12:49:55.544 - Alert - Intrusion Prevention -  Possible FIN Flood on IF X0 - from machine xx:xx:c2: e:e5:a7 with FIN rate of 382/sec has
ceased    -   -
04/06/2011 12:49:58.368 - Alert - Intrusion Prevention -  Possible FIN Flood
on IF X0 - src: 192.168.1.152:64423 dst: 64.60.131.215:443    -   -
04/06/2011 12:49:58.640 - Alert - Intrusion Prevention -  Possible FIN Flood on IF X0 - from machine xx:xx:c2: e:e5:a7 with FIN rate of 402/sec has
ceased    -   -
04/06/2011 12:50:12.368 - Warning - Intrusion Prevention -  Possible FIN Flood on IF X0 - src: 192.168.1.253:443 dst: 64.60.131.215:47342 - rate:
355/sec continues    -   -
04/06/2011 12:50:14.368 - Alert - Intrusion Prevention -  Possible FIN Flood
on IF X0 - src: 192.168.1.253:443 dst: 64.60.131.215:21799    -   -
04/06/2011 12:50:15.416 - Alert - Intrusion Prevention -  Possible FIN Flood on IF X0 - from machine xx:xx:9b:a6:5b:94 with FIN rate of 399/sec has
ceased    -   -
04/06/2011 12:50:16.368 - Alert - Intrusion Prevention -  Possible FIN Flood
on IF X0 - src: 192.168.1.253:443 dst: 64.60.131.215:26913    -   -
04/06/2011 12:50:17.448 - Alert - Intrusion Prevention -  Possible FIN Flood on IF X0 - from machine xx:xx:9b:a6:5b:94 with FIN rate of 427/sec has
ceased    -   -
04/06/2011 12:50:18.384 - Alert - Intrusion Prevention -  Possible FIN Flood
on IF X0 - src: 192.168.1.253:443 dst: 64.60.131.215:40382    -   -
04/06/2011 12:50:19.480 - Alert - Intrusion Prevention -  Possible FIN Flood on IF X0 - from machine xx:xx:9b:a6:5b:94 with FIN rate of 349/sec has
ceased    -   -
04/06/2011 12:50:20.368 - Alert - Intrusion Prevention -  Possible FIN Flood
on IF X0 - src: 192.168.1.253:443 dst: 64.60.131.215:61660    -   -
04/06/2011 12:50:21.512 - Alert - Intrusion Prevention -  Possible FIN Flood on IF X0 - from machine xx:xx:9b:a6:5b:94 with FIN rate of 395/sec has
ceased    -   -
04/06/2011 12:50:22.368 - Alert - Intrusion Prevention -  Possible FIN Flood
on IF X0 - src: 192.168.1.253:443 dst: 64.60.131.215:48606    -   -
04/06/2011 12:50:23.544 - Alert - Intrusion Prevention -  Possible FIN Flood on IF X0 - from machine xx:xx:9b:a6:5b:94 with FIN rate of 319/sec has
ceased    -   -
04/06/2011 12:50:26.368 - Alert - Intrusion Prevention -  Possible FIN Flood
on IF X0 - src: 192.168.1.253:443 dst: 64.60.131.215:40860    -   -
04/06/2011 12:50:27.608 - Alert - Intrusion Prevention -  Possible FIN Flood on IF X0 - from machine xx:xx:9b:a6:5b:94 with FIN rate of 429/sec has
ceased    -   -
04/06/2011 12:50:28.368 - Alert - Intrusion Prevention -  Possible FIN Flood
on IF X0 - src: 192.168.1.253:443 dst: 64.60.131.215:18394    -   -
04/06/2011 12:50:29.640 - Alert - Intrusion Prevention -  Possible FIN Flood on IF X0 - from machine xx:xx:9b:a6:5b:94 with FIN rate of 384/sec has
ceased    -   -
04/06/2011 12:50:38.368 - Alert - Intrusion Prevention -  Possible FIN Flood
on IF X0 - src: 192.168.1.152:63065 dst: 64.60.131.215:443    -   -
04/06/2011 12:50:39.416 - Alert - Intrusion Prevention -  Possible FIN Flood on IF X0 - from machine xx:xx:c2: e:e5:a7 with FIN rate of 302/sec has
ceased    -   -
04/06/2011 12:50:40.368 - Alert - Intrusion Prevention -  Possible FIN Flood
on IF X0 - src: 192.168.1.152:63707 dst: 64.60.131.215:443    -   -
04/06/2011 12:50:41.448 - Alert - Intrusion Prevention -  Possible FIN Flood on IF X0 - from machine xx:xx:c2: e:e5:a7 with FIN rate of 321/sec has
ceased    -   -
04/06/2011 12:50:42.368 - Alert - Intrusion Prevention -  Possible FIN Flood
on IF X0 - src: 192.168.1.152:64392 dst: 64.60.131.215:443    -   -
04/06/2011 12:50:43.480 - Alert - Intrusion Prevention -  Possible FIN Flood on IF X0 - from machine xx:xx:c2: e:e5:a7 with FIN rate of 393/sec has
ceased    -   -
04/06/2011 12:50:44.368 - Alert - Intrusion Prevention -  Possible FIN Flood
on IF X0 - src: 192.168.1.152:65160 dst: 64.60.131.215:443    -   -
04/06/2011 12:50:45.512 - Alert - Intrusion Prevention -  Possible FIN Flood on IF X0 - from machine xx:xx:c2: e:e5:a7 with FIN rate of 400/sec has
ceased    -   -
04/06/2011 12:50:46.368 - Alert - Intrusion Prevention -  Possible FIN Flood
on IF X0 - src: 192.168.1.152:49528 dst: 64.60.131.215:443    -   -
04/06/2011 12:50:47.544 - Alert - Intrusion Prevention -  Possible FIN Flood on IF X0 - from machine xx:xx:c2: e:e5:a7 with FIN rate of 383/sec has
ceased    -   -
04/06/2011 12:50:48.368 - Alert - Intrusion Prevention -  Possible FIN Flood
on IF X0 - src: 192.168.1.152:50292 dst: 64.60.131.215:443    -   -
04/06/2011 12:50:49.576 - Alert - Intrusion Prevention -  Possible FIN Flood on IF X0 - from machine xx:xx:c2: e:e5:a7 with FIN rate of 410/sec has
ceased    -   -
04/06/2011 12:51:14.368 - Alert - Intrusion Prevention -  Possible FIN Flood
on IF X0 - src: 192.168.1.253:443 dst: 64.60.131.215:29882    -   -
04/06/2011 12:51:14.416 - Warning - Intrusion Prevention -  Possible FIN Flood on IF X0 - src: 192.168.1.253:443 dst: 64.60.131.215:65091 - rate:
318/sec continues    -   -
04/06/2011 12:51:15.432 - Alert - Intrusion Prevention -  Possible FIN Flood on IF X0 - from machine xx:xx:9b:a6:5b:94 with FIN rate of 294/sec has
ceased    -   -
04/06/2011 12:52:02.368 - Alert - Intrusion Prevention -  Possible FIN Flood
on IF X0 - src: 192.168.1.152:53194 dst: 64.60.131.215:443    -   -
04/06/2011 12:52:02.368 - Alert - Intrusion Prevention -  Possible FIN Flood
on IF X0 - src: 192.168.1.253:443 dst: 64.60.131.215:12277    -   -
04/06/2011 12:52:03.400 - Alert - Intrusion Prevention -  Possible FIN Flood on IF X0 - from machine xx:xx:c2: e:e5:a7 with FIN rate of 332/sec has
ceased    -   -
04/06/2011 12:52:03.400 - Alert - Intrusion Prevention -  Possible FIN Flood on IF X0 - from machine xx:xx:9b:a6:5b:94 with FIN rate of 330/sec has
ceased    -   -
04/06/2011 12:52:04.368 - Alert - Intrusion Prevention -  Possible FIN Flood
on IF X0 - src: 192.168.1.152:53904 dst: 64.60.131.215:443    -   -
04/06/2011 12:52:04.368 - Alert - Intrusion Prevention -  Possible FIN Flood
on IF X0 - src: 192.168.1.253:443 dst: 64.60.131.215:25640    -   -
04/06/2011 12:52:05.432 - Alert - Intrusion Prevention -  Possible FIN Flood on IF X0 - from machine xx:xx:9b:a6:5b:94 with FIN rate of 397/sec has
ceased    -   -
04/06/2011 12:52:05.432 - Alert - Intrusion Prevention -  Possible FIN Flood on IF X0 - from machine xx:xx:c2: e:e5:a7 with FIN rate of 400/sec has
ceased    -   -
04/06/2011 12:52:06.368 - Alert - Intrusion Prevention -  Possible FIN Flood
on IF X0 - src: 192.168.1.152:54641 dst: 64.60.131.215:443    -   -
04/06/2011 12:52:06.368 - Alert - Intrusion Prevention -  Possible FIN Flood
on IF X0 - src: 192.168.1.253:443 dst: 64.60.131.215:1152    -   -

This email was generated by: SonicOS Enhanced 4.2.0.1-12e (0006-B13B-0234)
Asked by: Nicholas Curran, Independent IT Consultant

digitap commented:
The MAC addresses of the sources on X0 are all different. It seems they are all going to the same IP address of 64.60.131.215. I did a reverse DNS lookup on that and get exchange.bravenewfoundation.org:443. I'm not familiar with this website, but your internal hosts are creating several connections LAN > WAN and it's generating the flood attack on your SonicWall.
Nicholas Curran, Independent IT Consultant (author), commented:
It was likely a miscommunication between one laptop and the Exchange 2010 server.  It seems to be resolved now.
Nicholas Curran, Independent IT Consultant (author), commented:
The solution failed to address some of the initial questions but was an adequate attempt.
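
The pattern digitap points out (every alert pairs an internal host with 64.60.131.215 on port 443) can be checked by rejoining the wrapped log records and grouping them by endpoint and role. This is an added example, not part of the original thread; the sample records are copied from the log above, and the function names `records` and `summarize` are hypothetical.

```python
import re
from collections import defaultdict

# Sample input: six records copied from the log above, e-mail line wraps kept.
SAMPLE = """\
04/06/2011 12:48:56.368 - Alert - Intrusion Prevention -  Possible FIN Flood
on IF X0 - src: 192.168.1.152:58139 dst: 64.60.131.215:443    -   -
04/06/2011 12:48:57.448 - Alert - Intrusion Prevention -  Possible FIN Flood on IF X0 - from machine xx:xx:c2: e:e5:a7 with FIN rate of 357/sec has
ceased    -   -
04/06/2011 12:49:12.368 - Alert - Intrusion Prevention -  Possible FIN Flood
on IF X0 - src: 192.168.1.253:443 dst: 64.60.131.215:24578    -   -
04/06/2011 12:49:12.384 - Warning - Intrusion Prevention -  Possible FIN Flood on IF X0 - src: 192.168.1.253:443 dst: 64.60.131.215:2041 - rate:
357/sec continues    -   -
04/06/2011 12:49:13.400 - Alert - Intrusion Prevention -  Possible FIN Flood on IF X0 - from machine xx:xx:9b:a6:5b:94 with FIN rate of 354/sec has
ceased    -   -
04/06/2011 12:49:46.368 - Alert - Intrusion Prevention -  Possible FIN Flood
on IF X0 - src: 192.168.1.152:59756 dst: 64.60.131.215:443    -   -
"""

STAMP = re.compile(r"^\d{2}/\d{2}/\d{4} \d{2}:\d{2}:\d{2}\.\d{3} - ")
FLOW = re.compile(r"src: (\d+(?:\.\d+){3}):(\d+) dst: (\d+(?:\.\d+){3}):(\d+)")
RATE = re.compile(r"rate(?: of|:) (\d+)/sec")

def records(text):
    """Rejoin wrapped lines: a new record starts at a timestamp; blanks are skipped."""
    out = []
    for line in filter(str.strip, text.splitlines()):
        if STAMP.match(line) or not out:
            out.append(line.strip())
        else:
            out[-1] += " " + line.strip()
    return out

def summarize(text, service_port=443):
    """Count alerts per (internal IP, role, peer IP) and collect reported FIN rates."""
    flows, rates = defaultdict(int), []
    for rec in records(text):
        m = FLOW.search(rec)
        if m:
            src, sport, dst, dport = m.group(1), int(m.group(2)), m.group(3), int(m.group(4))
            # The side holding the service port is the server end of the connection.
            role = "server" if sport == service_port else "client" if dport == service_port else "other"
            flows[(src, role, dst)] += 1
        rates += [int(x) for x in RATE.findall(rec)]
    return dict(flows), rates

if __name__ == "__main__":
    print(summarize(SAMPLE))
```

A host reported with the `server` role is sending from port 443 itself, so its FINs close connections it accepted rather than connections it opened.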