Protect network from SYN Flood and other types of attacks

hi
every so often we have a client's network get killed because a few PC's get infected with malware. these generally flood the network with traffic, bringing internet essentially to a halt. we usually find the culprits through either the AV console (the culprits don't have AV... problem) or our firewall logs.

however sometimes it's not that simple. For example, today, our Sonicwall (192.168.9.2)was reporting the SYN Flood traffic coming from the IP/MAC address of our HP Core Switch (192.168.9.1). That switch has a 192.168.X.1 IP for each of the 4 other subnets, does all the routing between networks, etc.

What i want to know is if there's any way to catch/block this traffic before it totally floods my network (to a point that even the users not infected were affected).

We run all HP managed switches (2800 series mostly) - is there any way to configure them to take action when a particular port has suspicious activity? Either lock down the port, fire off an alert, etc? Or alert us about a MAC address that's problematic (we can trace MAC to the computer/user)?

thanks in advance for any help you can provide.
LVL 2
tabushAsked:
Who is Participating?
 
parparovCommented:
SYN cookies are a way to battle SYN_FLOOD. Check if your 2800s support this setting.
0
 
eeRootCommented:
You can use storm control, as well as limiting the speed on the individual PC ports.  You may want to look into an IPS/IDS system (snort is free http://www.snort.org/)
0
 
tabushAuthor Commented:
thanks
0
Question has a verified solution.

Are you are experiencing a similar issue? Get a personalized answer when you ask a related question.

Have a better answer? Share it in a comment.

All Courses

From novice to tech pro — start learning today.