Solved

Sonicwall TZ Series Enhanced OS Fin Flood on IF XO

Posted on 2014-12-24
2,004 Views
Last Modified: 2016-10-11
My router keeps getting attacked with these FIN FLOOD attacks. When this occurs the processor goes to nearly 96% on the resources and kills my network; it goes to a crawl until I shut down and restart the router. I've turned on the Flood protection in the router with no success. How can I track down what's causing this? Any advice would greatly be appreciated. I've included some logs of what the attacks look like when it happens.

Also, even though it blacklists the MAC or IP address, it's killing my resources and the router.

7            12/24/2014 12:15:03.336      Info      DHCP Server      Assigned IP address 10.251.83.17 to MAC address 64:A3:CB:65:8A:5D                            
8            12/24/2014 12:15:08.736      Alert      Intrusion Prevention      Possible RST Flood on IF X0 - src: 31.13.73.152:443 dst: 10.251.83.59:48453                            
9            12/24/2014 12:15:08.768      Alert      Intrusion Prevention      RST-Flooding machine on IF X0 - xx:xx:c5:3a:3e:f4 with RST rate of 562/sec blacklisted                            
10            12/24/2014 12:15:12.800      Alert      Intrusion Prevention      Possible FIN Flood on IF X0 - src: 10.251.83.83:51207 dst: 184.29.185.45:443                            
11            12/24/2014 12:15:12.864      Alert      Intrusion Prevention      Machine on IF X0 - xx:xx:c5:3a:3e:f4 removed from RST flood blacklist                            
12            12/24/2014 12:15:14.208      Warning      Intrusion Prevention      Possible FIN Flood on IF X0 - src: 10.251.83.83:52292 dst: 66.150.48.50:80 - rate: 417/sec continues                            
13            12/24/2014 12:15:16.256      Alert      Intrusion Prevention      Possible FIN Flood on IF X0 - from machine xx:xx:7e:f7:14:c6 with FIN rate of 6/sec has ceased                            
14            12/24/2014 12:15:37.880      Notice      Network Access      TCP connection dropped      108.162.232.200, 80, X1      10.251.83.242, 32367, X0      TCP Port: 32367      
15            12/24/2014 12:15:53.224      Debug      Network Access      HTTP method detected; examining stream for host header      10.251.83.83, 51595, X0      54.243.179.24, 80, X1      TCP HTTP      
16            12/24/2014 12:16:01.896      Notice      Network Access      UDP packet dropped      10.220.17.181, 58679, X0      8.8.8.8, 53, X1      UDP DNS (Name Service) UDP      5 (LAN->WAN)
17            12/24/2014 12:16:17.384      Info      DHCP Server      Assigned IP address 10.251.83.16 to MAC address FC:C2:DE:29:40:EE                            
18            12/24/2014 12:16:25.928      Notice      Network Access      Web management request allowed      10.251.83.99, 61344, X0      10.251.83.248, 800, X0      TCP HTTP Management       
19            12/24/2014 12:16:32.528      Info      Authenticated Access      Administrator login allowed      10.251.83.99, 0, X0 (admin)      10.251.83.248, 800, X0      admin, TCP HTTP Management       
20            12/24/2014 12:16:32.528      Info      Authenticated Access      Configuration mode administration session started      10.251.83.99, 0, X0 (admin)      10.251.83.248, 800, X0      admin at GUI from 10.251.83.99       
21            12/24/2014 12:16:51.752      Notice      Network Access      TCP connection dropped      54.239.172.58, 80, X1      10.251.83.38, 50972, X0      TCP RPC Services (IANA)
Question by:tonyg01

Expert Comment

by:btan
ID: 40517544
This is similar to what is stated in the SonicWall KB: the src coming from IP 31.13.73.152 via port 443 and IP 10.251.83.83 via port 52292 are triggering the flooding alert. Looks like the former is external and the latter is coming from internal. https://support.software.dell.com/kb/sw8777

- For the external, best to take it up with the ISP to kill it off, as the src IP can be randomised and blacklisting is not of much help.
- For the internal, do check out the actual client sending this, perform a security scan and ask the user about any anomalies experienced in recent use or installations done to the machine. It is to make sure malware (running in the 'compromised' machine) is not causing this flood. Also, concurrently, the KB shared suggests using Packet Monitor to export traffic from a packet capture and analyse offline the potential "app" causing this trigger.

Also SonicWall has TCP settings to further mitigate the flood, e.g.
http://help.mysonicwall.com/sw/eng/901/ui2/23100/Firewall/TCP_Settings.htm
- via Default TCP Connection Timeout
Setting excessively long connection timeouts will slow the reclamation of stale resources, and in extreme cases could lead to exhaustion of the connection cache.
- via Maximum Segment Lifetime (seconds)
Determines the number of seconds that any TCP packet is valid before it expires.
May want to reduce it gradually for the TIME_WAIT state, but need to be careful in the adjustment so as not to falsely deny legit traffic.
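One way to triage alerts like the ones posted in the question, added here as an example (not code from the question, from btan, or from SonicWall): it parses the "Possible FIN/RST Flood" lines, tags each source as internal (RFC 1918) or external, and counts alerts per source so the few LAN hosts behind a surge stand out. The log text is a constructed sample modelled on the lines in the question.

```python
import re
import ipaddress
from collections import Counter

# Constructed sample: SonicWall-style log lines modelled on the ones posted
# in the question (two flood alerts with IP sources, plus non-flood noise).
SAMPLE_LOG = """\
8 12/24/2014 12:15:08.736 Alert Intrusion Prevention Possible RST Flood on IF X0 - src: 31.13.73.152:443 dst: 10.251.83.59:48453
9 12/24/2014 12:15:08.768 Alert Intrusion Prevention RST-Flooding machine on IF X0 - xx:xx:c5:3a:3e:f4 with RST rate of 562/sec blacklisted
10 12/24/2014 12:15:12.800 Alert Intrusion Prevention Possible FIN Flood on IF X0 - src: 10.251.83.83:51207 dst: 184.29.185.45:443
12 12/24/2014 12:15:14.208 Warning Intrusion Prevention Possible FIN Flood on IF X0 - src: 10.251.83.83:52292 dst: 66.150.48.50:80 - rate: 417/sec continues
14 12/24/2014 12:15:37.880 Notice Network Access TCP connection dropped 108.162.232.200, 80, X1 10.251.83.242, 32367, X0
"""

# Matches the "Possible FIN/RST Flood ... src: A:p dst: B:q [- rate: N/sec]" form.
FLOOD_RE = re.compile(
    r"Possible (?P<kind>FIN|RST) Flood on IF (?P<iface>\w+) - "
    r"src: (?P<src>[\d.]+):(?P<sport>\d+) dst: (?P<dst>[\d.]+):(?P<dport>\d+)"
    r"(?: - rate: (?P<rate>\d+)/sec)?"
)

def parse_flood_alerts(text):
    """Return one dict per flood alert line that carries a src/dst pair."""
    events = []
    for line in text.splitlines():
        m = FLOOD_RE.search(line)
        if not m:
            continue  # DHCP, connection-drop and MAC-only lines are skipped
        ev = m.groupdict()
        ev["rate"] = int(ev["rate"]) if ev["rate"] else None
        ev["internal"] = ipaddress.ip_address(ev["src"]).is_private
        events.append(ev)
    return events

def summarize(events):
    """Count flood alerts per source, split into internal (LAN) and external."""
    buckets = {"internal": Counter(), "external": Counter()}
    for ev in events:
        side = "internal" if ev["internal"] else "external"
        buckets[side][ev["src"]] += 1
    return buckets

if __name__ == "__main__":
    evs = parse_flood_alerts(SAMPLE_LOG)
    for side, counter in summarize(evs).items():
        for src, n in counter.most_common():
            print(f"{side:8s} {src:16s} {n} flood alert(s)")
```

Point it at an exported SonicWall log instead of SAMPLE_LOG and the internal bucket is the list of machines to pull for an AV scan or packet capture first.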
Author Comment

by:tonyg01
ID: 40517658
What bothers me is the src in most of these cases are my internal LAN IPs calling out, and the IP addresses are randomized. I see the one you are referring to but ..

Any thoughts on a good product to run on the clients to see if they are the issue? It's really killing my network when this occurs, and it seems to be around the same time of day as well. Not sure what time has to do with it, but it usually happens within 30 mins of 11 am and 5 pm Eastern time.

By the way, there are nearly 200+ clients on this one portion of the network ....

Thank you for your input, and I await your reply !

Accepted Solution

by: btan (earned 500 total points)
ID: 40518069
Likely the randomised IP can also be due to DHCP assignment to the client machine; do check out the DHCP server for the machine, and I do see that there is likely commonality coming from a certain subnet or segment VLAN. For the time of the surge traffic, that can be a commonality among the affected machines. If this surge is never experienced in a peak period like office hours and falls within the non-peak, then it does raise the need to find out why so. However, if this is a short stint of surge and random in various periods, likely those affected machines are having changes ongoing. Nonetheless, the key is now to isolate the affected zone (if possible), confirm the breach on the affected machine and quickly contain the damage (using the perimeter FW or proxy to block) if they are deemed compromised.

Tap on the existing enterprise AV management (unless you are having the standalone version instead of enterprise) to check out any surfaced anomalies or alerts from the endpoint. Like Symantec AV has SEPM at a domain level for oversight checks. Also, if possible, capture the raw packets of one instance of the surge to find out the potential root cause, as I stated in my previous post. We need to have some leads to move on.

Start engaging the IT and Ops departments to assist; it is going to be a long process, but you have to start off with a few machines. If there is some common app in the machines causing this surge then it is to find out more from the actual user... it can already have been running for quite some time, hopefully not some false negative.

Ideally, to automate, pushing out an endpoint forensic-savvy agent is best to ascertain the compromise state and sieve out the anomalies and associated indicators of compromise. This can be quite steep on the budget. Taking the cost aside, some potential candidates include EnCase Enterprise, AccessData (SilentRunner Sentinel) and RSA ECAT; engage them for a trial etc. as a start.
Author Comment

by:tonyg01
ID: 40518447
Ok, WOW. I know I have a couple of PCs I'm thinking are causing the issue. I think and feel, based on what I'm seeing, that these couple of bad actors are causing the majority of the issue. I was really just looking for a product that I can sit down at each station and do a quick scan with to see if they are infected, to isolate the machines quickly. While it seems like a lot of work, I'm certainly willing to get it done, a little sweat equity as opposed to paying $$$ for network scanning software.

The other thing that convinces me that there are only a couple is the timing issue. When the department or subnet these PCs are on is closed, the issue is gone. I suspect the PCs causing the issue are off; when they arrive for work, i.e. 11:00 am, they start ...

Thank you for your comments and thoughts, very informative.
Author Closing Comment

by:tonyg01
ID: 40518448
Solution offered was very good; looking for something a little less intense.

Expert Comment

by:btan
ID: 40518455
Thanks for sharing. Simply the AV and FW alert check will suffice, using the latest patches (assuming the machine has done its diligent updates, which can be lacking for mobile users). If the threats are of significant sophistication, I doubt a simplistic analysis suffices. There are forensic-based or supporting tools to sieve out indicators of compromise, like the use of Process Explorer.