Sonicwall TZ Series Enhanced OS Fin Flood on IF XO

My router keeps getting attacked with these FIN FLOOD attacks. When this occurs the processor goes to nearly 96% on the resources and kills my network; it goes to a crawl until I shut down and restart the router. I've turned on the Flood protection in the router with no success. How can I track down what's causing this? Any advice would greatly be appreciated. I've included some logs of what the attacks look like when it happens.

Also, even though it blacklists the MAC or IP address, it's killing my resources and the router.

7            12/24/2014 12:15:03.336      Info      DHCP Server      Assigned IP address to MAC address 64:A3:CB:65:8A:5D                            
8            12/24/2014 12:15:08.736      Alert      Intrusion Prevention      Possible RST Flood on IF X0 - src: dst:                            
9            12/24/2014 12:15:08.768      Alert      Intrusion Prevention      RST-Flooding machine on IF X0 - xx:xx:c5:3a:3e:f4 with RST rate of 562/sec blacklisted                            
10            12/24/2014 12:15:12.800      Alert      Intrusion Prevention      Possible FIN Flood on IF X0 - src: dst:                            
11            12/24/2014 12:15:12.864      Alert      Intrusion Prevention      Machine on IF X0 - xx:xx:c5:3a:3e:f4 removed from RST flood blacklist                            
12            12/24/2014 12:15:14.208      Warning      Intrusion Prevention      Possible FIN Flood on IF X0 - src: dst: - rate: 417/sec continues                            
13            12/24/2014 12:15:16.256      Alert      Intrusion Prevention      Possible FIN Flood on IF X0 - from machine xx:xx:7e:f7:14:c6 with FIN rate of 6/sec has ceased                            
14            12/24/2014 12:15:37.880      Notice      Network Access      TCP connection dropped, 80, X1, 32367, X0      TCP Port: 32367      
15            12/24/2014 12:15:53.224      Debug      Network Access      HTTP method detected; examining stream for host header, 51595, X0, 80, X1      TCP HTTP      
16            12/24/2014 12:16:01.896      Notice      Network Access      UDP packet dropped, 58679, X0, 53, X1      UDP DNS (Name Service) UDP      5 (LAN->WAN)
17            12/24/2014 12:16:17.384      Info      DHCP Server      Assigned IP address to MAC address FC:C2:DE:29:40:EE                            
18            12/24/2014 12:16:25.928      Notice      Network Access      Web management request allowed, 61344, X0, 800, X0      TCP HTTP Management       
19            12/24/2014 12:16:32.528      Info      Authenticated Access      Administrator login allowed, 0, X0 (admin), 800, X0      admin, TCP HTTP Management       
20            12/24/2014 12:16:32.528      Info      Authenticated Access      Configuration mode administration session started, 0, X0 (admin), 800, X0      admin at GUI from       
21            12/24/2014 12:16:51.752      Notice      Network Access      TCP connection dropped, 80, X1, 50972, X0      TCP RPC Services (IANA)
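The log lines above carry the fields needed to answer the question of which internal host is flooding: the interface, the MAC address and the FIN/RST rate per second. The following is an added example (not from the original post or from SonicWall) that parses lines shaped like that excerpt and ranks the senders by peak rate; the sample log, its IDs and MACs are constructed, and the src/dst fields are left blank as they are in the post.

```python
import re
from collections import defaultdict

# Constructed sample, shaped like the SonicWall log excerpt in the question
# (IDs, timestamps and MACs are made up; src/dst are blank as in the post).
SAMPLE_LOG = """\
8    12/24/2014 12:15:08.736    Alert    Intrusion Prevention    Possible RST Flood on IF X0 - src: dst:
9    12/24/2014 12:15:08.768    Alert    Intrusion Prevention    RST-Flooding machine on IF X0 - 00:11:c5:3a:3e:f4 with RST rate of 562/sec blacklisted
10   12/24/2014 12:15:12.800    Alert    Intrusion Prevention    Possible FIN Flood on IF X0 - src: dst:
11   12/24/2014 12:15:12.864    Alert    Intrusion Prevention    Machine on IF X0 - 00:11:c5:3a:3e:f4 removed from RST flood blacklist
12   12/24/2014 12:15:14.208    Warning  Intrusion Prevention    Possible FIN Flood on IF X0 - src: dst: - rate: 417/sec continues
13   12/24/2014 12:15:16.256    Alert    Intrusion Prevention    Possible FIN Flood on IF X0 - from machine 00:11:7e:f7:14:c6 with FIN rate of 6/sec has ceased
14   12/24/2014 12:15:37.880    Notice   Network Access          TCP connection dropped, 80, X1, 32367, X0    TCP Port: 32367
"""

# Columns are separated by runs of whitespace: id, date time, severity, category, message.
LINE_RE = re.compile(
    r"^\s*(?P<id>\d+)\s+(?P<ts>\d{2}/\d{2}/\d{4} \d{2}:\d{2}:\d{2}\.\d{3})\s+"
    r"(?P<sev>\w+)\s+(?P<cat>Intrusion Prevention)\s+(?P<msg>.*)$")
MAC_RE = re.compile(r"\b((?:[0-9a-f]{2}:){5}[0-9a-f]{2})\b", re.I)
RATE_RE = re.compile(r"(\d+)/sec")
IF_RE = re.compile(r"\bon IF (\w+)")
FLOOD_RE = re.compile(r"\b(RST|FIN|SYN)[- ]?Flood", re.I)
# Checked in order: the 'removed from ... blacklist' line must not match 'blacklisted'.
STATES = (("blacklisted", "blacklisted"), ("removed", "unblacklisted"),
          ("ceased", "ceased"), ("continues", "continues"))

def parse_flood_events(text):
    """One dict per Intrusion Prevention flood line: iface, flood type, MAC, rate, state."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # DHCP, Network Access etc. are not flood alerts
        msg = m["msg"]
        flood = FLOOD_RE.search(msg)
        if not flood:
            continue
        mac, rate, iface = MAC_RE.search(msg), RATE_RE.search(msg), IF_RE.search(msg)
        state = next((s for key, s in STATES if key in msg), "possible")
        events.append({"id": int(m["id"]), "ts": m["ts"], "severity": m["sev"],
                       "iface": iface.group(1) if iface else None,
                       "flood": flood.group(1).upper(),
                       "mac": mac.group(1).lower() if mac else None,
                       "rate": int(rate.group(1)) if rate else None, "state": state})
    return events

def flooding_hosts(events):
    """Peak flood rate per MAC, highest first: the LAN machines to inspect first."""
    peak = defaultdict(int)
    for e in events:
        if e["mac"] and e["rate"] is not None:
            peak[e["mac"]] = max(peak[e["mac"]], e["rate"])
    return sorted(peak.items(), key=lambda kv: kv[1], reverse=True)
```

Feed it a longer export from the firewall's log and the MACs at the top of the ranking are the ones to match against the DHCP lease table and scan first; the blank src/dst alerts without a MAC are kept so the timeline still shows when each flood started and stopped.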

btanExec ConsultantCommented:
This is similar to what is stated in the SonicWall KB: the src coming from an IP via port 443 and an IP via port 52292 is triggering the flooding alert. It looks like the former is external and the latter is coming from internal.

- For the external one, it is best to take it up with the ISP to kill it off, as the src IP can be randomised and blacklisting is not of much help.
- For the internal one, check out the actual client sending this, perform a security scan, and ask the user about any anomalies experienced in recent use or installations done on the machine. This is to make sure malware (running on the 'compromised' machine) is not causing this flood. Also, concurrently, the KB shared describes using Packet Monitor to export traffic from a packet capture and analyse offline the potential "app" causing this trigger.

Also, SonicWall has TCP settings to further mitigate the flood, e.g.:
- via Default TCP Connection Timeout
Setting excessively long connection timeouts will slow the reclamation of stale resources, and in extreme cases could lead to exhaustion of the connection cache.
- via Maximum Segment Lifetime (seconds)
Determines the number of seconds that any TCP packet is valid before it expires.
You may want to reduce it gradually for the time-wait state, but be careful in the adjustment so as not to falsely deny legitimate traffic.
tonyg01Author Commented:
What bothers me is that the src in most of these cases are my internal LAN IPs calling out, and the IP addresses are randomized. I see the one you are referring to, but ..

Any thoughts on a good product to run on the clients to see if they are the issue? It's really killing my network when this occurs, and it seems to be around the same time of day as well; not sure what time has to do with it, but it usually happens within 30 mins of 11 am and 5 pm eastern time.

By the way, there are nearly 200+ clients on this one portion of the network ....

Thank you for your input, and I await your reply !
btanExec ConsultantCommented:
Likely the randomised IP can also be due to DHCP assignment to the client machine, so do check out the DHCP server on the machine; I do see that there is likely a commonality coming from a certain subnet or segment VLAN. As for the time of the surge traffic, that can be a commonality among the affected machines. If this surge is never experienced during a peak period like office hours and falls within the non-peak period, then it does raise the need to find out why. However, if these are short stints of surge, random across various periods, likely those affected machines have changes ongoing. Nonetheless, the key now is to isolate the affected zone (if possible), confirm the breach on the affected machines and quickly contain the damage (using the perimeter FW or proxy to block) if they are deemed compromised.

Tap on the existing enterprise AV management (unless you are running a standalone version instead of enterprise) to check out any surfaced anomalies or alerts from the endpoints. For example, Symantec AV has SEPM at a domain level for oversight checks. Also, if possible, capture the raw packets of one instance of the surge to find out the potential root cause, as I stated in my previous post. We need to have some leads to move on.

Start engaging the IT and Ops departments to assist; it is going to be a long process, but you have to start off with a few machines. If there is some common app on the machines causing this surge, then it is a matter of finding out more from the actual machines, as it may already have been running for quite some time, hopefully not some false negative.

Ideally, to automate, pushing out a forensic-savvy endpoint agent is best to ascertain the compromise state and sieve out the anomalies and associated indicators of compromise. This can be quite steep on the budget. Cost aside, some potential candidates include EnCase Enterprise, AccessData (SilentRunner Sentinel) and RSA ECAT; engage them for a trial etc. as a start.


tonyg01Author Commented:
Ok, WOW, I know I have a couple of PCs that I'm thinking are causing the issue. I think and feel, based on what I'm seeing, that these couple of bad actors are causing the majority of the issue. I was really just looking for a product that I can sit down with at each station and do a quick scan to see if they are infected, to isolate the machines quickly. While it seems like a lot of work, I'm certainly willing to get it done, a little sweat equity as opposed to paying $$$ for network scanning software.

The other thing that convinces me that there are only a couple is the timing issue. When the department or subnet these PCs are on is closed, the issue is gone. I suspect the PCs causing the issue are off; when they arrive for work, i.e. 11:00 am, they start ...

Thank you for your comments and thoughts, very informative
tonyg01Author Commented:
The solution offered was very good; I'm looking for something a little less intense ...
btanExec ConsultantCommented:
Thanks for sharing. Simply the AV and FW alert check will suffice, using the latest patches (assuming the machine has done its diligent updates, which can be lacking for mobile users). If the threats are of significant sophistication, I doubt a simplistic analysis will suffice. There are forensic-based or supporting tools to sieve out indicators of compromise, like the use of Process Explorer.