-
SYN Attack on Server
Hi gals / guys
An urgent and most important issue...... At our warehouse we have a network with Real IP on which SQL server is running and being accessed...... With internal users of around 20 nodes..... Windows 2003 with ISA 2004 running as Proxy...... In the event log I am continuously seeing that the network is getting a SYN attack; ISA will try to prevent it, and after every 2 mins I am seeing this.....
I need two things here: -
How can I configure the ISA to prevent this?
How can I know which IP is attacking my network?
Awaiting help from you folks.
-
How can I configure the ISA to prevent this?
Set the TCP SYN flood reg key. See here:
http://www.securityfocus.com/infocus/1729
How can I know which IP is attacking my network?
First stop, the log files. If it's an attack from inside your network, you'll see the IP address or the IP of the NAT device(s) in the path. Second stop, a sniffer on the local machine to see exactly what is happening. This can give you a good idea of where to concentrate your search. Third stop, a spanning port on the NAT devices (or behind them) to continue your search. If you don't see that the traffic is internal, head up to your perimeter firewall and look at the logs. From there, keep moving upstream if need be.
--TH13
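
For the "which IP" question, a quick check that complements the logs and sniffer mentioned in the reply is to count half-open (SYN_RECEIVED) connections per remote address. This is an added example, not part of the original posts; it assumes `netstat -an` output saved from the server, and the sample text, addresses and the `threshold` parameter are constructed for illustration.

```python
import re
from collections import Counter

# Constructed sample of Windows `netstat -an` output (documentation addresses).
SAMPLE_NETSTAT = """\
Active Connections

  Proto  Local Address          Foreign Address        State
  TCP    0.0.0.0:1433           0.0.0.0:0              LISTENING
  TCP    192.0.2.10:1433        10.0.0.21:3312         ESTABLISHED
  TCP    192.0.2.10:1433        198.51.100.7:1045      SYN_RECEIVED
  TCP    192.0.2.10:1433        198.51.100.7:1046      SYN_RECEIVED
  TCP    192.0.2.10:1433        198.51.100.7:1047      SYN_RECEIVED
  TCP    192.0.2.10:1433        198.51.100.7:1048      SYN_RECEIVED
  TCP    192.0.2.10:1433        203.0.113.50:2200      SYN_RECEIVED
  TCP    192.0.2.10:80          203.0.113.50:2201      SYN_RECEIVED
"""

# proto, local addr:port, foreign addr:port, state
LINE_RE = re.compile(r"^\s*TCP\s+(\S+):(\d+)\s+(\S+):(\d+)\s+(\S+)\s*$")

# Windows reports SYN_RECEIVED; Linux netstat reports SYN_RECV.
HALF_OPEN_STATES = {"SYN_RECEIVED", "SYN_RECV"}


def half_open_by_source(netstat_text, local_port=None):
    """Count half-open TCP connections per remote IP.

    local_port optionally restricts the count to one listening service,
    e.g. 1433 for SQL Server.
    """
    counts = Counter()
    for line in netstat_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # headers, blank lines, UDP entries
        _laddr, lport, raddr, _rport, state = m.groups()
        if state not in HALF_OPEN_STATES:
            continue
        if local_port is not None and int(lport) != local_port:
            continue
        counts[raddr] += 1
    return counts


def suspects(counts, threshold=3):
    """Remote IPs with at least `threshold` half-open connections (hypothetical cutoff)."""
    return [(ip, n) for ip, n in counts.most_common() if n >= threshold]


if __name__ == "__main__":
    for ip, n in suspects(half_open_by_source(SAMPLE_NETSTAT)):
        print(f"{ip}\t{n} half-open connections")
```

If the half-open entries are spread thinly across many unrelated addresses, the source addresses are probably spoofed, and the per-IP count will not name the sender; the upstream tracing described in the reply is then the way to narrow it down.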