SYN Attacks but on which NIC?

SYN Attacks but on which NIC? - 5.Jan.2014 10:17:39 AM   
Jersey

 

Hi Tom and others and a Happy New Year...

I have a client who has recently been suffering SYN Attacks. They are running ISA 2004 SP3 Enterprise. 'Alerts' reports "ISA Server detected a possible SYN attack and will protect the network accordingly." and I believe it is doing this when the number of half-open TCP connections hits 1,000 by default.

We would ideally like to know which network card the attacks are coming in on. We obviously suspect they are coming from the External (internet) interface but want to rule out the possibility of them coming from the internal network. ISA will report which 'Network' it suspects the attacks to be coming from but bases this solely on source IP address, and as most IPs are spoofed it will inaccurately report the network in a lot of instances. It would therefore be more useful to know which NIC it received the traffic on. I have tried adding 'Network Interface' as a column in Logging but this field is unpopulated with SYN Attack traffic... and yes, 'Log dropped packets' is enabled so the packets do appear in the logging.

Once we have confirmed the actual source of the attacks we can better investigate preventing them from hitting ISA... probably by means of increasing the protection from upstream NIP devices etc.

Also, I have found that adding the following two registry keys and amending values for them can alter ISA's sensitivity to attacks but have yet to find that doing so is officially supported. Can anyone point me toward any document in this regard?

HKLM\SYSTEM\CurrentControlSet\Services\Fweng\Parameters:

SynAttackHalfOpenEnable
SynAttackHalfOpenDisable


Perhaps I would be better concentrating on perfecting Spoof Protection which may stop packets before even being evaluated by ISA...?

Any assistance gratefully received.

Kind regards,

James
Post #: 1
RE: SYN Attacks but on which NIC? - 20.Jan.2014 6:26:29 AM   
Jersey

 

Anyone got any ideas on this one? Determining the NIC upon which the attacks are detected would be most helpful and surely possible!?

Regards,

James

(in reply to Jersey)
Post #: 2
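
The attribution problem described in the first post, as an added example that is not part of the thread and is not ISA Server code: half-open connections are counted once by the NIC the SYN arrived on and once by the network inferred from the source IP. The record format, NIC names and address ranges are constructed assumptions; in practice the records would come from a capture taken separately on each NIC.

```python
import ipaddress
from collections import Counter

# Assumption: address range that defines the Internal network (constructed).
NETWORKS = {"Internal": ipaddress.ip_network("10.0.0.0/8")}

# Constructed sample records: (ingress NIC, source IP, source port, TCP flag).
SAMPLE = [
    ("nic-external", "10.1.2.3", 40001, "S"),      # spoofed internal source
    ("nic-external", "10.9.9.9", 40002, "S"),      # spoofed internal source
    ("nic-external", "198.51.100.7", 40003, "S"),
    ("nic-internal", "10.0.0.25", 50000, "S"),     # legitimate client
    ("nic-internal", "10.0.0.25", 50000, "A"),     # completes the handshake
]

def network_by_source_ip(src):
    """Attribute a packet to a network by source address alone."""
    addr = ipaddress.ip_address(src)
    for name, net in NETWORKS.items():
        if addr in net:
            return name
    return "External"

def half_open(records):
    """Map each connection that sent a SYN but no final ACK to its ingress NIC.

    Simplification: connections are keyed by (source IP, source port);
    a real tracker would use the full 4-tuple.
    """
    pending = {}
    for nic, src, sport, flag in records:
        if flag == "S":
            pending[(src, sport)] = nic
        elif flag == "A":
            pending.pop((src, sport), None)
    return pending

def attribute(records):
    """Count half-open connections by ingress NIC and by source-IP network."""
    by_nic, by_ip = Counter(), Counter()
    for (src, _sport), nic in half_open(records).items():
        by_nic[nic] += 1
        by_ip[network_by_source_ip(src)] += 1
    return by_nic, by_ip

if __name__ == "__main__":
    by_nic, by_ip = attribute(SAMPLE)
    print("by ingress NIC:", dict(by_nic))
    print("by source IP  :", dict(by_ip))
```

On the sample data every half-open connection arrived on the external NIC, yet source-IP attribution assigns two of the three to Internal.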
