SYN Attacks but on which NIC? (Full Version)

All Forums >> [ISA Server 2004 Firewall] >> Logging and Reporting





Jersey -> SYN Attacks but on which NIC? (5.Jan.2014 10:17:39 AM)

Hi Tom and others and a Happy New Year...

I have a client who has recently been suffering SYN Attacks. They are running ISA 2004 SP3 Enterprise. 'Alerts' reports "ISA Server detected a possible SYN attack and will protect the network accordingly." and I believe it is doing this when the number of half-open TCP connections hits 1,000 by default.

We would ideally like to know which network card the attacks are coming in on. We obviously suspect they are coming from the External (internet) interface but want to rule out the possibility of them coming from the internal network. ISA will report which 'Network' it suspects the attacks to be coming from, but it bases this solely on source IP address, and as most IPs are spoofed it will inaccurately report the network in a lot of instances. It would therefore be more useful to know which NIC it received the traffic on. I have tried adding 'Network Interface' as a column in Logging, but this field is unpopulated for SYN Attack traffic... and yes, 'Log dropped packets' is enabled, so the packets do appear in the logging.

Once we have confirmed the actual source of the attacks we can better investigate preventing them from hitting ISA... probably by means of increasing the protection from upstream NIP devices etc.

Also, I have found that adding the following two registry keys and amending values for them can alter ISA's sensitivity to attacks but have yet to find that doing so is officially supported. Can anyone point me toward any document in this regard?

HKLM\SYSTEM\CurrentControlSet\Services\Fweng\Parameters:

SynAttackHalfOpenEnable
SynAttackHalfOpenDisable


Perhaps I would be better off concentrating on perfecting Spoof Protection, which may stop packets before they are even evaluated by ISA...?

Any assistance gratefully received.

Kind regards,

James
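
Since the 'Network Interface' column stays empty for the dropped SYNs, the ingress NIC has to come from a packet capture taken on each adapter rather than from the ISA log. The script below is an added example (not code from the original post, nor anything shipped with ISA Server): it replays per-NIC capture records, tracks which inbound SYNs never completed a handshake, counts those half-open connections per NIC, and also shows how a source-address-only attribution would have split the same SYNs. The `Packet` records, the `NETWORKS` table, the firewall addresses and the spoofed sources are all constructed for the example; the 1,000 half-open threshold is the figure the post quotes as the ISA default and is not verified here against ISA documentation.

```python
"""Attribute a SYN flood to the NIC it arrived on, not to its (spoofable) source IP.

Replays TCP packet records captured on each firewall interface, tracks
handshakes that an inbound SYN opened but never completed ("half-open"),
and counts them per capture interface. It also tallies what a
source-IP-based attribution would have reported for the same SYNs.
Everything below is constructed for illustration; it is not ISA code.
"""
import ipaddress
from collections import defaultdict
from dataclasses import dataclass

# Figure quoted in the post as ISA's default trigger (assumption, not verified).
HALF_OPEN_ALERT_THRESHOLD = 1000

# Hypothetical network table used for source-IP attribution (assumption).
NETWORKS = {
    "Internal": [ipaddress.ip_network("10.0.0.0/8"),
                 ipaddress.ip_network("192.168.0.0/16")],
}


@dataclass(frozen=True)
class Packet:
    ts: float      # capture timestamp, seconds
    nic: str       # adapter the capture was taken on, e.g. "External" / "Internal"
    inbound: bool  # True if received on nic, False if sent out of it
    src: str
    sport: int
    dst: str
    dport: int
    flags: str     # TCP flag letters: S, A, R, F ("SA" = SYN/ACK)


def network_by_source(ip: str) -> str:
    """What a source-address-only attribution would report for this IP."""
    addr = ipaddress.ip_address(ip)
    for name, ranges in NETWORKS.items():
        if any(addr in r for r in ranges):
            return name
    return "External"


def track_half_open(packets):
    """Per-NIC counters: inbound SYNs, handshakes never completed within the
    capture, completed handshakes, distinct sources, and the source-IP split."""
    pending = {}  # flow key -> nic, for handshakes opened by an inbound SYN
    stats = defaultdict(lambda: {"syn": 0, "half_open": 0, "completed": 0,
                                 "sources": set(),
                                 "by_source_network": defaultdict(int)})
    for p in sorted(packets, key=lambda p: p.ts):
        if not p.inbound:
            continue  # only the initiator's packets change half-open state here
        key = (p.src, p.sport, p.dst, p.dport)
        s = stats[p.nic]
        if "S" in p.flags and "A" not in p.flags:
            pending[key] = p.nic  # bare SYN: handshake opened on this NIC
            s["syn"] += 1
            s["sources"].add(p.src)
            s["by_source_network"][network_by_source(p.src)] += 1
        elif key in pending and ("A" in p.flags or "R" in p.flags):
            nic = pending.pop(key)  # final ACK completes it; RST abandons it
            if "A" in p.flags:
                stats[nic]["completed"] += 1
    for nic in pending.values():
        stats[nic]["half_open"] += 1
    return stats


def attribute_attack(packets, threshold=HALF_OPEN_ALERT_THRESHOLD):
    """Return {nic: report}: whether the per-NIC half-open count crossed the
    threshold, and how the same SYNs look when attributed by source IP."""
    report = {}
    for nic, s in track_half_open(packets).items():
        report[nic] = {
            "syn": s["syn"],
            "half_open": s["half_open"],
            "completed": s["completed"],
            "distinct_sources": len(s["sources"]),
            "over_threshold": s["half_open"] >= threshold,
            "by_source_network": dict(s["by_source_network"]),
        }
    return report


def constructed_capture():
    """Constructed sample: 1,200 bare SYNs from made-up spoofed sources on the
    External NIC, every third one carrying a 10.0.0.0/8 address, plus five
    legitimate handshakes on the Internal NIC that complete normally."""
    fw_ext, fw_int = "203.0.113.10", "10.0.0.1"  # hypothetical firewall addresses
    pkts = []
    for i in range(1200):
        hi, lo = (i >> 8) & 255, i & 255
        src = f"10.{hi}.{lo}.7" if i % 3 == 0 else f"198.51.{hi}.{lo}"
        pkts.append(Packet(0.001 * i, "External", True, src, 1024 + i, fw_ext, 443, "S"))
    for i in range(5):
        src, t = f"10.1.1.{10 + i}", 2.0 + i
        pkts.append(Packet(t, "Internal", True, src, 40000 + i, fw_int, 8080, "S"))
        pkts.append(Packet(t + 0.01, "Internal", False, fw_int, 8080, src, 40000 + i, "SA"))
        pkts.append(Packet(t + 0.02, "Internal", True, src, 40000 + i, fw_int, 8080, "A"))
    return pkts


if __name__ == "__main__":
    for nic, r in attribute_attack(constructed_capture()).items():
        print(nic, r)
```

On the constructed capture the External NIC ends with 1,200 half-open connections (over the threshold) while a source-IP attribution would have credited 400 of those SYNs to the Internal network; the Internal NIC shows five completed handshakes and nothing half-open. Pointing the same logic at a real capture from each adapter gives the per-NIC answer the log cannot.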




Jersey -> RE: SYN Attacks but on which NIC? (20.Jan.2014 6:26:29 AM)

Anyone got any ideas on this one? Determining the NIC upon which the attacks are detected would be most helpful and surely possible!?

Regards,

James



