Welcome to ISAserver.org

SYN Attack Protection is ISA Server 2004...

SYN Attack Protection is ISA Server 2004... - 13.Oct.2004 6:49:00 PM   
fsaifie

 

Posts: 48
Joined: 23.Jul.2004
Status: offline
Hi Tom,

It's me again..
After suffering from the fact that you cannot use web chaining and firewall chaining in a site-to-site VPN scenario (check out the VPN section), now I (actually most of our users) face another problem... ISA Server 2004 generates an alert that it is under SYN attack and it is gonna protect itself, and after that many of our users just can't get to the internet, and guess what, the first victim was our GM... It gives them the box to log in and just doesn't accept credentials, and when it generates an alert again that the system is no longer under SYN attack... everything goes normal... Well, personally I feel it is a good security measure, but not the users... they are pissed... they simply ask why it is happening now, also our managers... they just simply say "WELL... It was not happening before when we had ISA Server 2000... and there was no problem like this and internal users were not suffering then, why now...????" Good question, huh..?
So it looks to me like it is also dropping internal connections to the internet so "[Roll
I went into the registry and want to ask you: what if I disable the SynAttackProtect entry by setting the value to 0... Will it help or will I invite some other problems... also is there any other way to solve this...

Thank you... and I think we really need your book ASAP...
Post #: 1
RE: SYN Attack Protection is ISA Server 2004... - 18.Oct.2004 2:12:00 AM   
tshinder

 

Posts: 50013
Joined: 10.Jan.2001
From: Texas
Status: offline
Hi Faisal,

Why are you getting SYN attacks detected? I've never seen that. Do you know?

Thanks!
Tom

(in reply to fsaifie)
Post #: 2
RE: SYN Attack Protection is ISA Server 2004... - 19.Oct.2004 8:38:00 PM   
fsaifie

 

Posts: 48
Joined: 23.Jul.2004
Status: offline
No Dr.... I don't have any idea... I thought it would be the new feature in ISA 2004... Because it says.. "THE SYSTEM IS UNDER SYN ATTACK AND IT WILL PROTECT ITSELF ACCORDINGLY.." then it was dropping internal users' connections... and after a few minutes... another alert appears "THE SYSTEM IS NO LONGER UNDER SYN ATTACK..." and everything went normal.. WAIT A MINUTE!... you mean it is not normal and there is nothing like it in ISA 2004...? Then it is strange that we were experiencing it... I said "were" because I just reverted back to ISA 2000 and will go back again to ISA 2004 when that web chaining issue is resolved... [Roll Eyes]

(in reply to fsaifie)
Post #: 3
RE: SYN Attack Protection is ISA Server 2004... - 20.Oct.2004 11:06:00 PM   
grinn253

 

Posts: 76
Joined: 12.Jul.2004
From: Seattle
Status: offline
Maybe this will assist?
http://support.microsoft.com/default.aspx?scid=kb;EN-US;838114

Edgardo

(in reply to fsaifie)
Post #: 4
RE: SYN Attack Protection is ISA Server 2004... - 21.Oct.2004 12:41:00 AM   
tshinder

 

Posts: 50013
Joined: 10.Jan.2001
From: Texas
Status: offline
Hey guys,

The ISA firewall will protect itself from SYN attacks, but I'm wondering why you're getting them. Why are the clients attacking the firewall? I'd investigate the clients and see what the problem is.

HTH,
Tom

(in reply to fsaifie)
Post #: 5
RE: SYN Attack Protection is ISA Server 2004... - 21.Oct.2004 10:25:00 PM   
fsaifie

 

Posts: 48
Joined: 23.Jul.2004
Status: offline
The way ISA Server 2004 was picking the clients was random... I mean it was dropping some of the connections, not all of them, and it was happening randomly... not on some particular machines, so I didn't think that somebody from inside was trying to launch any malicious activity... and most of the victims were not very technical guys, they just use HTTP, nothing else... not even some malicious programs like P2P sharing or anything like it. I also used Ethereal to capture network traffic and it seems everything is normal.. Also I was using signatures to block Kazaa and some other programs... But YES... ISA was giving the spoof attack alert as well, and the address mentioned was the address of one of the branch office ISA Servers which was connected via site-to-site VPN... and yes, it will be really interesting to troubleshoot that problem if it happens again in the future, but as I told you, the main reason for us to go back to ISA Server 2000 was the web chaining issue, because branch office users were crying like hell for the internet so we had to go back... so I am waiting for the web chaining fix so that I can again upgrade my ISA Server 2000 to ISA Server 2004...
Thanks a lot once again for your kind help and also thanks to grinn253 for his pointer...
This site really rocks... [Smile]
Faisal S

(in reply to fsaifie)
Post #: 6
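
An added example, not part of the thread and not written by any of its participants: one way to act on the suggestion to investigate the clients is to tally, per source address, how many TCP handshakes were started versus completed in a capture. The CSV layout, addresses, port and thresholds below are constructed assumptions.

```python
import csv
import io
from collections import defaultdict


def build_sample():
    """Constructed capture export: time,src,sport,dst,dport,flags (client packets only)."""
    rows = []
    for i in range(6):  # ordinary client: every SYN is followed by the final ACK
        rows += [f"{i}.0,10.0.0.21,{1050 + i},10.0.0.1,8080,S",
                 f"{i}.1,10.0.0.21,{1050 + i},10.0.0.1,8080,A"]
    for i in range(8):  # noisy client: handshakes are started but mostly left half-open
        rows.append(f"{i}.5,10.0.0.37,{2000 + i},10.0.0.1,8080,S")
    rows.append("7.6,10.0.0.37,2007,10.0.0.1,8080,A")
    return "\n".join(rows)


def half_open_by_source(text, min_syns=5, max_completion=0.5):
    """Return {src: (syns, completed)} for sources whose handshakes mostly never finish."""
    pending = set()            # flows with a SYN seen and no final ACK yet
    syns = defaultdict(int)    # handshakes started per source
    done = defaultdict(int)    # handshakes completed per source
    for row in csv.reader(io.StringIO(text)):
        if len(row) != 6:
            continue           # skip blank or malformed lines
        _time, src, sport, dst, dport, flags = row
        flow = (src, sport, dst, dport)
        if flags == "S":
            if flow not in pending:      # a retransmitted SYN is counted once
                pending.add(flow)
                syns[src] += 1
        elif flags == "A" and flow in pending:
            pending.discard(flow)        # client's final ACK completes the handshake
            done[src] += 1
    return {src: (count, done[src]) for src, count in syns.items()
            if count >= min_syns and done[src] / count < max_completion}


if __name__ == "__main__":
    for src, (started, finished) in half_open_by_source(build_sample()).items():
        print(f"{src}: {started} handshakes started, {finished} completed")
```

A source that appears here may be misconfigured or infected, or its address may be spoofed, so the result is a starting point for checking that machine rather than proof of its intent.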
