Hi,
Before going further, let us check if the log configuration is proper.
http://technet.microsoft.com/en-us/library/bb794937.aspx
How did you judge that your machine is involved in a SYN attack? Is it a TCP half-open attack?
You should configure flood mitigation to defend against similar threats.
http://technet.microsoft.com/en-us/library/cc995121.aspx
Best Regards
Quan Gu
I have verified that logging is enabled to MSDE. Also, the flood mitigation settings are configured per the link above. The SYN attack message was an alert in TMG monitoring.
I have some more information now, though. It appears to be caused by a PC with a Zero Access Trojan. We fixed that and no other SYN attacks have happened. I found it by looking at the traffic around each attack and this one internal IP was present at each time. I REALLY wish there was a way to configure TMG to put the IP address of the suspected SYN attack in the alert. That seems like something that everyone would want.
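The approach described in the post above (look at the traffic around each alert and find the internal IP that is present every time) can be scripted over exported log rows. This is an added example, not part of the original thread and not TMG functionality. The column names, the 10.0.0.0/8 internal range, the 60-second window and all sample rows are assumptions constructed for illustration.

```python
import csv
import io
import ipaddress
from collections import Counter
from datetime import datetime, timedelta

# Constructed sample rows. The column layout is an assumed export format,
# not TMG's own log schema; map your exported fields onto these names.
SAMPLE_LOG = """time,src_ip,dst_ip,dst_port,tcp_flags
2014-01-20 09:14:40,10.0.0.23,198.51.100.7,80,SYN
2014-01-20 09:14:41,10.0.0.23,198.51.100.8,80,SYN
2014-01-20 09:14:50,10.0.0.5,203.0.113.10,443,SYN
2014-01-20 09:15:10,10.0.0.23,198.51.100.9,80,ACK
2014-01-20 13:39:30,10.0.0.23,198.51.100.7,80,SYN
2014-01-20 13:40:20,10.0.0.5,203.0.113.10,443,SYN
2014-01-20 13:40:25,203.0.113.50,10.0.0.2,80,SYN
2014-01-21 08:01:55,10.0.0.23,198.51.100.8,80,SYN
2014-01-21 08:02:05,10.0.0.9,203.0.113.10,80,SYN
2014-01-21 08:12:00,10.0.0.5,203.0.113.10,443,SYN
"""
# Constructed alert times, as they would be read from the monitoring alerts.
SAMPLE_ALERTS = ["2014-01-20 09:15:00", "2014-01-20 13:40:00", "2014-01-21 08:02:00"]
INTERNAL = ipaddress.ip_network("10.0.0.0/8")  # assumed internal range
FMT = "%Y-%m-%d %H:%M:%S"

def load_syns(text):
    """Return (timestamp, src_ip) for every SYN sent from an internal address."""
    rows = csv.DictReader(io.StringIO(text))
    return [(datetime.strptime(r["time"], FMT), r["src_ip"]) for r in rows
            if r["tcp_flags"] == "SYN" and ipaddress.ip_address(r["src_ip"]) in INTERNAL]

def common_sources(alerts, syns, window_s=60):
    """Internal IPs that sent SYNs within window_s of every alert, busiest first."""
    window = timedelta(seconds=window_s)
    per_alert = []
    for a in alerts:
        t = datetime.strptime(a, FMT)
        per_alert.append(Counter(ip for ts, ip in syns if abs(ts - t) <= window))
    if not per_alert:
        return []
    # Keep only hosts seen around every alert; a host absent once is dropped.
    common = set(per_alert[0]).intersection(*per_alert[1:])
    totals = Counter({ip: sum(c[ip] for c in per_alert) for ip in common})
    return totals.most_common()

if __name__ == "__main__":
    for ip, n in common_sources(SAMPLE_ALERTS, load_syns(SAMPLE_LOG)):
        print(f"{ip} sent {n} SYNs across all alert windows")
```

With more alerts in the input, the intersection narrows quickly; a host that merely happened to be busy during one alert drops out.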
Hi,
Sorry to say that TMG has been discontinued, so MS may do nothing on it any more.
Best Regards
Quan Gu
- Marked as answer by Quan Gu (Microsoft contingent staff, Moderator), Monday, February 10, 2014 5:12 AM
How could you know the SYN attack IP?
How could we kill a SYN attack?