Track down SYN attack
I am having a problem on my TMG 2010 SP2 Update Rollup 4. It is detecting a SYN attack and locking down the network connections until I reboot. I cannot seem to track down the offending IP. Can anyone tell me where to find the log that would have this information? I looked at all the logs around that time, but nothing really jumps out as the culprit. Any help would be appreciated.
January 17th, 2014 10:25pm

Hi,

Before going further, let us check if the log configuration is proper.

http://technet.microsoft.com/en-us/library/bb794937.aspx

How did you judge that your machine is involved in a SYN attack? Is it a TCP half-open attack?

You should configure flood mitigation to defend against similar threats.

http://technet.microsoft.com/en-us/library/cc995121.aspx

Best Regards

Quan Gu

January 19th, 2014 8:14am

I have verified that logging is enabled to MSDE. Also, the flood mitigation settings are configured per the link above. The SYN attack message was an alert in TMG monitoring.

I have some more information now, though. It appears to be caused by a PC with a Zero Access Trojan. We fixed that and no other SYN attacks have happened. I found it by looking at the traffic around each attack and this one internal IP was present at each time. I REALLY wish there was a way to configure TMG to put the IP address of the suspected SYN attack in the alert. That seems like something that everyone would want.

January 20th, 2014 6:12pm
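
The correlation described in the post above (finding the internal IP that appears in the traffic around every alert), as an added example that is not part of the original thread. The CSV layout, sample rows, alert times and the function name `suspects` are constructed for illustration; this is not the TMG log schema, so map your exported log columns onto the four fields used here.

```python
import csv
import io
from collections import Counter, defaultdict
from datetime import datetime, timedelta

# Constructed sample data: simplified export of (time, source IP, destination IP, port).
# Assumption: your firewall log has been exported to rows with these four fields.
SAMPLE_LOG = """\
2014-01-15 09:58:40,10.0.0.21,198.51.100.7,80
2014-01-15 09:59:10,10.0.0.37,203.0.113.5,80
2014-01-15 09:59:11,10.0.0.37,203.0.113.9,80
2014-01-15 09:59:12,10.0.0.37,203.0.113.77,80
2014-01-15 12:00:00,10.0.0.21,198.51.100.7,80
2014-01-16 14:28:00,10.0.0.37,203.0.113.14,80
2014-01-16 14:28:01,10.0.0.37,203.0.113.15,80
2014-01-16 14:31:00,10.0.0.44,198.51.100.9,443
2014-01-17 08:14:30,10.0.0.37,203.0.113.20,80
2014-01-17 08:16:00,10.0.0.21,198.51.100.7,80
2014-01-17 08:30:00,10.0.0.44,198.51.100.9,443
"""
# Constructed alert times, as read from the firewall's alert view.
ALERT_TIMES = ["2014-01-15 10:00:00", "2014-01-16 14:30:00", "2014-01-17 08:15:00"]
FMT = "%Y-%m-%d %H:%M:%S"


def suspects(log_text, alert_times, window_minutes=5):
    """Return [(source_ip, connections_near_alerts)] for sources seen near EVERY alert."""
    alerts = [datetime.strptime(a, FMT) for a in alert_times]
    window = timedelta(minutes=window_minutes)
    seen_in = defaultdict(set)  # source IP -> indexes of the alerts it was seen near
    hits = Counter()            # source IP -> connections logged inside any window
    for row in csv.reader(io.StringIO(log_text)):
        if len(row) != 4:       # skip blank or malformed lines
            continue
        when, src = datetime.strptime(row[0], FMT), row[1]
        for i, alert in enumerate(alerts):
            if abs(when - alert) <= window:
                seen_in[src].add(i)
                hits[src] += 1
    everywhere = [ip for ip, idx in seen_in.items() if len(idx) == len(alerts)]
    # Busiest first; ties broken by IP so the output is stable.
    return sorted(((ip, hits[ip]) for ip in everywhere), key=lambda p: (-p[1], p[0]))


if __name__ == "__main__":
    for ip, count in suspects(SAMPLE_LOG, ALERT_TIMES):
        print(f"{ip}\t{count} connections near alerts")
```

Hosts that are always busy (proxies, DNS servers) will also appear near every alert, so compare the result against traffic from quiet periods before acting on it.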

Hi,

Sorry to say that TMG has been discontinued, so MS may do nothing on it any more.

Best Regards

Quan Gu

January 21st, 2014 12:22am

How could you know the SYN attack IP?

How could we kill a SYN attack?

May 27th, 2015 8:15am

This topic is archived. No further replies will be accepted.
