How to Stop LAN side SYN FLOOD DoS?

**ChaosOrb** · 02-07-2009, 10:51 AM

Good Day Network Experts, I need some advise and technical expertise. I have a friend who has an Internet cafe business, they have at least fifty (50) workstations and growing. All is well and the business is going steady. But one day, they have experience intermittent connection from their Internet Connection, they keep calling their ISP but their ISP keep saying that Internet connection from their end is fine and well.

My friend became desperate, because they are loosing customers for days, and this has been going on for almost two weeks already. So I agreed to help, I isolated their Internet connection and their ISP is true to their word, they have 4.x mbps speed and it's stable. I switch their Internet connection back to LAN, and it went back to normal, after a few hours, there it goes again, intermittent connection and most of the time, no connection at all. I tried to access, their ROUTER settings through the web interface, and all is well and everything is intact and correct. There are also time that I can't access the router page. Again I isolated their router, and accessed the logs, I found out that they are suffering from a Denial of Service attack, and to my surprise, it's not coming form the outside, it's coming form the inside the LAN, from their workstations.

I investigated further and discovered that their workstations are full of worms/trojans/viruses. Upon isolating the workstations, it was confirmed that the workstations are causing the SYN FLOOD attack, workstations made a lot of half-opened connections to the router leaving the router choked and exhausted all resources to create a new connection for other workstation.

I enabled the FIREWALL feature of the ROUTER, and the Internet Connection was stable for a while but down again. But upon reading further, the router's FIREWALL feature is set to defend WAN side DoS(SYN FLOOD) attack, but not from the inside (LAN).

I've search around and I can't get any concrete steps/techniques that would stop SYN FLOOD DoS from the inside. Is there any workaround for this? Have you experience anything like this? How did you overcome this problem without resorting to formatting and doing a fresh install of the workstations?

Below is their Network Structure:

DSL MODEM ----> Edimax Router ---> 2 (24 port) HUBS + 1 (Secure )WIFI AP + 1 Edimax (24 port) HUB/SWITCH

**L1Technician** · 02-07-2009, 11:33 AM

My share of thoughts.

I enabled the FIREWALL feature of the ROUTER, and the Internet Connection was stable. But upon reading further, the router's FIREWALL feature is set to defend WAN side DoS(SYN FLOOD) attack, but not from the inside (LAN). Yes your right.

Ive tried checking my D-Link router configuration page but there is no settings even for my router blocking the LAN side DoS(SYN FLOOD).

As what you have mentioned there workstations are full of worms/trojans/viruses, you could find a remedy for the Floods going on the LAN but still the worms/trojans/viruses is active. And can eat a lot of RAM usage and slowing down the applications.

Since you already isolate the problem, I go for formatting. It may eat a lot of time but its worth it.

Just to add Im not a Network Expert.

**ChaosOrb** · 02-07-2009, 12:19 PM

As of the moment they are reformatting their workstations, that what I told them to do, at least that would solve a lot of issues from their end and that's what causing their main problem.

Their next problem napud ani kay ang mga applications, and online games, heheheh, kabuang jud na sila ug patch..hehehehe

**Rise Clan "flipdruid"** · 02-08-2009, 02:03 PM

same ra man cguro ilahang specs sng mga unit...

mg use nlng cla ug ghostpe pra cloning nlng....

**marber** · 02-08-2009, 09:05 PM

ako kasulay kog ingon ana nga experience sa akong 4 ka branches nga cafe nga akong gi maintain bro. magwala2x ang net, mohinay sad nya usahay dili na maka network. Mao tong ako gyud observe ug maau nya akong nasuta nga naay trojans/virus. ang ako gibuhat ato bro ky mao ni:

1. gi turn off nko ang auto update sa control panel ug gi-disable did2 sa Computer Management >services
2. nya gi reset nko ang winsock using netsh command line tool
3.then download kog hotfix for winxp nya giinstall
4. gi disable nko ang port 135 ug port 445

restart every after doing each step. Apply to all workstations.
Karon ok na kaayo ang dagan sa net. Mas dali ni nga paagi kay sa magreformat ka. Kapoy kayo mag install sa mga games ug mag patch sa online.

**L1Technician** · 02-08-2009, 10:11 PM

Originally Posted by marber

ako kasulay kog ingon ana nga experience sa akong 4 ka branches nga cafe nga akong gi maintain bro. magwala2x ang net, mohinay sad nya usahay dili na maka network. Mao tong ako gyud observe ug maau nya akong nasuta nga naay trojans/virus. ang ako gibuhat ato bro ky mao ni:

1. gi turn off nko ang auto update sa control panel ug gi-disable did2 sa Computer Management >services
2. nya gi reset nko ang winsock using netsh command line tool
3.then download kog hotfix for winxp nya giinstall
4. gi disable nko ang port 135 ug port 445

restart every after doing each step. Apply to all workstations.
Karon ok na kaayo ang dagan sa net. Mas dali ni nga paagi kay sa magreformat ka. Kapoy kayo mag install sa mga games ug mag patch sa online.

But trojans/viruses is still active. It may work but what you have done is a remedy.

Thread: How to Stop LAN side SYN FLOOD DoS?

Thread Tools

Search Thread