[FW-1] Ungodly number of SYN rejects, FW4.1 SP5
I have a client with a 4.1 SP5 firewall running on NT who is seeing an insane number of SYNDefender rejects in the logs. All the rejects show a wide variety of sources inside the internal private address range, which covers two class Cs and accordingly has a lot of workstations. The destinations are similarly all over the map, but single internal hosts are not trying to hit random ranges.

It looks more like internal IP X tries to talk to external IP Y, flames out, the user tries another IP (maybe), and then gives up or hits something else that doesn't give a problem. Later on, we get a similar pattern with another internal IP, with no apparent connection to the first. And so on, and so on.

The firewall is an active SYN gateway.

I don't think I'm looking at compromised systems here -- there are too many of them, security and AV are fairly tight with diligent follow-up and follow-through, and while these were seen before, it looks like stuff got worse after getting the FW up from SP0 (!) to SP5. Also, nobody is reporting dead connectivity, we're just seeing the logs being flooded with junk.

Any ideas? Anyone?
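One way to check the pattern described in the message above against the reject data, as an added example that is not part of the original post or of any Check Point tooling: group rejects per internal source and measure how many distinct destinations each one hits inside a short window. The `timestamp src dst` record layout, the addresses, the window and the threshold are all assumptions made for illustration, and the third host is a constructed contrast case showing what scan-like behaviour would look like.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample, one rejected SYN per line as "timestamp src dst".
# This layout is an assumption, not the FireWall-1 log export format.
SAMPLE = "\n".join(
    ["2000-01-01T09:00:01 192.168.1.10 198.51.100.7",   # X retries Y...
     "2000-01-01T09:00:04 192.168.1.10 198.51.100.7",
     "2000-01-01T09:00:10 192.168.1.10 198.51.100.7",
     "2000-01-01T09:01:30 192.168.1.10 203.0.113.9",    # ...then tries another IP
     "2000-01-01T11:15:00 192.168.2.20 203.0.113.44",   # unrelated host, later
     "2000-01-01T11:15:03 192.168.2.20 203.0.113.44"]
    # Contrast case: one source sweeping many destinations within seconds.
    + [f"2000-01-01T13:00:{i:02d} 192.168.1.99 198.51.100.{i}" for i in range(1, 9)]
)

def parse(text):
    """Yield (datetime, src, dst) for each non-empty record."""
    for line in text.splitlines():
        if line.strip():
            ts, src, dst = line.split()
            yield datetime.fromisoformat(ts), src, dst

def triage(text, window=timedelta(minutes=5), fanout_limit=5):
    """Per source: total rejects, distinct destinations overall, and the
    peak number of distinct destinations seen inside any sliding window."""
    by_src = defaultdict(list)
    for ts, src, dst in parse(text):
        by_src[src].append((ts, dst))
    report = {}
    for src, events in by_src.items():
        events.sort()
        peak, start = 0, 0
        for end in range(len(events)):
            # Shrink the window until it spans at most `window` of time.
            while events[end][0] - events[start][0] > window:
                start += 1
            peak = max(peak, len({d for _, d in events[start:end + 1]}))
        report[src] = {
            "rejects": len(events),
            "dsts": len({d for _, d in events}),
            "peak_fanout": peak,
            # Many distinct targets in a short time suggests scanning;
            # repeats to one or two targets look like retries.
            "verdict": "scan-like" if peak > fanout_limit else "retry-like",
        }
    return report

if __name__ == "__main__":
    for src, row in sorted(triage(SAMPLE).items()):
        print(src, row)
```

Sources that come out retry-like with a handful of destinations match the benign reading in the post; any source with a high peak fan-out is the one worth pulling aside for a closer look.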