I keep getting all kinds of SYN Flood, UDP Flood, and Land Attacks recorded in the firewall log of my router. They are attacks coming from within the network. There are about 50 people connected to this network with their personal laptops, etc. Any ideas how to catch the culprits and stop the attacks? They keep causing the router to crash. The IP addresses recorded are usually spoofed.
jelze had written this in response to
Grab the MAC address from the spoofed packets and check ARP tables on your switches.
------------------------------------- Sean wrote:
Layer 2 is the only way to find it if the ip's are spoofed. For that matter they may be spoofing layer 2 as well. If that is the case check your switches for interface counters and see if one port is sending alot more traffic than another. Keep in mind if your VLANing then your trunk ports will be on that list of high traffic.
Once you find your high traffic ports/mac addresses of the offender, unplug them from the switch and verify if your still having problems.
Just dont unplug your trunk ports unless your willing to face the wrath of the angry mob of users who will be looking to have your head when they can't connect anymore to the network.
Good luck.
Cabling-Design.com Forums website is not affiliated with any of the manufacturers or service providers discussed here. All logos and trade names are the property of their respective owners.