Hi Everyone, our organisation is currently experiencing an internal DDoS attack where compromised clients on our internal networks, including from our remote offices via L3 MPLS, are SYN flooding external hosts.
We're getting log messages from our firewall of:
Possible SYN Flood on IF [LAN interface] - src: [internal IP]:54252 dst: [Google Cloud IP]:443
Possible SYN Flood on IF [LAN interface] - src: [internal IP]:49757 dst: [Microsoft]:443 - rate: 377/sec continues
We've run multiple anti-virus scans with Trend Micro and Malwarebytes on the source hosts and found nothing. We have considered dropping the hosts from the network, but since it's distributed there are at least a hundred different end user devices we would need to block. The source port changes, but the destination port is always 443.
The destination address also changes to various different providers (Google, Microsoft, AT&T, etc.)
At the same time, we're also getting port scanned continuously:
Possible port scan detected - TCP scanned port list, 33277, 39671, 2807, 18075, 26461
Does anyone have any ideas on what we can do?
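One practical first step for a situation like the one described above is to turn the firewall's "Possible SYN Flood" and "Possible port scan" messages into a ranked list of internal source hosts, so the hundred-odd devices can be prioritised for isolation and imaging by alert count and peak rate. The script below is an added example and is not code from the original post or from the firewall vendor; the log lines it parses are constructed to match the format quoted in the post, and the interface name, IP addresses and rates in them are made up.

```python
import re
from collections import defaultdict

# Constructed sample firewall log lines in the format quoted in the post.
# The interface name (X0) and every IP address here are made up for the example.
SAMPLE_LOG = """\
Possible SYN Flood on IF X0 - src: 10.10.4.17:54252 dst: 142.250.72.14:443
Possible SYN Flood on IF X0 - src: 10.10.4.17:49757 dst: 40.97.128.2:443 - rate: 377/sec continues
Possible SYN Flood on IF X0 - src: 10.20.8.5:51001 dst: 142.250.72.14:443 - rate: 120/sec continues
Possible SYN Flood on IF X0 - src: 10.10.4.17:60112 dst: 12.130.132.4:443 - rate: 410/sec continues
Possible port scan detected - TCP scanned port list, 33277, 39671, 2807, 18075, 26461
Possible SYN Flood on IF X0 - src: 10.20.8.5:51002 dst: 40.97.128.2:443
"""

# The "- rate: N/sec" suffix only appears on some lines, so it is optional.
SYN_RE = re.compile(
    r"Possible SYN Flood on IF (?P<iface>\S+) - src: (?P<src>[\d.]+):(?P<sport>\d+) "
    r"dst: (?P<dst>[\d.]+):(?P<dport>\d+)(?: - rate: (?P<rate>\d+)/sec)?"
)
SCAN_RE = re.compile(r"Possible port scan detected - TCP scanned port list, (?P<ports>[\d, ]+)")


def parse_syn_flood(line):
    """Return the fields of a 'Possible SYN Flood' line as a dict, or None if it is not one."""
    m = SYN_RE.search(line)
    if not m:
        return None
    f = m.groupdict()
    return {
        "iface": f["iface"],
        "src": f["src"],
        "sport": int(f["sport"]),
        "dst": f["dst"],
        "dport": int(f["dport"]),
        "rate": int(f["rate"]) if f["rate"] else None,  # None when the suffix is absent
    }


def parse_port_scan(line):
    """Return the list of scanned ports from a port-scan line, or None if it is not one."""
    m = SCAN_RE.search(line)
    if not m:
        return None
    return [int(p) for p in m["ports"].split(",") if p.strip()]


def summarize(lines):
    """Aggregate SYN-flood alerts per internal source host and collect port-scan alerts."""
    per_src = defaultdict(lambda: {"events": 0, "dsts": set(), "dports": set(), "max_rate": 0})
    scans = []
    for line in lines:
        ev = parse_syn_flood(line)
        if ev:
            s = per_src[ev["src"]]
            s["events"] += 1
            s["dsts"].add(ev["dst"])
            s["dports"].add(ev["dport"])  # confirms the "always 443" observation over the whole log
            if ev["rate"] is not None:
                s["max_rate"] = max(s["max_rate"], ev["rate"])
            continue
        ports = parse_port_scan(line)
        if ports is not None:
            scans.append(ports)
    return dict(per_src), scans


def triage(per_src):
    """Order source hosts by alert count, then by peak rate: the top of the list gets isolated first."""
    return sorted(
        ((src, s["events"], len(s["dsts"]), s["max_rate"]) for src, s in per_src.items()),
        key=lambda t: (-t[1], -t[3]),
    )


if __name__ == "__main__":
    per_src, scans = summarize(SAMPLE_LOG.splitlines())
    for src, events, ndst, peak in triage(per_src):
        print(f"{src:<15} alerts={events:<3} distinct_dsts={ndst:<3} peak_rate={peak}/sec")
    print("port-scan alerts:", scans)
```

Feeding the real firewall export into `summarize()` instead of `SAMPLE_LOG` gives the same per-host table; the `dports` set shows whether any host deviates from the 443-only pattern, which is worth knowing before writing a blocking rule keyed on that port.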