I have a terminal server (Windows Server 2012) accessed by several RDP clients that go through a Dell SonicWall firewall (firmware version: SonicOS Enhanced 5.9.1.7-2o). The firewall log keeps reporting that it is getting TCP flood attacks from the server. These come in waves every few minutes, and the destinations are the RDP clients. Does anyone know what could cause this? I don't think it is malware, because the server is clean. Users report that sometimes their clients go down and reconnect, but it does not seem to correlate with the floods. Users also report very slow RDP service. I'm including some firewall log output here; I have tried to look for this issue online but have not found anything similar. Please help! Thanks!
Sample log output:
11:21:35 Oct 15 | 1371 | Warning | Possible TCP Flood on IF X0 - src: 192.168.0.119:3389 dst: 192.168.4.58:58290 - rate: 420/sec continues
11:21:35 Oct 15 | 1369 | Alert | Possible TCP Flood on IF X0 - src: 192.168.0.119:3389 dst: 192.168.4.58:58290
11:18:46 Oct 15 | 1371 | Warning | Possible TCP Flood on IF X0 - src: 192.168.0.119:3389 dst: 192.168.7.110:61503 - rate: 476/sec continues
11:18:46 Oct 15 | 1369 | Alert | Possible TCP Flood on IF X0 - src: 192.168.0.119:3389 dst: 192.168.4.58:58290
11:15:05 Oct 15 | 1371 | Warning | Possible TCP Flood on IF X0 - src: 192.168.0.119:3389 dst: 192.168.4.53:54801 - rate: 852/sec continues
11:15:04 Oct 15 | 1369 | Alert | Possible TCP Flood on IF X0 - src: 192.168.0.119:3389 dst: 192.168.4.53:54801
11:13:58 Oct 15 | 1371 | Warning | Possible TCP Flood on IF X0 - src: 192.168.0.119:3389 dst: 192.168.4.53:54801 - rate: 641/sec continues
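A triage script for log entries like the ones quoted above, added here as an example and not part of the original post. It parses the SonicOS "Possible TCP Flood" lines, groups them per flagged destination with the peak packet rate, and labels each flagged flow by which side of the RDP connection it is: every line in the post has the server's listening port 3389 as the *source* and a high-numbered client port as the *destination*, which is the server-to-client half of an already established RDP session rather than a connection attempt toward the clients. The field separators in the sample lines are assumed (the exact export format depends on the SonicOS log viewer); the regex only relies on the message text, so it tolerates other separators.

```python
import re
from collections import defaultdict
from dataclasses import dataclass
from typing import Optional

RDP_PORT = 3389          # Windows terminal server listening port
EPHEMERAL_MIN = 49152    # default Windows client ephemeral port range starts here

# Constructed sample lines modelled on the entries quoted in the post.
# The "time | id | severity | message" layout is an assumption about the export format.
SAMPLE_LOG = """\
11:21:35 Oct 15 | 1371 | Warning | Possible TCP Flood on IF X0 - src: 192.168.0.119:3389 dst: 192.168.4.58:58290 - rate: 420/sec continues
11:21:35 Oct 15 | 1369 | Alert | Possible TCP Flood on IF X0 - src: 192.168.0.119:3389 dst: 192.168.4.58:58290
11:18:46 Oct 15 | 1371 | Warning | Possible TCP Flood on IF X0 - src: 192.168.0.119:3389 dst: 192.168.7.110:61503 - rate: 476/sec continues
11:18:46 Oct 15 | 1369 | Alert | Possible TCP Flood on IF X0 - src: 192.168.0.119:3389 dst: 192.168.4.58:58290
11:15:05 Oct 15 | 1371 | Warning | Possible TCP Flood on IF X0 - src: 192.168.0.119:3389 dst: 192.168.4.53:54801 - rate: 852/sec continues
11:15:04 Oct 15 | 1369 | Alert | Possible TCP Flood on IF X0 - src: 192.168.0.119:3389 dst: 192.168.4.53:54801
11:13:58 Oct 15 | 1371 | Warning | Possible TCP Flood on IF X0 - src: 192.168.0.119:3389 dst: 192.168.4.53:54801 - rate: 641/sec continues
"""

# Only the message body is matched, so the separators before it do not matter.
FLOOD_RE = re.compile(
    r"^(?P<time>\d{2}:\d{2}:\d{2}).*?Possible TCP Flood on IF (?P<iface>\S+)"
    r" - src: (?P<src_ip>[\d.]+):(?P<src_port>\d+)"
    r" dst: (?P<dst_ip>[\d.]+):(?P<dst_port>\d+)"
    r"(?: - rate: (?P<rate>\d+)/sec)?"
    r"(?P<continues> continues)?"
)


@dataclass
class FloodEvent:
    time: str
    iface: str
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int
    rate: Optional[int]   # only the "continues" warnings carry a rate
    continues: bool       # False for the initial Alert, True for follow-up Warnings


def parse_flood_events(text: str) -> list:
    """Extract every TCP-flood line from a SonicOS log export; other lines are skipped."""
    events = []
    for line in text.splitlines():
        m = FLOOD_RE.search(line)
        if not m:
            continue
        events.append(FloodEvent(
            time=m["time"], iface=m["iface"],
            src_ip=m["src_ip"], src_port=int(m["src_port"]),
            dst_ip=m["dst_ip"], dst_port=int(m["dst_port"]),
            rate=int(m["rate"]) if m["rate"] else None,
            continues=m["continues"] is not None,
        ))
    return events


def classify(ev: FloodEvent) -> str:
    """Which half of an RDP connection was flagged.

    'rdp-return'  : server listening port is the source, client ephemeral port is the
                    destination, i.e. the server's replies inside an accepted session.
    'rdp-inbound' : traffic aimed at port 3389, i.e. connection attempts / client input.
    'other'       : not RDP at all.
    """
    if ev.src_port == RDP_PORT and ev.dst_port >= EPHEMERAL_MIN:
        return "rdp-return"
    if ev.dst_port == RDP_PORT:
        return "rdp-inbound"
    return "other"


def summarize(events: list) -> dict:
    """Per flagged destination host: event count, peak rate, flow classes, alert starts."""
    per_dst = defaultdict(lambda: {"events": 0, "max_rate": 0, "kinds": set(), "alerts": 0})
    for ev in events:
        entry = per_dst[ev.dst_ip]
        entry["events"] += 1
        entry["max_rate"] = max(entry["max_rate"], ev.rate or 0)
        entry["kinds"].add(classify(ev))
        if not ev.continues:
            entry["alerts"] += 1
    return dict(per_dst)


if __name__ == "__main__":
    for dst, info in sorted(summarize(parse_flood_events(SAMPLE_LOG)).items()):
        print(f"{dst:15} events={info['events']} alerts={info['alerts']} "
              f"peak={info['max_rate']}/s kinds={sorted(info['kinds'])}")
```

Run against the real export, every flagged flow landing in `rdp-return` with a single server as source is the pattern to look for in the next step: compare the flagged timestamps with the server's own RDP session and network counters for those minutes, and check whether the firewall's flood threshold is being applied to the server's established-session replies.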