Leaderboard


Popular Content

Showing content with the most kudos on 02/09/2019 in all areas

  1. 1 point
    itman

    TCP SYN Flood Attack - Router IP

    There are a lot of 207.69.0.0/16 subnet addresses in the log you posted. That IP address range is allocated to Earthlink.net. Is Earthlink your ISP? I would contact their tech support about all these TCP SYN ACK transmissions you are receiving that are being blocked as a DoS attack by your router. You can refer them to your log upload link above. Also, one specific IP address I checked, 207.69.195.84, has an "imap." prefix for its associated domain name. This makes me think there might be an issue, perhaps, with their e-mail servers. Somewhat of a mystery is IP address 23.34.140.54, which appears to be a legit Akamai address. Again, it appears the issue lies with the transmissions being forwarded by your ISP.

    Also, your log shows WAN side router DoS attacks being detected and supposedly dropped by the router there. As far as I am aware, Eset is unaware of this activity and is only monitoring LAN side router activity. It appears the router is "leaking" WAN side DoS activity to the LAN side, and this is what Eset's IDS is detecting. You would have to discuss this with Netgear as to why this might be happening. One possibility is that the router has been compromised with malware. Another is that the DoS attacks have overwhelmed the router's blocking capability; not a pleasant possibility. Or, for some unknown reason, this is by design in regard to TCP SYN Flood attack detection.

    For the time being, you can modify Eset IDS behavior in regard to this detection so that it does not constantly alert you but still blocks it and logs it, if so desired. Refer to this: https://support.eset.com/kb2939/?locale=en_US&viewlocale=en_US on how to do so. If Netgear later informs you this is desired behavior, you can change the Eset IDS actions for this activity for block, notify, and log to "No."
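The triage steps the reply above walks through by hand (spotting that most blocked sources sit in one /16, checking a range such as 207.69.0.0/16, and noticing that the packets are SYN-ACKs rather than bare SYNs) can be scripted. The following is an added example, not code from the poster, ESET or Netgear; the log line format and the sample lines are constructed for illustration and do not reproduce any real router or IDS log format. It parses the blocked events, aggregates sources by /16, lists the sources inside a given CIDR, and classifies each event as an inbound SYN (a connection attempt) or a SYN-ACK to a high port (a reply to a connection, which is either a server answering a LAN host or backscatter from a third party that received spoofed SYNs carrying your address).

```python
import ipaddress
import re
from collections import Counter

# Constructed sample log lines (illustrative format only; not ESET's or Netgear's real format).
SAMPLE_LOG = """\
2019-02-09 10:01:02 [DoS Attack: TCP SYN Flood] from 207.69.195.84:993 to 192.168.1.10:51234 flags=SA action=blocked
2019-02-09 10:01:02 [DoS Attack: TCP SYN Flood] from 207.69.195.85:993 to 192.168.1.10:51235 flags=SA action=blocked
2019-02-09 10:01:03 [DoS Attack: TCP SYN Flood] from 207.69.200.12:443 to 192.168.1.10:51236 flags=SA action=blocked
2019-02-09 10:01:04 [DoS Attack: TCP SYN Flood] from 23.34.140.54:443 to 192.168.1.10:51237 flags=SA action=blocked
2019-02-09 10:01:05 [DoS Attack: TCP SYN Flood] from 198.51.100.7:40000 to 192.168.1.10:22 flags=S action=blocked
2019-02-09 10:01:06 [DoS Attack: TCP SYN Flood] from 198.51.100.7:40001 to 192.168.1.10:22 flags=S action=blocked
"""

# Field pattern for the constructed format above; adapt it to the real log you are looking at.
LINE_RE = re.compile(
    r"from (?P<src>\d{1,3}(?:\.\d{1,3}){3}):(?P<sport>\d+) "
    r"to (?P<dst>\d{1,3}(?:\.\d{1,3}){3}):(?P<dport>\d+) "
    r"flags=(?P<flags>[A-Z]+)"
)


def parse_log(text):
    """Return one dict per parseable line; lines without the expected fields are skipped."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.search(line)
        if not m:
            continue
        events.append({
            "src": m["src"], "sport": int(m["sport"]),
            "dst": m["dst"], "dport": int(m["dport"]),
            "flags": m["flags"],
        })
    return events


def classify(event):
    """Distinguish unsolicited connection attempts from replies to connections.

    A SYN-ACK arriving at a high (ephemeral) port is the second step of a handshake:
    either a server answering something a LAN host sent, or backscatter from a third
    party that was hit with SYNs spoofed to carry our address. A bare SYN aimed at a
    service port is an inbound connection attempt.
    """
    if event["flags"] == "SA" and event["dport"] >= 1024:
        return "syn-ack reply (check LAN host traffic or suspect backscatter)"
    if event["flags"] == "S":
        return "inbound SYN (connection attempt)"
    return "other"


def count_by_prefix(events, prefixlen=16):
    """Aggregate source addresses into /prefixlen networks to spot a dominant range."""
    counts = Counter()
    for e in events:
        net = ipaddress.ip_network(f"{e['src']}/{prefixlen}", strict=False)
        counts[str(net)] += 1
    return counts


def sources_in(events, cidr):
    """Distinct source addresses inside cidr, e.g. the 207.69.0.0/16 range named in the post."""
    net = ipaddress.ip_network(cidr)
    hits = {e["src"] for e in events if ipaddress.ip_address(e["src"]) in net}
    return sorted(hits, key=ipaddress.ip_address)


def summarize(text):
    """Run the whole triage over a log text and return the aggregated findings."""
    events = parse_log(text)
    return {
        "events": len(events),
        "by_prefix": count_by_prefix(events),
        "by_class": Counter(classify(e) for e in events),
        "in_207_69": sources_in(events, "207.69.0.0/16"),
    }


if __name__ == "__main__":
    s = summarize(SAMPLE_LOG)
    print(f"{s['events']} blocked events")
    for net, n in s["by_prefix"].most_common():
        print(f"  {net:<20} {n}")
    for kind, n in s["by_class"].items():
        print(f"  {kind}: {n}")
    print("sources in 207.69.0.0/16:", ", ".join(s["in_207_69"]))
```

Run against a real log, the useful outputs are the per-/16 counts (one range dominating points at a single upstream network rather than a distributed flood) and the flag classification: a "SYN flood" made entirely of SYN-ACKs to ephemeral ports is not the router being hammered with connection attempts, which is the detail worth putting in front of the ISP or router vendor.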