Jump to content
bbenz

TCP SYN Flood Attack - Router IP

Recommended Posts

Hello,

ESET Smart Security keeps warning me of a TCP SYN Flood Attack for the past couple months. When I view more information, the IP address is 192.168.1.1 (my router IP). My router is a Netgear Nighthawk AC1750 (R6700v2) if that helps. 

Any ideas on what can be causing this?

Thanks!

eset1.PNG

Share this post


Link to post
Share on other sites

Looks like a weird behavior of the router. For information about TCP SYN flood attack, you can read more here. Since it a trusted device, you can create an exception for the detection by clicking Change handling of this threat.

Share this post


Link to post
Share on other sites

Also check your router settings and ensure your WAN settings are properly setup to prevent DoS attacks. This activity should have been blocked by the router. Also, check your router logs for DoS log entries:

Quote

Manage the WAN Security Settings

The WAN security settings include port scan protection and denial of service (DoS) protection, which can protect your LAN against attacks such as Syn flood, Smurf Attack, Ping of Death, and many others. By default, DoS protection is enabled and a port scan is rejected.

You can also enable the router to respond to a ping to its WAN (Internet) port. This feature allows your router to be discovered. Enable this feature only as a diagnostic tool or if a specific reason exists.

To change the default WAN security settings:

1. Launch a web browser from a computer or mobile device that is connected to the network.

2. Enter http://www.routerlogin.net.

A login window opens.

3. Enter the router user name and password.

The user name is admin. The default password is password. The user name and password are case-sensitive.

The BASIC Home page displays.

4. Select ADVANCED > Setup > WAN Setup.

The WAN Setup page displays.

5. To enable a port scan and disable DoS protection, select the Disable Port Scan and DoS Protection check box.

6. To enable the router to respond to a ping, select the Respond to Ping on Internet Port check box.

7. Click the Apply button.

Your settings are saved.

http://www.downloads.netgear.com/files/GDC/R6700v2/R6700v2_UM_EN.pdf

-EDIT- To ensure your router hasn't been hacked, make sure you change the default password of "password" to a strong password. If it appears your router settings have been changed by other than yourself, reset the router to default settings and reapply any previous custom settings you made. Finally, make sure your Netgear router firmware is up to date since there have been numerous past security vulnerabilities: https://www.cvedetails.com/vulnerability-list/vendor_id-834/Netgear.html .

Edited by itman

Share this post


Link to post
Share on other sites

Thanks - I did notice that I could make an exception, but it has never occurred before, so I wanted to figure it out and see what is actually going on. 

I did just update my router to the newest firmware. I noticed when I logged in there was an update. I have been good about logging on every now and then and updating. Since the newest update, I dont think I have seen the TCP SYN message again. I will continue to monitor over the next few days. 

 

8 hours ago, itman said:

The WAN Setup page displays.

5. To enable a port scan and disable DoS protection, select the Disable Port Scan and DoS Protection check box.

@itman - just to confirm, do I want to actually disable port scan and dos protection? Currently my settings are as follows:

 

eset3.PNG

Share this post


Link to post
Share on other sites
58 minutes ago, bbenz said:

@itman - just to confirm, do I want to actually disable port scan and dos protection?

No. Leave that setting as is.

Share this post


Link to post
Share on other sites
1 hour ago, itman said:

No. Leave that setting as is.

Will do. Also, the issue came back so the firmware update did not fix it. I've had ESET since getting this router and never had the issue. The router also has acted up a couple times the past week or two where the computers do not have internet access. I just wonder if this has to do with the issue.

Share this post


Link to post
Share on other sites

Next time it happens, click on "computer" in the Eset alert and post the IP address shown. Also post a screen shot of your Eset Network log showing the IP address/es associated with the TCP flood alerts.

Share this post


Link to post
Share on other sites
4 hours ago, itman said:

Next time it happens, click on "computer" in the Eset alert and post the IP address shown. Also post a screen shot of your Eset Network log showing the IP address/es associated with the TCP flood alerts.

Please see the attached screenshot. IP address: 192.168.1.1

How do I get the ESET network log?

eset1.PNG

Share this post


Link to post
Share on other sites

I assume 192.168.1.1 is your router's IP address.

Check your router's log to see if DoS log entries exist there. The NetGear .pdf link I provided previously will show how to access the router's log if you don't know how to do so. If no DoS log entries exist there, it appears that the router might be malfunctioning.

Edited by itman

Share this post


Link to post
Share on other sites

Below is a summarize description of what is detailed in the original link posted by @Marcos:

Quote

A SYN Flood attack is where the attacker (there are often many of them) sends a SYN packet to the target. The target then sends an ACK back to the attacker (or the IP that was spoofed by the attacker). During normal TCP session establishment a final ACK would be sent from initiator to the target (ACK'ing the ACK). In a SYN Flood attack this final ACK is never sent by the attacker (or the spoofed IP), causing the target to hold the session half-open until it eventually times out. During such timeout periods if enough sessions can be initiated by the attacker, the targets resources will be depleted and no new connections will be able to be established - A classic example of denial-of-service.

https://github.com/robcowart/elastiflow/issues/126

It appears to me that your router to endpoint device communication is not functioning properly. The router is not sending the final ACK to the endpoint device. Eset's IDS protection sees this resultant activity and throws the TCP SYN Flood attack. There also could be a problem with the Win network settings on the endpoint device.

Share this post


Link to post
Share on other sites

There are a lot of 207.69.0.0/16 subnet addresses in the log you posted. That IP address range is allocated to Earthlink.net. Is Earthlink your ISP? I would contact their tech support about all these TCP SYN ACK transmissions you are receiving and that are being blocked as a DoS attack by your router. You can refer them to your log upload link above. Also one specific IP address I checked, 207.69.195.84, has an imap. prefix for its associated domain name. This makes me think there might be an issue perhaps with their e-mail servers.

Somewhat of a mystery is IP address, 23.34.140.54, which appears to be a legit Akamai address. Again, it appears the issue lies with the transmissions being forwarded by your ISP.

Also your log shows WAN side router DoS attacks being detected and supposed to be dropped by the router there. As far as I am aware of, Eset is unaware of this activity and is only monitoring LAN side router activity. It appears the router is "leaking" WAN side DoS activity to the LAN side and this is what Eset's IDS is detecting. You would have to discuss this with Netgear as to why this might be happening. 

One possibility is that the router has been compromised with malware. Another is the DoS attacks have overwhelmed the router's blocking capability; not a pleasant possibility. Or for some unknown reason, this is by design in regards to TCP SYN Flood attack detection. For the time being, you can modify Eset IDS behavior in regards to this detection not to constantly alert you but still block it and log it if so desired. Refer to this: https://support.eset.com/kb2939/?locale=en_US&viewlocale=en_US on how to do so. If Netgear later informs you this is desired behavior, you can change the Eset IDS actions for this activity for block, notify, and log to "No."

Edited by itman

Share this post


Link to post
Share on other sites

Thank you! Thats a lot of good info. Yes, Earthlink is my ISP. Question - How did you trace the IP's? 

I guess the next step would be to contact Netgear and my ISP to dive deeper into this. The internet cuts out every now and then and sometimes shuts off completely to where i need to reset the modem/router to get it back online.

Share this post


Link to post
Share on other sites
47 minutes ago, bbenz said:

How did you trace the IP's

I use Robtex: https://www.robtex.com/

47 minutes ago, bbenz said:

The internet cuts out every now and then and sometimes shuts off completely to where i need to reset the modem/router to get it back online.

Another possibility of what is occurring is NetGear is controlling the SYN/ACK activity from the LAN side of the router. Eset IDS sees this activity and is blocking it. This in turn eventually locks up the router. Again, you need to get info from Netgear on how the router responds to these TCP SYN flood attacks. It may end up that you will have to have Eset IDS allow this activity from the router, 192.168.1.1, only.

-EDIT- This posting is worth a read; scroll down to the end: https://community.netgear.com/t5/Cable-Modems-Routers/DoS-attack-SYN-Flood-Network-activity-stops/td-p/1504584 . Appears HP printer's might be the culprit.

Edited by itman

Share this post


Link to post
Share on other sites

One last thing.

Your router log is interspersed with ICMP flood entries. This is basically a "ping" attack. What is interesting is they all originate from IP address, 66.151.55.xxx. This address is associated with Internap Corporation who is a major Internet backbone infrastructure provider. Why they would be performing such activity against your device is very much a mystery. Also to be determined is if these are in any way related to the TCP SYN ACK activity.

Are you a gamer by any chance?

Share this post


Link to post
Share on other sites

Create an account or sign in to comment

You need to be a member in order to leave a comment

Create an account

Sign up for a new account in our community. It's easy!

Register a new account

Sign in

Already have an account? Sign in here.

Sign In Now

  • Recently Browsing   0 members

    No registered users viewing this page.

×