Detected TCP Flooding attack

[MikeCorsten 0]

Hi

 

 

Wondering if anyone can shed any light on the issue that's just shown from my Eset Smart Security software.

 

I was browsing on my laptop when a pop-up warned me of a detected TCP flooding attack and gave me the IP address which is on my network.

 

I have logged into my router and saw that it was the IP address of my partner's smartphone.

 

I've asked he what she was up to and she said she'd just sent a photo via WhatsApp and then was browsing Facebook.

 

Can anyone shed any light as to what the phone has attempted to do?

 

 

I've looked online but more than likely am Googling the wrong phrase.

 

PS I have run a scan on her phone and nothing has come up.

 

Thanks for reading

[itman 1,659]

It's a denial of service attack as noted here: https://security.radware.com/ddos-knowledge-center/ddospedia/tcp-flood/

 

Question is why was that smartphone connecting through your network? Letting the phone connect through your router is a no-no.

[MikeCorsten 0]

Hi

 

I've totally forgotten that I'd posted this on here.  Some reason I expected to get a notification that I received a reply.

 

Anyway, I do not understand your reply, how else can I get the phone to connect to our home WiFi?

[itman 1,659]

Hi

 

I've totally forgotten that I'd posted this on here.  Some reason I expected to get a notification that I received a reply.

 

Anyway, I do not understand your reply, how else can I get the phone to connect to our home WiFi?

I have a similar situation in my household.

 

My daughter has a smart phone. To safe her on bandwidth charges, her boyfriend set up the phone to use my router's wireless connection w/o my knowledge. All someone needs to do such a setup is to know the SID and passcode which is usually prominently posted on the side or back of the router. Appears you are already aware of all this.

 

If you are running WIN 10, it has an auto proxy feature that will allow devices connected to the router's wireless network to connect to WIn 10's Wi-Fi network. Win 10 actually uses those router's wireless assigned ports to send its telemetry, etc. back and forth from your PC. Eset likewise uses those ports.

 

Appears your partner's smart phone might have malware on it that is attempting to access Win 10's Wi-Fi network. That is what Eset's IDS protection is detecting. Best you remove your partner's smart phone from your router's wireless network until it can be checked out for malware.

[MikeCorsten 0]

The router is set to deny all devices unless added and the SSID isn't the same on the router as I changed it.

 

 

 

 

 

I have several devices that connect to the internet via the router.  Consoles via a wired connection and laptop (Running Win 10)  2 x smartphones and 2 x tablets that connect wirelessly.

 

I've run Eset's own software on her phone and it has detected no threats.

 

I have run another security package on her phone and that also detected no threats.

 

It doesn't make sense.

Edited August 26, 2016 by MikeCorsten

[itman 1,659]

Do you have your firewall profile set to Public?

[MikeCorsten 0]

Nope

[itman 1,659]

FYI - you should always use the Public profile for a wireless network even if the PC is used exclusive in a home environment. That profile enables IDS and corresponding firewall rules to protect your PC from other devices that use your router's LAN. The use of the private profile definitely explains how your partner's smartphone could access your PC.

 

Additionally, I recommend that all file and printer sharing be disable along network discovery for your Wi-Fi connection.

[ken1943 22]

I have three Win 10 computers all with my Daughter's printer and laptop on the same WiFi network. The only thing we can access is the printer. Do some research to find out how Win 10 really works before commenting.

[MikeCorsten 0]

My firewall is set to default to what Eset offers when setting up my home profile upon installation.  So to me, Public doesn't even sound right, in fact, I wouldn't even know this was an option for a home network,  hence my immediate answer.  I don't have any printers on my network.

 

All I was asking was if anyone would be able to shed any light as to what this flood was.  I'm beginning to think it was a false positive

[ken1943 22]

I guess Public would block more activity from a home network, but I doubt that use of it. I also use WiFi with my smart phone when I

am home. I and my Grandsons iPads only have WiFi and I have never seen any problems.

I would just ignore it because the firewall did what it was designed to do.

[MikeCorsten 0]

Magic, I appreciate that ken1943 and I believe you are right in what you are saying.  Many thanks

[itman 1,659]

I have a theory on this. Take with a grain of salt if you wish.

 

Use of smartphones as part of a botnet are well documented on the web. One of the biggest DDos attacks was done against Cloudflare as noted here: hxxp://bhconsulting.ie/securitywatch/?p=2815 . My theory is the smartphone in question is/was part of a botnet. Since the smartphone in question here was connected to a home router LAN, the TCP flood activity was misdirected to the users PC rather than to its original external web server target. 

 

Or ....... Eset has botnet protection. There is not much documentation on how it works or what alerts are displayed. However, it seems logical to me it is using IDS to detect abnormal activity from devices on the LAN such as a flurry of outbound TCP syncs from a device.

Edited August 28, 2016 by itman