09-03-2010 08:47 AM - edited 09-03-2010 08:53 AM
I have the WCG200 Cable Gateway. I have noticed over the last month that our connection stops working around the same times every night on a regular basic.
In the Administrator logs it shows SYN FLOOD, I've been monitoring this and it doesn't seem to have any effects on my connection based on the time entry in the log. However a short while afterwards my service provider as shown in the logs as an entry "TCP or UDP Port Scan" shows up, with my service providers IP, and it's at this time that my connection stops working.
The only remedy to fix this problem is to turn the router off and back on, which I should mention I don't have to wait any amount of time, just off and on and it's back up and running.
I've tried several things to try and remedy this problem, I've selected "Block Fragmented Packets", I've tried setting up Port Forwarding to where then the SYN FLOOD Happens it goes to an unused port. I have also setup a DMZ Zone and that doesn't seem to help.
The strange thing is, even after getting assigned a new Gateway IP address by leaving my modem unplugged and "Ipconfig /release then /renew", and changing my "LOCAL IP ADDRESS" . This problem still occurs.
I say the SYN Floods have no effect, but it could be that the last log entry is when the router locked up, "But that wouldn't explain the TCP/UDP Port Scans showing up in the logs later would it:?
I should mention I have done complete clean format and reinstall of the operating systems on both our computers to be absolutelly sure there is not a virus/spyware causing the problem. And made sure the ROUTERS FIREWALL IS ON.
Also, "Wireless Networking is turned OFF", we don't use wireless, everything is a wired connection.
What I find the strangest of all, the part I really can't understand is the "SYN FLOODS" are always Targeting my "LOCAL IP" address - "The address that I give the router which I changed", Even after changing it they always target my local ip address. "If someone were trying to hack my router - HOW could they get that address? And is there anyway to prevent them from getting it"? Doesn't matter what I change it to, it's always directed at LOCAL IP address in my router.
As for Website we vist there are only a few and they are well known legitamite websites.
The Syn Flood IP Address are not always the same addresses, but, over time I have found they are being generated from the same general areas around the country with once in about every ten coming from another country.
Don't know if this will help, but today I turned off "Local DHCP" just to see if that has any effect.
Any information would be appreaciated on this subject.
I should mention that I have contacted my service provider and they said they could not help me because I didn't get the Gateway/Router from them.
I'm just looking for ideals on how I might could solve this problem.
I am probably going to change service providers due to their lack of support.
Is it possible for someone outside of my ISP's network to get the Mac Address of my router and target it with SYN Floods?
Thanks in advance for any advice or information.
Solved! Go to Solution.
09-03-2010 10:27 AM
09-05-2010 09:02 AM
Thanks, I'll post the logs here in a day or two. I reset my router so everything would be default settings. The only things that I changed from the default settings were :
1 : I turned on "Block Fragmented Packets".
2: Turned off wireless connectivity, only our 2 wired computers can use the router.
3: Ofcourse I changed the password and made sure "Remote Administration was turned off".
Everything else is set to factory defaults. When I reset the router I lost the logs, that's why it's going to take a few days, I have no doubt I will have the same problems.
Something I should mention, I can turn off the router and use one computer at a time just using the modem and don't have any problems with the connection whatsoever. Although it limits us to 1 computer at a time where I have to unplug one cable and plug in the other to use another computer.
What exactly does the firewall in the router cover? Does it just protect the router or is it a secondary protection for the pcs connected to it? The reason I ask, if it's not needed can I turn it off and let our PC's firewall protect the connection? What I am wondering is, since I have no problem when I turn the router off and it's not using the firewall, could the firewall be the whole problem?
09-06-2010 02:10 PM
You can definitely try to disable the firewall on the router and check if that helps you.
Also, try to upgrade/re-flash the firmware on the router and then check.
09-07-2010 08:10 AM
Thank you for replying. I have one question though, if I understand this right then the Firewall on the router is more like a secondary hardware protection to defend your computer.
I have a good firewall on my computer, I am currently using Comodo.
If I turn off the Router Firewall will it leave the router exposed to any type of attack? That's my only concern. I don't have a great enough understanding of exactly what the Firewall does.
Can a hacker Attack hardware such as a router without the Firewall on? I know it has memory for saving it's configuration and that's my only concern with turning it off. I wonder if they couldn't somehow use that small memory saving location as a hub for transmitting viruses or gathering information from my computers as they transmit through the router without the firewall turned on.
LOL, I apologize for all the questions, I'm trying to figure this problem out and don't know enough about it to properly explain things.
09-07-2010 08:35 AM
09-07-2010 09:15 AM
That answers my question as to what exactly it is that the firewall on the router does.
If you search the internet it get's confusing because there are so many people who talk about not even using a firewall on their router.
I knew that your computers needed a Firewall, I just wasn't sure about the router.
I am leaving it on.
The Syn Floods have started to get less and less the last day or so. And the TCP/UDP scan by my ISP are getting less and less. But it's still causing a problem.
Something that seemed to have helped, but I didn't like it because it left me in the dark. I turned off the logging feature for port scans. That seemed to help. Maybe I am just thinking this hoping things are better. What I was thinking is if the scans are confusing the router and haulting the connection on the router with the high numbers on the reporting then perhaps turning it off altogether might prevent the router from getting confused, that is if that is if it is a flooding problem.
I'm guessing on all of this.
09-07-2010 09:55 AM
09-07-2010 03:49 PM - edited 09-07-2010 03:50 PM
This entry that says source in the Administrator logs in the router. When I check the address on the ip checking sites it comes back as my service provider.
Description Counter Last Target Source
|TCP- or UDP-based Port Scan||19||Tue Sep 07 17:33:44 2010|| My IP address ||18.104.22.168:53|
The IP from the source comes back as Charter which is my service provider. At least that's what the "What is my Ip" is telling me when I enter that address. I don't understand it, and they are unwilling to help me with anything since I don't use their "Net Gear" brand router.
I will probably be changing service providers at the end of the month, until then I'm stuck with what I got.
Thank you for the reply and information.
09-08-2010 10:48 AM
Here are my recent Firewall logs from the Administration menu -
My internet IP has been replaced with the "*" symbol, although I left my local IP.
TCP- or UDP-based Port Scan (24) DETECTED on Tue Sep 07 19:08:43 2010
targeting ***********, sent from 22.214.171.124,53
SYN Flood (41) DETECTED on Tue Sep 07 19:10:07 2010
targeting 192.168.0.12,50819, sent from 126.96.36.199,80
TCP- or UDP-based Port Scan (7) DETECTED on Wed Sep 08 03:52:54 2010
targeting ***********, sent from 188.8.131.52,53
SYN Flood (10) DETECTED on Wed Sep 08 04:28:59 2010
targeting 192.168.0.10,1294, sent from 184.108.40.206,80
TCP- or UDP-based Port Scan (1) DETECTED on Wed Sep 08 04:29:03 2010
targeting ************, sent from 220.127.116.11,53
SYN Flood (3) DETECTED on Wed Sep 08 04:36:43 2010
targeting 192.168.0.10,1397, sent from 18.104.22.168,80
TCP- or UDP-based Port Scan (3) DETECTED on Wed Sep 08 06:27:21 2010
targeting ***************, sent from 22.214.171.124,53
SYN Flood (2) DETECTED on Wed Sep 08 06:27:41 2010
targeting 192.168.0.10,2078, sent from 126.96.36.199,80
TCP- or UDP-based Port Scan (7) DETECTED on Wed Sep 08 10:30:59 2010
targeting ****************, sent from 188.8.131.52,53
SYN Flood (2) DETECTED on Wed Sep 08 12:29:56 2010
targeting 192.168.0.12,50176, sent from 184.108.40.206,80
TCP- or UDP-based Port Scan (1) DETECTED on Wed Sep 08 12:30:00 2010
targeting **************, sent from 220.127.116.11,53