James T. Kirk
Posts: 11
Registered: ‎08-28-2010
Accepted Solution

Problems with Port Scan and Syn Flood, and a few questions.


 

I have the WCG200 Cable Gateway. I have noticed over the last month that our connection stops working around the same times every night on a regular basis.

 

In the Administrator logs it shows SYN FLOOD, I've been monitoring this and it doesn't seem to have any effects on my connection based on the time entry in the log.  However a short while afterwards my service provider as shown in the logs as an entry "TCP or UDP Port Scan" shows up, with my service providers IP, and it's at this time that my connection stops working.

 

The only remedy to fix this problem is to turn the router off and back on, which I should mention I don't have to wait any amount of time, just off and on and it's back up and running.

 

I've tried several things to try and remedy this problem. I've selected "Block Fragmented Packets", I've tried setting up Port Forwarding to where when the SYN FLOOD happens it goes to an unused port. I have also set up a DMZ Zone and that doesn't seem to help.

 

The strange thing is, even after getting assigned a new Gateway IP address by leaving my modem unplugged and "Ipconfig /release then /renew", and changing my "LOCAL IP ADDRESS", this problem still occurs.

 

I say the SYN Floods have no effect, but it could be that the last log entry is when the router locked up. But that wouldn't explain the TCP/UDP Port Scans showing up in the logs later, would it?

 

I should mention I have done a complete clean format and reinstall of the operating systems on both our computers to be absolutely sure there is not a virus/spyware causing the problem. And made sure the ROUTER'S FIREWALL IS ON.

 

Also, "Wireless Networking is turned OFF", we don't use wireless, everything is a wired connection.

 

What I find the strangest of all, the part I really can't understand, is the "SYN FLOODS" are always targeting my "LOCAL IP" address - "The address that I give the router which I changed". Even after changing it they always target my local IP address. "If someone were trying to hack my router - HOW could they get that address? And is there any way to prevent them from getting it"? Doesn't matter what I change it to, it's always directed at the LOCAL IP address in my router.

 

As for websites we visit, there are only a few and they are well-known legitimate websites.

 

The SYN Flood IP addresses are not always the same addresses, but over time I have found they are being generated from the same general areas around the country, with about one in every ten coming from another country.

 

Don't know if this will help, but today I turned off "Local DHCP" just to see if that has any effect.

 

Any information would be appreciated on this subject.

 

I should mention that I have contacted my service provider and they said they could not help me because I didn't get the Gateway/Router from them.

 

I'm just looking for ideas on how I might could solve this problem.

 

I am probably going to change service providers due to their lack of support.


Is it possible for someone outside of my ISP's network to get the MAC address of my router and target it with SYN Floods?

 

Thanks in advance for any advice or information.

Expert
Expert
Posts: 12,649
Registered: ‎07-16-2006

Re: Problems with Port Scan and Syn Flood, and a few questions.

1. It's really very difficult to comment on this without seeing those logs. Please post a log extract. That would help a lot. Same for those IP addresses. It would be easier if you simply posted those IP addresses maybe disguising the public IPs.

2. Which logs are you talking about anyway? Logs on your computer or on the router?

3. I don't understand this: "However a short while afterwards my service provider as shown in the logs as an entry "TCP or UDP Port Scan" shows up, with my service providers IP, and it's at this time that my connection stops working". How does your service provider show up in your logs??

4. The attacks do not target your LAN IP address. They target the public IP. If they happened to appear with your private IP address then the attack happens to match an existing connection from your computer to an external IP address or you have forwarding, triggering, DMZ host or UPnP enabled.

5. If your ISP does not want to help you with SYN FLOOD or port scan problems which affect your internet connection then you should change the ISP. There is absolutely nothing you can do about this. Once the traffic arrives at your end it's already clogged up your bandwidth. The only place where something can be done is in the ISP network. All you can do is drop the traffic which happens automatically. But that won't free any bandwidth on your internet link.

6. The local IP address is useless in the internet. No one is able to access your network with the private IP address like 192.168.1.*.

7. MAC addresses are only valid within an ethernet network. No one outside the ISP network is able to make any use of it or use it to address your computer or router.
James T. Kirk
Posts: 11
Registered: ‎08-28-2010

Re: Problems with Port Scan and Syn Flood, and a few questions.

Thanks, I'll post the logs here in a day or two. I reset my router so everything would be default settings. The only things that I changed from the default settings were :

 

1 : I turned on "Block Fragmented Packets".

2: Turned off wireless connectivity, only our 2 wired computers can use the router.

3: Of course I changed the password and made sure "Remote Administration was turned off".

 

Everything else is set to factory defaults. When I reset the router I lost the logs, that's why it's going to take a few days, I have no doubt I will have the same problems.

 

Something I should mention, I can turn off the router and use one computer at a time just using the modem and don't have any problems with the connection whatsoever. Although it limits us to 1 computer at a time where I have to unplug one cable and plug in the other to use another computer.

 

What exactly does the firewall in the router cover? Does it just protect the router or is it a secondary protection for the pcs connected to it? The reason I ask, if it's not needed can I turn it off and let our PC's firewall protect the connection?  What I am wondering is, since I have no problem when I turn the router off and it's not using the firewall, could the firewall be the whole problem?

 

 

forsaken
Posts: 2,800
Registered: ‎09-07-2006

Re: Problems with Port Scan and Syn Flood, and a few questions.

You can definitely try to disable the firewall on the router and check if that helps you.

Also, try to upgrade/re-flash the firmware on the router and then check.

James T. Kirk
Posts: 11
Registered: ‎08-28-2010

Re: Problems with Port Scan and Syn Flood, and a few questions.

Thank you for replying. I have one question though, if I understand this right then the Firewall on the router is more like a secondary hardware protection to defend your computer.

 

I have a good firewall on my computer, I am currently using Comodo.

 

If I turn off the Router Firewall will it leave the router exposed to any type of attack? That's my only concern. I don't have a great enough understanding of exactly what the Firewall does.

 

Can a hacker attack hardware such as a router without the Firewall on? I know it has memory for saving its configuration and that's my only concern with turning it off. I wonder if they couldn't somehow use that small memory saving location as a hub for transmitting viruses or gathering information from my computers as they transmit through the router without the firewall turned on.

LOL, I apologize for all the questions, I'm trying to figure this problem out and don't know enough about it to properly explain things.

 

 

Expert
Expert
Posts: 12,649
Registered: ‎07-16-2006

Re: Problems with Port Scan and Syn Flood, and a few questions.

1. Never ever turn off the firewall of the router. The firewall of the router protects the router. Without firewall you make the router vulnerable to attack from the internet. You don't want to operate your router without the firewall.

2. The firewall protects the router not your computer. It's not a "secondary hardware protection". You gain some additional protection on your computer because you use private IP addresses inside your LAN and thus NAT on the router. But NAT and firewall are two different functions.

3. The best firewall is the user in front of it.
James T. Kirk
Posts: 11
Registered: ‎08-28-2010

Re: Problems with Port Scan and Syn Flood, and a few questions.

Thank you! 

 

That answers my question as to what exactly it is that the firewall on the router does.

 

If you search the internet it gets confusing because there are so many people who talk about not even using a firewall on their router.

 

I knew that your computers needed a Firewall, I just wasn't sure about the router.

 

I am leaving it on. 

 

The Syn Floods have started to get less and less the last day or so. And the TCP/UDP scan by my ISP are getting less and less. But it's still causing a problem. 

 

Something that seemed to have helped, but I didn't like it because it left me in the dark: I turned off the logging feature for port scans. That seemed to help. Maybe I am just thinking this hoping things are better. What I was thinking is if the scans are confusing the router and halting the connection on the router with the high numbers on the reporting then perhaps turning it off altogether might prevent the router from getting confused, that is if it is a flooding problem.

 

I'm guessing on all of this.

 

Thanks again

 

 

Expert
Expert
Posts: 12,649
Registered: ‎07-16-2006

Re: Problems with Port Scan and Syn Flood, and a few questions.

I still don't understand what you mean with "TCP/UDP scan by my ISP". Your ISP should not scan anything. I don't understand what makes you think your ISP scans your router...
James T. Kirk
Posts: 11
Registered: ‎08-28-2010

Re: Problems with Port Scan and Syn Flood, and a few questions.


This entry that says source in the Administrator logs in the router. When I check the address on the IP checking sites it comes back as my service provider.

 

 

Description                  Counter  Last                      Target         Source
TCP- or UDP-based Port Scan  19       Tue Sep 07 17:33:44 2010  My IP address  24.158.96.130:53

 

 

The IP from the source comes back as Charter which is my service provider. At least that's what the "What is my IP" is telling me when I enter that address. I don't understand it, and they are unwilling to help me with anything since I don't use their "Net Gear" brand router.

 

I will probably be changing service providers at the end of the month, until then I'm stuck with what I got.

 

Thank you for the reply and information.

 

 

James T. Kirk
Posts: 11
Registered: ‎08-28-2010

Re: Problems with Port Scan and Syn Flood, and a few questions.

Here are my recent Firewall logs from the Administration menu -

 

My internet IP has been replaced with the "*" symbol, although I left my local IP.

 

Firewall Log
------------
TCP- or UDP-based Port Scan (24) DETECTED on Tue Sep 07 19:08:43 2010
 targeting ***********, sent from 24.158.96.130,53

SYN Flood (41) DETECTED on Tue Sep 07 19:10:07 2010
 targeting 192.168.0.12,50819, sent from 184.51.202.43,80

TCP- or UDP-based Port Scan (7) DETECTED on Wed Sep 08 03:52:54 2010
 targeting ***********, sent from 24.158.96.130,53

SYN Flood (10) DETECTED on Wed Sep 08 04:28:59 2010
 targeting 192.168.0.10,1294, sent from 72.21.91.19,80

TCP- or UDP-based Port Scan (1) DETECTED on Wed Sep 08 04:29:03 2010
 targeting ************, sent from 24.158.96.130,53

SYN Flood (3) DETECTED on Wed Sep 08 04:36:43 2010
 targeting 192.168.0.10,1397, sent from 199.7.71.72,80

TCP- or UDP-based Port Scan (3) DETECTED on Wed Sep 08 06:27:21 2010
 targeting ***************, sent from 24.158.96.130,53

SYN Flood (2) DETECTED on Wed Sep 08 06:27:41 2010
 targeting 192.168.0.10,2078, sent from 64.135.77.120,80

TCP- or UDP-based Port Scan (7) DETECTED on Wed Sep 08 10:30:59 2010
 targeting ****************, sent from 24.158.96.130,53

SYN Flood (2) DETECTED on Wed Sep 08 12:29:56 2010
 targeting 192.168.0.12,50176, sent from 74.120.15.30,80

TCP- or UDP-based Port Scan (1) DETECTED on Wed Sep 08 12:30:00 2010
 targeting **************, sent from 24.158.96.130,53
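
A triage pass over the firewall log format posted above, added here as an example and not part of the original posts or the router's software: it marks entries whose source port is a well-known service port as probable reply traffic to connections opened from the LAN, the situation described in point 4 of the first reply. The port list, the 1024 threshold and the function names are assumptions of the example.

```python
import ipaddress
import re

# Two-line entry format of the router's firewall log, as posted in the thread.
ENTRY = re.compile(
    r"^(?P<kind>.+?) \((?P<count>\d+)\) DETECTED on (?P<when>.+?)[ \t]*\n"
    r"[ \t]*targeting (?P<dst>[^,\s]+)(?:,(?P<dport>\d+))?, "
    r"sent from (?P<src>[^,\s]+),(?P<sport>\d+)", re.M)

# Assumption of this example: a well-known service port as the SOURCE port,
# aimed at a high (ephemeral) port, suggests a server reply, not an attack.
SERVICE_PORTS = {53: "DNS", 80: "HTTP", 443: "HTTPS"}

def is_lan(addr):
    try:
        return ipaddress.ip_address(addr).is_private
    except ValueError:  # masked address such as "***********"
        return False

def triage(log_text):
    rows = []
    for m in ENTRY.finditer(log_text):
        service = SERVICE_PORTS.get(int(m["sport"]))
        dport = int(m["dport"]) if m["dport"] else None
        if service and (dport is None or dport >= 1024):
            verdict = f"likely {service} reply"
        else:
            verdict = "unexplained"
        rows.append({"kind": m["kind"], "count": int(m["count"]),
                     "source": f'{m["src"]}:{m["sport"]}',
                     "nat_mapped": is_lan(m["dst"]), "verdict": verdict})
    return rows

# First two entries are copied from the log posted above; the third is
# constructed for this example (documentation address, invented ports).
SAMPLE = """\
TCP- or UDP-based Port Scan (24) DETECTED on Tue Sep 07 19:08:43 2010
 targeting ***********, sent from 24.158.96.130,53

SYN Flood (41) DETECTED on Tue Sep 07 19:10:07 2010
 targeting 192.168.0.12,50819, sent from 184.51.202.43,80

SYN Flood (500) DETECTED on Tue Sep 07 19:12:00 2010
 targeting 192.168.0.12,80, sent from 203.0.113.5,40000
"""

if __name__ == "__main__":
    for row in triage(SAMPLE):
        print(row)
```

A `nat_mapped` value of True means the router logged a LAN address as the target, which it can only do after matching the packet to a NAT entry or a forwarding rule.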