James T. Kirk
Posts: 11
Registered: ‎08-28-2010

Re: Problems with Port Scan and Syn Flood, and a few questions.

[ Edited ]

After several TCP/UDP scans is when the problem starts, after a while the internet connection stops and if I turn the router off and then back on it starts working again. I don't have to wait any amount of time, just turn it off and then back on and it's back up and running again.

I thought that my service provider may have been experiencing problems and working on their system but they did tell me there have been no reported problems in our area.

This has been happening over the last month. Not sure what's going on.

Expert
Posts: 12,649
Registered: ‎07-16-2006

Re: Problems with Port Scan and Syn Flood, and a few questions.

O.K. That's why it is always better to post logs in the beginning: Go to the Status page of your router and check the IP numbers of your DNS servers. You'll find 24.158.96.130 there.

What you see is not a port scan but simply DNS responses from your ISP. If this is really an attack someone must be able to spoof the DNS server IP address to send DNS packets. Although not absolutely impossible it's very unlikely to happen. If your ISP has problems with spoofing of their DNS server IP addresses they would have serious security issues.

Thus, more likely in this case is a firmware bug of the router. The router incorrectly identifies some DNS traffic as port scan and eventually decides to block the ISP DNS server. In that case you should still be able to ping IP addresses in the internet but not host names because DNS does not work anymore. For example, on a computer "ping 209.85.135.104" should still work but "ping www.google.com" won't.
James T. Kirk
Posts: 11
Registered: ‎08-28-2010

Re: Problems with Port Scan and Syn Flood, and a few questions.

[ Edited ]

Thank you. I've learned a lot from reading your information, and have lots more to learn. If it's a firmware bug then I assume that even if there was an upgrade from version 2 which is what my Wcg200 uses that I would have to get it from my service provider, and from what I have read, and since they don't support Linksys there's nothing I can do. I can understand why it's set up that way, I know there are security issues when it comes to firmware distribution.

The problem seems to be getting better and better the last few days. It just started all of a sudden over the last month, up until then there were no problems at all that I noticed.

Are there any settings in the router that I could change that might help?

Thanks again, I appreciate the information.

James T. Kirk
Posts: 11
Registered: ‎08-28-2010

Re: Problems with Port Scan and Syn Flood, and a few questions.

I just wanted to update and say I believe my problem has been solved and comment about what I believe it was in case it might help others in the future.

I tried everything to stop the syn flood attacks, and I had scanned my computer with everything you could imagine to check it for viruses/spyware and such and never found anything.

Finally, yesterday I tried Iobit's 360 security freeware and scanned my computer, it found a "Trojan Virus", and according to the description this virus was known for causing syn floods and other things, the program removed the trojan virus and it appears the syn floods have stopped altogether. I don't know why the other programs weren't finding this particular virus, perhaps it's new, but it appears that was my entire problem.

I know this isn't always the case with syn floods, but like I said this appears to have been my whole problem.

Just thought I would give anyone following this thread an update.

Thanks for the help and information.

SG-1
Posts: 3
Registered: ‎01-23-2013

Re: Problems with Port Scan and Syn Flood, and a few questions.

i know this topic is old but i was wondering if anyone can help me out

it started recently and only happens when i surf the web does it start up.

these ip are from my 3 pc i have on the network and this jump from pc to pc on who is using the web i had the cable guy come out here and replace everything but it didnt solve the problem i also have wireless network not sure if it active hacker dont know. whatever it is its coming from all 3 of my pc and i fully reinstalled all of them. not sure if i have virus or anything.

                                                            target ip            source ip
LAN-side UDP Flood            1   Wed Jan 23 07:57:26 2013  224.0.0.252:5355     192.168.0.5:49512
TCP- or UDP-based Port Scan   1   Wed Jan 23 07:58:50 2013  174.134.79.205:1346  209.18.47.61:53
SYN Flood                     15  Wed Jan 23 08:00:15 2013  208.100.25.90:80     192.168.0.4:2713
TCP- or UDP-based Port Scan   4   Wed Jan 23 08:21:29 2013  174.134.79.205:1660  209.18.47.61:53
SYN Flood                     25  Wed Jan 23 08:24:00 2013  208.74.204.125:80    192.168.0.3:55981
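
Added example, not part of any post in this thread: the triage the Expert's reply describes (a "port scan" entry whose source is port 53 of the ISP DNS server is a DNS response), extended to separate entries where a LAN computer is the sender. The log entries, the `|`-separated layout, the resolver address and the LAN range are constructed for illustration; the real resolver addresses come from the router's Status page.

```python
import ipaddress
from collections import Counter

# Constructed sample entries: event|count|target ip:port|source ip:port
SAMPLE_LOG = """\
TCP- or UDP-based Port Scan|1|203.0.113.20:1346|198.51.100.53:53
SYN Flood|15|192.0.2.80:80|192.168.0.4:2713
TCP- or UDP-based Port Scan|4|203.0.113.20:1660|198.51.100.53:53
SYN Flood|25|192.0.2.81:80|192.168.0.3:55981
TCP- or UDP-based Port Scan|2|203.0.113.20:445|198.51.100.99:40000
LAN-side UDP Flood|1|224.0.0.252:5355|192.168.0.5:49512
"""
# Assumed values: DNS servers shown on the router Status page, and the LAN range.
RESOLVERS = {ipaddress.ip_address("198.51.100.53")}
LAN = ipaddress.ip_network("192.168.0.0/24")

def split_endpoint(text):
    """Split 'a.b.c.d:port' into (IPv4Address, int)."""
    host, _, port = text.rpartition(":")
    return ipaddress.ip_address(host), int(port)

def classify(event, target, source, resolvers=RESOLVERS, lan=LAN):
    src_ip, src_port = split_endpoint(source)
    dst_ip, _ = split_endpoint(target)
    # "Port scan" sourced from port 53 of a configured resolver: DNS replies.
    if "Port Scan" in event and src_port == 53 and src_ip in resolvers:
        return "dns-response"
    if src_ip in lan:
        # Multicast or LAN targets never leave the local network.
        if dst_ip in lan or dst_ip.is_multicast:
            return "lan-local"
        return "outbound-from-lan"   # a local machine is the sender
    return "unexplained-inbound"     # includes port 53 from an unknown server

def triage(log_text, resolvers=RESOLVERS, lan=LAN):
    """Return (events per label, outbound events per LAN host)."""
    labels, hosts = Counter(), Counter()
    for line in log_text.strip().splitlines():
        event, count, target, source = line.split("|")
        label = classify(event, target, source, resolvers, lan)
        labels[label] += int(count)
        if label == "outbound-from-lan":
            hosts[source.rpartition(":")[0]] += int(count)
    return labels, hosts

if __name__ == "__main__":
    labels, hosts = triage(SAMPLE_LOG)
    print(dict(labels))
    print(hosts.most_common())
```

Entries labelled `outbound-from-lan` name the computer to inspect, while `dns-response` entries match the router false positive described in the Expert's reply.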
earthmyrll120288
Posts: 1,037
Registered: ‎07-13-2012

Re: Problems with Port Scan and Syn Flood, and a few questions.

Hi SG-1,

This could be because of a virus of some sort. You might want to try using different anti-virus software to scan each computer in the network. As James T. Kirk said, he was able to resolve the issue by using Iobit’s 360. If you are using Windows operating system, you can try Microsoft Security Essentials.

Though we are not sure that this is caused by a virus, doing this troubleshooting step might help solve the issue as it helped resolve James’ issue before.

Another explanation is posted by Expert gv in this thread:

"O.K. That's why it is always better to post logs in the beginning: Go to the Status page of your router and check the IP numbers of your DNS servers. You'll find 24.158.96.130 there.

What you see is not a port scan but simply DNS responses from your ISP. If this is really an attack someone must be able to spoof the DNS server IP address to send DNS packets. Although not absolutely impossible it's very unlikely to happen. If your ISP has problems with spoofing of their DNS server IP addresses they would have serious security issues.

Thus, more likely in this case is a firmware bug of the router. The router incorrectly identifies some DNS traffic as port scan and eventually decides to block the ISP DNS server. In that case you should still be able to ping IP addresses in the internet but not host names because DNS does not work anymore. For example, on a computer "ping 209.85.135.104" should still work but "ping www.google.com" won't."

SG-1
Posts: 3
Registered: ‎01-23-2013

Re: Problems with Port Scan and Syn Flood, and a few questions.

thx for the reply i did have microsoft security and i also dl the other anti virus and no threats detected. im still clueless on why it only starts up when i open web browser maybe poor signal from brighthouse

techmein02
Posts: 78
Registered: ‎12-31-2012

Re: Problems with Port Scan and Syn Flood, and a few questions.

[ Edited ]

Is it with only one specific browser? How about using a different antivirus software just to make sure. And also consider using different browsers to further test it. And what is the device that you are using?

SG-1
Posts: 3
Registered: ‎01-23-2013

Re: Problems with Port Scan and Syn Flood, and a few questions.

i am using explorer 9 and microsoft sec. i never had firefox or anything else i dont know of any devices atm.

Jake_2.0
Posts: 2,157
Registered: ‎05-29-2012

Re: Problems with Port Scan and Syn Flood, and a few questions.

[ Edited ]

Hi, it would be best if you will be able to follow techmein02’s instruction just for isolation. By the way, what is the brand and model number of your router? There’s also a possibility that there could be a problem of the firmware so you may need to upgrade the firmware if there’s a new update available.