[Help] Syncflood attack on Belkin in Security

[Help] Syncflood attack on Belkin in Security http://www.dslreports.com/forum/r22548453 en Fri, 04 Dec 2009 20:55:05 EDT Fri, 04 Dec 2009 20:55:05 EDT Re: [Help] Syncflood attack on Belkin http://www.dslreports.com/forum/remark,22637400 anon : Pick an internal address outside of the address block you are using and forward the offending port to that address.

Before doing that though, I recommend you check with the owner of the router and make sure he's not using a torrent prog, my solution could mess him up.]]> http://www.dslreports.com/forum/remark,22637400 Tue, 30 Jun 2009 22:50:45 EDT Re: [Help] Syncflood attack on Belkin http://www.dslreports.com/forum/remark,22582714 EGeezer : as NetFixer

says, the random ports and IPs are usual internet noise, the packets to know services are usually bots scanning for vulnerabilities or issuing messenger spam, so changing your IP won't stop that stuff.

It appears the for one reason or another, your present router is unable to deal with these common packets. You might try manually updating the firmware for your model. Be sure you have the firmware for the model and hardware version of your router. The model/version information should be on the serial number label.

Ultimately, though, I'll vote with NetFixer

, Woody79_00

, Its a Secret

on recommendations. As sivran

indicated, be prepared for possible issues when you change the router.

First, I'd dump the Belkin. It's rudimentary at best. No SYSLOG capability unless your router supports third party firmware. Many Linksys (and other) routers also don't have syslog ability unless you use third party firmware. When I contacted Linksys sales, they were very obtuse about syslog capabilities, and I had to quiz them very hard on syslog. After several minutes on hold while they tried to find someone knowledgeable, they finally admitted the models I referenced did not have syslog capability. The router NetFixer

uses is a fine piece of equipment, but if it's a bit out of your price range, see a list of popular routers that provide syslog at »www.linklogger.com/download.htm . Link Logger

is a frequent contributing member here. He does good work :) [/plug]

Second, on changing routers; After swapping out routers, I found I had to hard reset Time Warner's and Comcast's modems to get the internet connection to come up on those services. That may be true for other ISPs too. If that doesn't work for you, call the ISP, let them know you replaced the router and they will step you through or re-authorize your router for you.
--
The greatest dangers to liberty lurk in insidious encroachment by men of zeal, well-meaning but without understanding. -- Justice Louis D. Brandeis]]> http://www.dslreports.com/forum/remark,22582714 Sat, 20 Jun 2009 11:43:18 EDT Re: [Help] Syncflood attack on Belkin http://www.dslreports.com/forum/remark,22582265 WeenieBoy : To get a new IP try changing the MAC address on your router. There should be an option to clone a mac. I would cut your real mac out and change the last character then restart your router. This should get you a new IP address. Worth a shot.]]> http://www.dslreports.com/forum/remark,22582265 Sat, 20 Jun 2009 09:02:27 EDT Re: [Help] Syncflood attack on Belkin http://www.dslreports.com/forum/remark,22578919 sivran : Pretty much.

quote:
I did want to ask about WAN ping blocking because ours is enabled and there have been two pingdeath attacks since my last post from Lemon Grove, California lol. Belkin says I'm protected against that but my internet sure did slow down to a crawl when it happened.

Responding to pings is a good thing. Your router also sounds pretty wimpy, try to get it replaced. You can get fairly decent deals on older model WRT-54G's (the older ones have more memory) on ebay. You could probably even find some with DD-WRT or Tomato already installed.
--
The right of the people to be secure in their persons, houses, papers, and effects, against unreasonable searches and seizures, shall not be violated, and no warrants shall issue, but upon profitable cause...]]> http://www.dslreports.com/forum/remark,22578919 Fri, 19 Jun 2009 15:12:31 EDT Re: [Help] Syncflood attack on Belkin http://www.dslreports.com/forum/remark,22578735 aerinndis : Well I am using Comodo and Avira. I scan regularly. I like Avira because it's heuristic, although I have gotten a couple false positives from it while browsing neopets lol.

So all of that hoohaw in my security log doesn't mean much. It was knocking me offline but the last couple days it hasn't. Occasionally my internet really slows down but this could be due to the fact that just about everyone here uses RR because we only have two choices for internet in this town. I'm also using a LinkSys adapter to connect to his wireless and I think I'm losing some speed there. It is a USB device rather than a card.

I will talk to my friend about getting a different router because this one makes me feel like a duck in water. I can't really do much in the settings and it's frustrating. I can't open/close ports and it has no SPI.

I did want to ask about WAN ping blocking because ours is enabled and there have been two pingdeath attacks since my last post from Lemon Grove, California lol. Belkin says I'm protected against that but my internet sure did slow down to a crawl when it happened.]]> http://www.dslreports.com/forum/remark,22578735 Fri, 19 Jun 2009 14:41:09 EDT Re: [Help] Syncflood attack on Belkin http://www.dslreports.com/forum/remark,22578594 sivran : "Known protocols" means, quite frankly, very little. Any service can be run on any port. It's just a matter of whether one wants the service to be found by "normal" users--and scripts. My ssh does not run on 22. It used to, and every once in a while, some bot would come along and try to brute-force the password (always unsuccessfully). I changed the port it listened on, and now, no bots bang on its door.

quote:
When I looked it up it said, SSH Remote Login Protocol. This has me slightly worried.

Don't be. You don't have an SSH server running, and even if you did, the port is closed to the world, and short of some sort of exploit being possible on your router, or perhaps a malware infection on yours or the other guy's pc, will remain so no matter what.

quote:
all of my ports are stealth. Wouldn't we appear to be nonexistant to someone doing random sweeps?

No. It just means your router does not respond. "stealth" isn't all its cracked up to be by Gibson. In fact, there's no difference, safety-wise, between "stealth" and closed.

If you show full "stealth" or full closed on a port scan, then you have no services open to the world, and no need to worry about "attacks" on your router -- aside from the annoyance of them possibly knocking you offline.

All that said, that doesn't mean that your roomie's virus-ridden laptop can't do anything to your computer! I hope you have firewall and antivirus software running on your machine, as the router will not protect you from an attack from within, and your computer may have something exploitable running and visible locally.

quote:
Said by NetFixer
RR may be reverting to old habits.

Well, it may just be simple laziness. This area's seen nearly a half-dozen cable ISPs, and it's been this way forever. Changing MAC address results in connectivity loss, regardless of power-cycle dancing.

--
The right of the people to be secure in their persons, houses, papers, and effects, against unreasonable searches and seizures, shall not be violated, and no warrants shall issue, but upon profitable cause...]]> http://www.dslreports.com/forum/remark,22578594 Fri, 19 Jun 2009 14:15:27 EDT Re: [Help] Syncflood attack on Belkin http://www.dslreports.com/forum/remark,22578371 aerinndis : Thanks guys. I don't know much about cloning. According to Shield's Up, all of my ports are stealth. Wouldn't we appear to be nonexistant to someone doing random sweeps? Just the past hour there are about 50 attacks from an IP in Columbia on port 50146. There is no known protocol for that one. There is one single attack from another IP on port 22. When I looked it up it said, SSH Remote Login Protocol. This has me slightly worried.

Yea I'm pretty sure there is something nasty on my friend's laptop. He mentioned before that he has a virus or something. I sort of have to yell at him and kick him in the butt to get him to do anything so this might be like pulling teeth fixing this problem. He mentioned that he keeps getting kicked off the internet and he gets the blue screen of death. There are no recovery discs, I never used a laptop before so I don't know anything about that. There is something about F10 recovery but as I said before, I will have to nag him to death to get him to do it. I don't know if that will fix anything now.

It doesn't seem like any of them are making it through the NAT firewall. Should I just wait for them to give up? We have nothing to steal......no credit cards, bad credit, I'd have to pay someone to steal my identity, then the student loan ppl can hound them to the gates of hell instead of me.]]> http://www.dslreports.com/forum/remark,22578371 Fri, 19 Jun 2009 13:38:41 EDT Re: [Help] Syncflood attack on Belkin http://www.dslreports.com/forum/remark,22570376 NetFixer :

said by sivran

:

Slight caveat to that - it may just flat out break the internet access. Last time I swapped routers, power-cycling did not restore access. I had to clone the MAC from the previous router.

Interesting. RR may be reverting to old habits. That was once a common practice among cable internet suppliers, and it is one reason that consumer grade router suppliers started allowing the router MAC address to be spoofed.
--
We can never have enough of nature.
We need to witness our own limits transgressed, and some life pasturing freely where we never wander.]]> http://www.dslreports.com/forum/remark,22570376 Thu, 18 Jun 2009 02:11:37 EDT Re: [Help] Syncflood attack on Belkin http://www.dslreports.com/forum/remark,22570358 sivran :

said by NetFixer

:

Most cable internet suppliers will reuse the same IP for the same connecting device unless it is left disconnected for a very long time (like a week or more). You may be able to "clone" your PC's MAC address into the Belkin routers WAN, and that should force a new WAN IP to be assigned to you (after you make the MAC address change and power cycle the cable modem).

Slight caveat to that - it may just flat out break the internet access. Last time I swapped routers, power-cycling did not restore access. I had to clone the MAC from the previous router.
--
The right of the people to be secure in their persons, houses, papers, and effects, against unreasonable searches and seizures, shall not be violated, and no warrants shall issue, but upon profitable cause...]]> http://www.dslreports.com/forum/remark,22570358 Thu, 18 Jun 2009 01:59:59 EDT Re: [Help] Syncflood attack on Belkin http://www.dslreports.com/forum/remark,22570336 NetFixer :

said by aerinndis

:

Would it be easier for him to call Time Warner and ask for a different IP? It's supposed to be dynamic but when we turn it off for an hour or so it picks up the same IP it had before. I thought it was supposed to flush out the old IP after being off a certain amount of time and just pick up a new one. Is the attack on the wireless router specifically or is it on his roadrunner modem? I can't really tell.

Most cable internet suppliers will reuse the same IP for the same connecting device unless it is left disconnected for a very long time (like a week or more). You may be able to "clone" your PC's MAC address into the Belkin routers WAN, and that should force a new WAN IP to be assigned to you (after you make the MAC address change and power cycle the cable modem).

If your landlord is doing P2P traffic (since you say that you are not doing that), that may be what is attracting what the Belkin router is interpreting as synflood traffic, and changing the WAN IP address will not help. The attacker(s) may also just be scanning a large IP subnet for routers and servers to use as slaves in a "reflection" synflood attack, and once again, changing the WAN IP address will not help. Without actually knowing anything about what your Belkin router is calling a synflood attack, any speculation would be just that.
--
We can never have enough of nature.
We need to witness our own limits transgressed, and some life pasturing freely where we never wander.]]> http://www.dslreports.com/forum/remark,22570336 Thu, 18 Jun 2009 01:47:49 EDT Re: [Help] Syncflood attack on Belkin http://www.dslreports.com/forum/remark,22570326 Its a Secret : Use WPA2, it's backwards compatible to WPA, and far more secure. Use a 63 ASCII character PW from GRC: »https://www.grc.com/passwords.htm]]> http://www.dslreports.com/forum/remark,22570326 Thu, 18 Jun 2009 01:41:41 EDT Re: [Help] Syncflood attack on Belkin http://www.dslreports.com/forum/remark,22570317 aerinndis : I don't know what you mean by that but the DHCP client list only shows our computers on the network. If we were not WEP enabled then everybody in the "hood" would be feeding off of us, as you so eloquently referred to my neighborhood as.]]> http://www.dslreports.com/forum/remark,22570317 Thu, 18 Jun 2009 01:37:30 EDT Re: [Help] Syncflood attack on Belkin http://www.dslreports.com/forum/remark,22570302 Its a Secret : If you're using WEP, you're probably feeding the 'hood. WTF, man...]]> http://www.dslreports.com/forum/remark,22570302 Thu, 18 Jun 2009 01:30:33 EDT Re: [Help] Syncflood attack on Belkin http://www.dslreports.com/forum/remark,22570269 aerinndis : Excuse me, I didn't say I was stealing anything. He bought the router so I can have internet up here. He owns the house and I am living in the upstairs part of it. I developed a disability last year and am unable to work. Applying for Social Security is a long painful process. He knows I'm up here, he bought the router for that purpose, he gave me his WEP key.

Now moving on. Would it be easier for him to call Time Warner and ask for a different IP? It's supposed to be dynamic but when we turn it off for an hour or so it picks up the same IP it had before. I thought it was supposed to flush out the old IP after being off a certain amount of time and just pick up a new one. Is the attack on the wireless router specifically or is it on his roadrunner modem? I can't really tell.]]> http://www.dslreports.com/forum/remark,22570269 Thu, 18 Jun 2009 01:15:36 EDT Re: [Help] Syncflood attack on Belkin http://www.dslreports.com/forum/remark,22570250 Its a Secret : Yea, the height of audacity... :uhh:]]> http://www.dslreports.com/forum/remark,22570250 Thu, 18 Jun 2009 01:06:32 EDT Re: [Help] Syncflood attack on Belkin http://www.dslreports.com/forum/remark,22570204 Woody79_00 : oh your leeching of your neighbors connection?

nevermind my previous post then

go get your own connection man!]]> http://www.dslreports.com/forum/remark,22570204 Thu, 18 Jun 2009 00:48:21 EDT Re: [Help] Syncflood attack on Belkin http://www.dslreports.com/forum/remark,22570195 Woody79_00 : Yes i think what is happening is the routers NAT table is getting full and once the memory runs out it blocks the internet aka DOS as another poster mentioned.

In most cases, contacting the ISP of the offending IP is most likely usless unless your some big company. The IPs are most likely spoofed IP's anyways.

It is most likely those asian spammers from over in China and other places. My PfSense box gets "tons" of hits a day...many SQL exploit attempts and other garbage coming from there.

Luckily Snort with the latest definiions from Sourcefire bans their IP's left and right...its a constant battle.

I heard there was a vulnrability in "some" Router models from Belkin, Linksys and a few others that would allow a remote attack to bypass the router with specifically crafted packets...I am not sure what model of routers they are, but i do believe Steve Gibson at GRC.com has a webpage about it, the models listed, and even a test to see if your router is vulnerable.

Good luck to you, I would personally try getting a better router maybe...it seems they are intent in keeping you offline. If you have an old computer around, IPcop, PfSense, or Monowall could probably handle this for you. If that is too complicated for you, you could try buying an upgraded router model at a local store. one that has more memory and is on the higher end may better handle such an attack. ]]> http://www.dslreports.com/forum/remark,22570195 Thu, 18 Jun 2009 00:45:51 EDT Re: [Help] Syncflood attack on Belkin http://www.dslreports.com/forum/remark,22570189 Its a Secret : Whoa! You're leeching off your neighbor's router, and you did a wireless FW update?! Bad idea, as it could pooch the router.

He's the one getting hit, not you. Get your own connection, dude.
--
"In the future, that which is not mandatory will be illegal"
"Nobody knows the age of the human race, but everybody agrees that it is old enough to know better" - Anonymous]]> http://www.dslreports.com/forum/remark,22570189 Thu, 18 Jun 2009 00:44:51 EDT Re: [Help] Syncflood attack on Belkin http://www.dslreports.com/forum/remark,22570165 aerinndis : I just went to GRC and all of my ports are stealth, up to 1096 that is. I had to manually check the others because as you can see from my log, they are going for high numbered ones. There is no known protocol for port 43691, why are they probing it?

Yes I am using Comodo, the free version and also Avira for a/v protection. I can't speak for the guy downstairs....I don't think he uses anything and it's his router lol. If my ports are stealth and someone is syncflooding, does that mean my IP got picked up somewhere on a site and made it onto a hacker's list?

I did just update the firmware in hopes of stopping this or at least getting some extra features to use in the menu but there wasn't much else added that was useful. What makes me laugh is how Belkin's update button tells me there is no newer firmware but when I manually check their site I find a much newer one. I also read some other ppl had the same complaint. Their firmware updates also don't tell you what was added or changed which is also very irritating. I just think Belkin is a crappy company.]]> http://www.dslreports.com/forum/remark,22570165 Thu, 18 Jun 2009 00:36:25 EDT Re: [Help] Syncflood attack on Belkin http://www.dslreports.com/forum/remark,22570131 NetFixer : I suspect that you already know this, but your only likely remedy is to buy a real router.

The synflood packets by themselves do not usually take up much bandwidth. The likely reason that your internet connection is being affected is that your brain dead Belkin router is still making NAT table entries for each incoming synflood packet (even though it has already diagnosed them as synflood packets). When the available memory for NAT table entries is used up, your internet connection is then blocked. That is why this kind of probe is called a "denial of service" attack. I had to dump a D-Link DI-LB604 router for this same kind of behavior. My current Cisco/Linksys RV082 just laughs at DDoS attacks and keeps on trucking.
--
We can never have enough of nature.
We need to witness our own limits transgressed, and some life pasturing freely where we never wander.]]> http://www.dslreports.com/forum/remark,22570131 Thu, 18 Jun 2009 00:27:19 EDT Re: [Help] Syncflood attack on Belkin http://www.dslreports.com/forum/remark,22570098 Its a Secret : GRC would give you a better clue as to what's up. As well, do you run a SW firewall? It would be good if you did. Comodo, Online Armour, and Zone Alarm are good.

Is there a firmware update for your router? You may want to change routers if all else fails.

fookin' typos!
--
"In the future, that which is not mandatory will be illegal"
"Nobody knows the age of the human race, but everybody agrees that it is old enough to know better" - Anonymous]]> http://www.dslreports.com/forum/remark,22570098 Thu, 18 Jun 2009 00:18:22 EDT Re: [Help] Syncflood attack on Belkin http://www.dslreports.com/forum/remark,22570087 aerinndis : I've been all through the menu, I can't find anything like enable logging. I'm using Belkin G Wireless F5D9230-4. There is a virtual server menu but it has a drop down list of programs to choose from, they all look like games. Then you pick the port you want to run the program through. It's not like my old Netgear router where I could open and close ports at will. This Belkin really has no features. My cousin said to enable stateful packet inspection but this router does not have that feature.

There are literally hundreds more of those syncflood attacks since I last posted. I can only assume they're not getting past the NAT firewall and these people will eventually give up. I went through all of the IP's and did a Whois lookup and emailed all of their ISP's. The ones coming from AT&T and some other one in LA stopped immediately, but new ones popped up to take their place. The Chinese ones did absolutely nothing. I feel like I'm being targeted. I know lots of people commonly scan ports but I've never seen anything like this.

That site you posted is interesting but their port checker only checks one at a time. With thousands of ports, that would be very time consuming. Wouldn't Steve Gibson's GRC Shield's Up be a better way of checking ports?]]> http://www.dslreports.com/forum/remark,22570087 Thu, 18 Jun 2009 00:12:46 EDT Re: [Help] Syncflood attack on Belkin http://www.dslreports.com/forum/remark,22569080 sivran : A port's default state is closed, and would only be open in the case of user (or malware) or UPNP intervention.

There's nothing like an "Enable Logging" checkbox?

What model router is it? A quick look at portforward.com shows Belkin routers tend to store port settings under "Virtual Servers" within the web ui.
--
The right of the people to be secure in their persons, houses, papers, and effects, against unreasonable searches and seizures, shall not be violated, and no warrants shall issue, but upon profitable cause...]]> http://www.dslreports.com/forum/remark,22569080 Wed, 17 Jun 2009 20:33:18 EDT Re: [Help] Syncflood attack on Belkin http://www.dslreports.com/forum/remark,22563945 aerinndis : The router logs them automatically, I can't stop it. There is no function on Belkin to close ports so that's not a possibility. What is P2P? If you mean file sharing then no, I have never downloaded mp3's or anything else.]]> http://www.dslreports.com/forum/remark,22563945 Wed, 17 Jun 2009 00:56:18 EDT Re: [Help] Syncflood attack on Belkin http://www.dslreports.com/forum/remark,22556440 Its a Secret : First off, stop logging the attacks, it may help. Close your ports if any are open. Are you using p2p? If so, shut it down and see if it stops.

When this happens to me, they bounce and I don't miss a beat for uptime.]]> http://www.dslreports.com/forum/remark,22556440 Mon, 15 Jun 2009 20:08:50 EDT Re: [Help] Syncflood attack on Belkin http://www.dslreports.com/forum/remark,22556405 sashwa : Let's move you over to our Security Forum and see if you can get some help in there.

Good luck.

:)]]> http://www.dslreports.com/forum/remark,22556405 Mon, 15 Jun 2009 20:01:43 EDT Re: [Help] Syncflood attack on Belkin http://www.dslreports.com/forum/remark,22556167 aerinndis : Ok I turned off the modem and unhooked everything and left it that way for an hour so it would release it's IP and get a new one when I turned it back on. It gave me the same exact IP and I have at least 100 more of these attacks. There's also a crapload of "get IP" and WAN disconnection messages......exactly every 11 seconds on the dot. Time Warner said it's not their problem since the attacking IP's aren't one of their customers.]]> http://www.dslreports.com/forum/remark,22556167 Mon, 15 Jun 2009 19:24:11 EDT [Help] Syncflood attack on Belkin http://www.dslreports.com/forum/remark,22548453 aerinndis : I have been getting hundreds of syncflood attacks the last three days and it's cutting me off of the internet, sometimes for hours. I have tried searching to find a fix for this problem and I don't understand the answers, I need it spelled out in layman's terms.

Belkin doesn't seem to have a whole lot in the way of features. My cousin said to enable stateful packet inspection but of course this Belkin crap doesn't have it. I tried updating the firmware as someone on MajorGeeks suggested saying that it worked. It didn't work and my whole firewall log got erased. I'm going to post here what is in my firewall log just since the router rebooted itself. The most predominant IP I looked up and it's Akron, Ohio but I was told it's probably a spoofed IP.

Found Syncflood attack from 76.244.157.122 in port 43691 => Sun Jun 14 04:09:22 2009

Found Syncflood attack from 61.147.107.56 in port 2967 => Sun Jun 14 04:09:22 2009

Found Syncflood attack from 76.244.157.122 in port 43691 => Sun Jun 14 04:19:11 2009

Found Syncflood attack from 76.244.157.122 in port 43691 => Sun Jun 14 04:19:41 2009

Found Syncflood attack from 76.244.157.122 in port 43691 => Sun Jun 14 04:27:25 2009

Found Syncflood attack from 76.244.157.122 in port 43691 => Sun Jun 14 04:27:55 2009

Found Syncflood attack from 125.65.112.217 in port 8000 => Sun Jun 14 04:32:02 2009

Found Syncflood attack from 125.65.112.217 in port 7212 => Sun Jun 14 04:32:02 2009

Found Syncflood attack from 125.65.112.217 in port 3128 => Sun Jun 14 04:32:02 2009

Found Syncflood attack from 76.244.157.122 in port 43691 => Sun Jun 14 04:33:34 2009

Found PortScanner attack from 64.22.131.8 in port 1774 => Sun Jun 14 04:38:12 2009

Found Syncflood attack from 76.244.157.122 in port 43691 => Sun Jun 14 04:42:20 2009

Found Syncflood attack from 76.244.157.122 in port 43691 => Sun Jun 14 04:48:31 2009

Found Syncflood attack from 76.244.157.122 in port 43691 => Sun Jun 14 04:49:01 2009

Found Syncflood attack from 76.244.157.122 in port 43691 => Sun Jun 14 04:58:49 2009

Found Syncflood attack from 76.244.157.122 in port 43691 => Sun Jun 14 05:10:11 2009

Found Syncflood attack from 61.160.216.187 in port 7212 => Sun Jun 14 05:13:16 2009

Found Syncflood attack from 61.160.216.187 in port 8000 => Sun Jun 14 05:13:16 2009

Found Syncflood attack from 76.244.157.122 in port 43691 => Sun Jun 14 05:21:00 2009

Found Syncflood attack from 76.244.157.122 in port 43691 => Sun Jun 14 05:21:30 2009

Found Syncflood attack from 76.244.157.122 in port 43691 => Sun Jun 14 05:29:45 2009

Is there something in the router settings I can do to stop this? I don't even know what any of it means, had to google syncflood lol. ]]> http://www.dslreports.com/forum/remark,22548453 Sun, 14 Jun 2009 05:40:01 EDT