Broadband Tech > Security > Security > [Help] Syncflood attack on Belkin

reply to sivran

Re: [Help] Syncflood attack on Belkin

GRC would give you a better clue as to what's up. As well, do you run a SW firewall? It would be good if you did. Comodo, Online Armour, and Zone Alarm are good.

Is there a firmware update for your router? You may want to change routers if all else fails.

fookin' typos!
--
"In the future, that which is not mandatory will be illegal"
"Nobody knows the age of the human race, but everybody agrees that it is old enough to know better" - Anonymous

I just went to GRC and all of my ports are stealth, up to 1096 that is. I had to manually check the others because as you can see from my log, they are going for high numbered ones. There is no known protocol for port 43691, why are they probing it?

Yes I am using Comodo, the free version and also Avira for a/v protection. I can't speak for the guy downstairs....I don't think he uses anything and it's his router lol. If my ports are stealth and someone is syncflooding, does that mean my IP got picked up somewhere on a site and made it onto a hacker's list?

I did just update the firmware in hopes of stopping this or at least getting some extra features to use in the menu but there wasn't much else added that was useful. What makes me laugh is how Belkin's update button tells me there is no newer firmware but when I manually check their site I find a much newer one. I also read some other ppl had the same complaint. Their firmware updates also don't tell you what was added or changed which is also very irritating. I just think Belkin is a crappy company.

Whoa! You're leeching off your neighbor's router, and you did a wireless FW update?! Bad idea, as it could pooch the router.

He's the one getting hit, not you. Get your own connection, dude.
--
"In the future, that which is not mandatory will be illegal"
"Nobody knows the age of the human race, but everybody agrees that it is old enough to know better" - Anonymous

reply to aerinndis
Yes i think what is happening is the routers NAT table is getting full and once the memory runs out it blocks the internet aka DOS as another poster mentioned.

In most cases, contacting the ISP of the offending IP is most likely usless unless your some big company. The IPs are most likely spoofed IP's anyways.

It is most likely those asian spammers from over in China and other places. My PfSense box gets "tons" of hits a day...many SQL exploit attempts and other garbage coming from there.

Luckily Snort with the latest definiions from Sourcefire bans their IP's left and right...its a constant battle.

I heard there was a vulnrability in "some" Router models from Belkin, Linksys and a few others that would allow a remote attack to bypass the router with specifically crafted packets...I am not sure what model of routers they are, but i do believe Steve Gibson at GRC.com has a webpage about it, the models listed, and even a test to see if your router is vulnerable.

Good luck to you, I would personally try getting a better router maybe...it seems they are intent in keeping you offline. If you have an old computer around, IPcop, PfSense, or Monowall could probably handle this for you. If that is too complicated for you, you could try buying an upgraded router model at a local store. one that has more memory and is on the higher end may better handle such an attack.

reply to aerinndis
oh your leeching of your neighbors connection?

nevermind my previous post then

go get your own connection man!

Yea, the height of audacity...

Excuse me, I didn't say I was stealing anything. He bought the router so I can have internet up here. He owns the house and I am living in the upstairs part of it. I developed a disability last year and am unable to work. Applying for Social Security is a long painful process. He knows I'm up here, he bought the router for that purpose, he gave me his WEP key.

Now moving on. Would it be easier for him to call Time Warner and ask for a different IP? It's supposed to be dynamic but when we turn it off for an hour or so it picks up the same IP it had before. I thought it was supposed to flush out the old IP after being off a certain amount of time and just pick up a new one. Is the attack on the wireless router specifically or is it on his roadrunner modem? I can't really tell.

If you're using WEP, you're probably feeding the 'hood. WTF, man...

I don't know what you mean by that but the DHCP client list only shows our computers on the network. If we were not WEP enabled then everybody in the "hood" would be feeding off of us, as you so eloquently referred to my neighborhood as.

Use WPA2, it's backwards compatible to WPA, and far more secure. Use a 63 ASCII character PW from GRC: »www.grc.com/passwords.htm

reply to aerinndis

reply to sivran
Thanks guys. I don't know much about cloning. According to Shield's Up, all of my ports are stealth. Wouldn't we appear to be nonexistant to someone doing random sweeps? Just the past hour there are about 50 attacks from an IP in Columbia on port 50146. There is no known protocol for that one. There is one single attack from another IP on port 22. When I looked it up it said, SSH Remote Login Protocol. This has me slightly worried.

Yea I'm pretty sure there is something nasty on my friend's laptop. He mentioned before that he has a virus or something. I sort of have to yell at him and kick him in the butt to get him to do anything so this might be like pulling teeth fixing this problem. He mentioned that he keeps getting kicked off the internet and he gets the blue screen of death. There are no recovery discs, I never used a laptop before so I don't know anything about that. There is something about F10 recovery but as I said before, I will have to nag him to death to get him to do it. I don't know if that will fix anything now.

It doesn't seem like any of them are making it through the NAT firewall. Should I just wait for them to give up? We have nothing to steal......no credit cards, bad credit, I'd have to pay someone to steal my identity, then the student loan ppl can hound them to the gates of hell instead of me.

"Known protocols" means, quite frankly, very little. Any service can be run on any port. It's just a matter of whether one wants the service to be found by "normal" users--and scripts. My ssh does not run on 22. It used to, and every once in a while, some bot would come along and try to brute-force the password (always unsuccessfully). I changed the port it listened on, and now, no bots bang on its door.

quote:

---

When I looked it up it said, SSH Remote Login Protocol. This has me slightly worried.

---

quote:

---

all of my ports are stealth. Wouldn't we appear to be nonexistant to someone doing random sweeps?

---

quote:

---

Said by NetFixer
RR may be reverting to old habits.

---

Well I am using Comodo and Avira. I scan regularly. I like Avira because it's heuristic, although I have gotten a couple false positives from it while browsing neopets lol.

So all of that hoohaw in my security log doesn't mean much. It was knocking me offline but the last couple days it hasn't. Occasionally my internet really slows down but this could be due to the fact that just about everyone here uses RR because we only have two choices for internet in this town. I'm also using a LinkSys adapter to connect to his wireless and I think I'm losing some speed there. It is a USB device rather than a card.

I will talk to my friend about getting a different router because this one makes me feel like a duck in water. I can't really do much in the settings and it's frustrating. I can't open/close ports and it has no SPI.

I did want to ask about WAN ping blocking because ours is enabled and there have been two pingdeath attacks since my last post from Lemon Grove, California lol. Belkin says I'm protected against that but my internet sure did slow down to a crawl when it happened.

Pretty much.

quote:

---

I did want to ask about WAN ping blocking because ours is enabled and there have been two pingdeath attacks since my last post from Lemon Grove, California lol. Belkin says I'm protected against that but my internet sure did slow down to a crawl when it happened.

---

reply to aerinndis
To get a new IP try changing the MAC address on your router. There should be an option to clone a mac. I would cut your real mac out and change the last character then restart your router. This should get you a new IP address. Worth a shot.