[CA] SYN Floods Help

Is there a way to stop these SYN Floods? One of them says it came from the internal LAN but was also using the Cox DNS server. How and why is this happening? What can I do to stop it since I seem to lose all connectivity when this occurs.
Here are the log entries:
Description Count Last Occurence Target Source
TCP- or UDP-based Port Scan 2 Wed Feb 08 11:57:00 2012 68.8.241.230:61819 68.105.28.12:53
SYN Flood 3 Wed Feb 08 11:57:08 2012 192.168.0.5:38473 174.76.227.118:80
TCP- or UDP-based Port Scan 1 Wed Feb 08 12:10:20 2012 68.8.241.230:50554 68.105.28.12:53
SYN Flood 13 Wed Feb 08 13:28:14 2012 50.19.10.24:80 192.168.0.5:43995
LAN-side UDP Flood 12 Wed Feb 08 13:56:11 2012 192.168.0.255:137 192.168.0.7:137
TCP- or UDP-based Port Scan 4 Wed Feb 08 17:04:02 2012 68.8.241.230:45356 68.105.28.12:53
SYN Flood 1 Wed Feb 08 17:29:43 2012 67.148.220.210:80 192.168.0.5:47287
TCP- or UDP-based Port Scan 2 Wed Feb 08 21:12:51 2012 68.8.241.230:18557 68.105.28.12:53
SYN Flood 3 Wed Feb 08 21:13:02 2012 192.168.0.5:45109 64.94.107.32:80
TCP- or UDP-based Port Scan 3 Wed Feb 08 22:14:33 2012 68.8.241.230:1051 68.105.28.12:53
Illegal TCP header 1 Wed Feb 08 23:27:06 2012 207.229.75.210:0 192.168.0.19:0
IP packet w/MC or BC SRC addr 1 Wed Feb 08 23:35:52 2012 192.168.0.19:53109 107.20.132.255:80
Illegal TCP header 1 Wed Feb 08 23:43:11 2012 208.93.90.231:0 192.168.0.19:0
TCP- or UDP-based Port Scan 1 Wed Feb 08 23:54:22 2012 68.8.241.230:41841 68.105.28.12:53
SYN Flood 1 Wed Feb 08 23:55:06 2012 192.168.0.19:54671 207.46.193.176:80
IP packet w/MC or BC SRC addr 1 Wed Feb 08 23:55:52 2012 192.168.0.19:54750 107.20.132.255:80
Illegal TCP header 2 Thu Feb 09 00:00:46 2012 72.21.214.128:0 192.168.0.19:0
TCP- or UDP-based Port Scan 4 Thu Feb 09 01:21:43 2012 68.8.241.230:63113 68.105.28.12:53
SYN Flood 5 Thu Feb 09 01:22:34 2012 68.232.37.39:80 192.168.0.52:49296
TCP- or UDP-based Port Scan 2 Thu Feb 09 01:31:09 2012 68.8.241.230:64413 68.105.28.12:53
SYN Flood 25 Thu Feb 09 02:18:20 2012 192.168.0.6:50734 50.97.209.196:80
LAN-side UDP Flood 3 Thu Feb 09 02:55:41 2012 192.168.0.255:137 192.168.0.52:137
SYN Flood 1 Thu Feb 09 02:56:45 2012 192.168.0.6:38494 72.21.81.253:80
TCP- or UDP-based Port Scan 1 Thu Feb 09 03:07:53 2012 68.8.241.230:32318 68.105.28.12:53
SYN Flood 4 Thu Feb 09 03:10:09 2012 192.168.0.5:53829 23.57.68.98:80
LAN-side UDP Flood 2 Thu Feb 09 03:55:21 2012 169.254.255.255:137 169.254.8.11:137
LAN-side SYN Flood 3 Thu Feb 09 04:39:22 2012 192.168.0.1:80 169.254.8.11:50549
LAN-side UDP Flood 1 Thu Feb 09 05:22:02 2012 224.0.0.252:5355 192.168.0.52:49498
TCP- or UDP-based Port Scan 2 Thu Feb 09 06:51:16 2012 68.8.241.230:34855 68.105.28.12:53
LAN-side UDP Flood 6 Thu Feb 09 08:42:03 2012 68.105.28.12:53 192.168.0.52:61550
I am using the SBG 6580
Thanks!!

bdnhsv (joined 2012-01-20; Huntsville, AL):
Do you have a firewall deployed at the edge of your network?

Irish Shark (Premium, MVM; joined 2000-07-29; Las Vegas, NV), reply to hereinsd:
There are some remedies available. Here is one:
»www.symantec.com/connect/article···-attacks
This is the classic SYN Flood remedy. Other approaches are available.
-- "You can observe a lot by watching". Yogi Berra

reply to bdnhsv:
said by bdnhsv: Do you have a firewall deployed at the edge of your network?
I am using the built in firewall on the Motorola SBG 6580. I have the following checked to enable:
Filter Proxy
Filter Cookies
Block Fragmented IP Packets
Port Scan Detection
IP Flood Detection
Firewall Protection

reply to hereinsd:
That's the firewall being overzealous. I would disable the firewall on the modem. Do you have an additional wifi ap / router? If so, disable the firewall on the modem, set it to bridge mode and use the firewall / nat setup from your ap/router.
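
An added example, not written by any poster in this thread: a triage script for the log format in the first post, which tallies how many logged events look like ordinary client/server traffic or LAN name-resolution chatter and how many are left for a closer look. The three category names and the port sets (53/80 as server ports, 137/5355 as NetBIOS/LLMNR) are assumptions of this example, not something the SBG 6580 reports.

```python
import ipaddress
import re
from collections import Counter

# Row layout from the log in the first post:
# Description, Count, Last Occurence, Target ip:port, Source ip:port
ROW = re.compile(
    r"^(?P<desc>.+?) (?P<count>\d+) "
    r"(?P<when>\w{3} \w{3} \d{2} \d{2}:\d{2}:\d{2} \d{4}) "
    r"(?P<tip>[\d.]+):(?P<tport>\d+) (?P<sip>[\d.]+):(?P<sport>\d+)$"
)
SERVICE_PORTS = {53, 80}   # assumption: DNS and HTTP, the server ports seen in the log
NAME_PORTS = {137, 5355}   # assumption: NetBIOS name service and LLMNR

def is_local(ip):
    a = ipaddress.ip_address(ip)
    return a.is_private or a.is_link_local or a.is_multicast

def classify(line):
    """Return (category, count) for one log row, or None if it does not parse."""
    m = ROW.match(line.strip())
    if not m:
        return None
    tport, sport, count = int(m["tport"]), int(m["sport"]), int(m["count"])
    if {tport, sport} & NAME_PORTS and is_local(m["tip"]) and is_local(m["sip"]):
        return "lan-name-resolution", count
    # One end on a server port, the other on an ephemeral port.
    for srv, cli in ((tport, sport), (sport, tport)):
        if srv in SERVICE_PORTS and cli >= 1024:
            return "client-server", count
    return "review", count

def triage(lines):
    totals = Counter()
    for line in lines:
        result = classify(line)
        if result:
            totals[result[0]] += result[1]
    return totals

# Rows copied from the log in the first post.
SAMPLE = """\
SYN Flood 13 Wed Feb 08 13:28:14 2012 50.19.10.24:80 192.168.0.5:43995
LAN-side UDP Flood 12 Wed Feb 08 13:56:11 2012 192.168.0.255:137 192.168.0.7:137
TCP- or UDP-based Port Scan 4 Wed Feb 08 17:04:02 2012 68.8.241.230:45356 68.105.28.12:53
Illegal TCP header 1 Wed Feb 08 23:27:06 2012 207.229.75.210:0 192.168.0.19:0
LAN-side UDP Flood 1 Thu Feb 09 05:22:02 2012 224.0.0.252:5355 192.168.0.52:49498
""".splitlines()

if __name__ == "__main__":
    for category, n in triage(SAMPLE).most_common():
        print(f"{category:20} {n}")
```

Rows that land in "review" (here the port-0 "Illegal TCP header" entry) are the ones worth checking by hand; the rest match traffic that LAN clients generate on their own.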