Ian1 Premium Member join:2002-06-18 ON
2014-Oct-9 3:14 pm
Potential Issue? Or Windows Network Misconfiguration?

I use a Linux-based VPS with OpenVPN-AS running. I don't use it often, mainly only when I want my IP address to be US-based for things like Spotify. My system is Win 8.1.
On using it yesterday, I started getting a ton of warnings from Kaspersky Internet Security for SYN flood attacks. It was from IP addresses not from my VPN. It had been a while since I had connected to it, so not sure if Kaspersky settings changed with an update, or something else. Any ideas appreciated. I run fail2ban on the server, and don't see anything really odd in the logs.

sivran Vive Vivaldi Premium Member join:2003-09-15 Irving, TX
2014-Oct-10 7:15 pm
I would wager it has more to do with Kaspersky than anything else.

to Ian1
a) was it the linux VPS system or the Windows 8.1 system getting the synflood?
b) are either one of them behind a firewall or similar?
c) what IP address(es) was the synflood coming from? Do you recognize this IP address in any way? Did you try running said IP address through the RIRs or whois?
d) what port(s) was said flood trying to hit? Do you have any services running on this port?
My 00000010bits
Regards

Ian1 Premium Member join:2002-06-18 ON
2014-Oct-10 9:25 pm
said by HELLFIRE:
a) was it the linux VPS system or the Windows 8.1 system getting the synflood?
b) are either one of them behind a firewall or similar?
c) what IP address(es) was the synflood coming from? Do you recognize this IP address in any way? Did you try running said IP address through the RIRs or whois?
d) what port(s) was said flood trying to hit? Do you have any services running on this port?
My 00000010bits
Regards

Since I posted, I dug into the warnings a bit more. The "attack" was from Google IPs (YouTube?) or Amazon (which may be where Spotify has servers?). In other words, where I likely was getting streaming media incoming from. So I guess at this point I am wondering how to properly configure Kaspersky to deal with OpenVPN.

norwegian Premium Member join:2005-02-15 Outback
I haven't used the latest versions but gather the end result would still be the same.
1. Options on/off on "Scan encrypted connections" switch.
2. Set the VPN as a trusted application and in its settings, uncheck "scan network traffic".
Not sure if you can set a domain as trusted for the application or not.
I would have to install and see where these features are now to be exacting, however it always came down to the SSL scanning or the network scanning over the application that was the root to such alerts.
Well, at least if it was not a definition update that caused it.

to Ian1
said by Ian1:
Since I posted, I dug into the warnings a bit more.

You got the log / error that you're willing to post up? I'm rather curious now...
Regards

Ian1 Premium Member join:2002-06-18 ON
2014-Oct-12 6:43 am
said by HELLFIRE:
You got the log / error that you're willing to post up? I'm rather curious now...

Unfortunately not. Seems that unless you save it to a report, it clears the details.

norwegian Premium Member join:2005-02-15 Outback
Detailed logs are turned off by default but can be activated.

Ian1 Premium Member join:2002-06-18 ON
to HELLFIRE
Tried just a simple YouTube video while connected to OpenVPN, and got this.

to Ian1
Just for gits and shiggles, started looking up those IP addresses and ports
173.194.123.0:40 -- US/Google:UNASSIGNED
173.194.123.3:136 -- US/Google:UNKNOWN
173.194.130.8:1308 -- US/Google:UNKNOWN
86.167.67.213:40 -- EMEA/BT Central:UNKNOWN
123.2.86.101:157 -- APAC/Layer 2 Broadband:UNKNOWN
2.98.77.182:1308 -- EMEA/TalkTalk:UNKNOWN
...question, does this happen when you do YOUTUBE but without the VPN? My speculation is it's just out of state packets coming back while you're on youtube that Kaspersky reads as "hmm, must be X" generic answer.
My 00000010bits
Regards

Ian1 Premium Member join:2002-06-18 ON
2014-Oct-12 1:38 pm
said by HELLFIRE:
...question, does this happen when you do YOUTUBE but without the VPN?

Nope. Don't get that sort of thing normally.