Ian1
Premium Member
join:2002-06-18
ON

Potential Issue? Or Windows Network Misconfiguration?

I use a linux-based VPS with OpenVPN-AS running. I don't use it often, mainly only when I want my IP address to be US-based for things like Spotify. My system is Win 8.1.

On using it yesterday, I started getting a ton of warnings from Kaspersky Internet Security for SYN flood attacks. It was from IP addresses not from my VPN. It had been a while since I had connected to it, so not sure if Kaspersky settings changed with an update, or something else. Any ideas appreciated. I run fail2ban on the server, and don't see anything really odd in the logs.

sivran
Vive Vivaldi
Premium Member
join:2003-09-15
Irving, TX

I would wager it has more to do with Kaspersky than anything else.
HELLFIRE
MVM
join:2009-11-25

HELLFIRE to Ian1

a) was it the linux VPS system or the Windows 8.1 system getting the synflood?

b) are either one of them behind a firewall or similar?

c) what IP address(es) was the synflood coming from? Do you recognize this IP address in any way?
Did you try running said IP address through the RIRs or whois?

d) what port(s) was said flood trying to hit? Do you have any services running on this port?

My 00000010bits

Regards

Ian1
Premium Member
join:2002-06-18
ON

said by HELLFIRE:

a) was it the linux VPS system or the Windows 8.1 system getting the synflood?

b) are either one of them behind a firewall or similar?

c) what IP address(es) was the synflood coming from? Do you recognize this IP address in any way?
Did you try running said IP address through the RIRs or whois?

d) what port(s) was said flood trying to hit? Do you have any services running on this port?

My 00000010bits

Regards

Since I posted, I dug into the warnings a bit more. The "attack" was from Google IPs (Youtube?) or Amazon (which maybe where Spotify has servers?). In other words, where I likely was getting streaming media incoming from.

So I guess at this point I am wondering how to properly configure Kaspersky to deal with OpenVPN.

norwegian
Premium Member
join:2005-02-15
Outback

I haven't used the latest versions but gather the end result would still be the same.

1. Options on/off on "Scan encrypted connections" switch.
2. Set the VPN as a trusted application and in its settings, uncheck "scan network traffic".
Not sure if you can set a domain as trusted for the application or not.

I would have to install and see where these features are now to be exacting, however it always came down to the SSL scanning or the network scanning over the application that was the root to such alerts.

Well, at least if it was not a definition update that caused it.
HELLFIRE
MVM
join:2009-11-25

HELLFIRE to Ian1

said by Ian1:

Since I posted, I dug into the warnings a bit more.

You got the log / error that you're willing to post up? I'm rather curious now...

Regards

Ian1
Premium Member
join:2002-06-18
ON

said by HELLFIRE:

You got the log / error that you're willing to post up? I'm rather curious now...

Unfortunately not. Seems that unless you save it to a report, it clears the details.

norwegian
Premium Member
join:2005-02-15
Outback

Details logs are turned off by default but can be activated.

Ian1
Premium Member
join:2002-06-18
ON

Ian1 to HELLFIRE

Tried just a simple Youtube video while connected to Openvpn, and got this.


HELLFIRE
MVM
join:2009-11-25

HELLFIRE to Ian1

Just for gits and shiggles, started looking up those IP addresses and ports

173.194.123.0:40 -- US/Google:UNASSIGNED
173.194.123.3:136 -- US/Google:UNKNOWN
173.194.130.8:1308 -- US/Google:UNKNOWN
86.167.67.213:40 -- EMEA/BT Central:UNKNOWN
123.2.86.101:157 -- APAC/Layer 2 Broadband:UNKNOWN
2.98.77.182:1308 -- EMEA/TalkTalk:UNKNOWN

...question, does this happen when you do YOUTUBE but without the VPN? My speculation is it's just out-of-state packets coming back while you're on youtube that Kaspersky reads as "hmm, must be X" generic answer.

My 00000010bits

Regards
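To illustrate the distinction HELLFIRE is drawing, here is an added example (not from this thread, and not Kaspersky's logic): a small stateful classifier that separates non-SYN segments arriving for flows the host never tracked ("out-of-state" packets, which a host IDS may lump under a generic alert) from a real SYN flood, which shows up as pure SYNs from many distinct sources converging on one listening port. The flow table, listening ports, threshold and packet records are all constructed, using documentation IP ranges rather than the addresses in the thread.

```python
from collections import defaultdict

# Constructed flow table: flows this host opened itself, as (remote_ip, remote_port, local_port).
KNOWN_FLOWS = {("203.0.113.7", 443, 50123)}
# Constructed set of ports this host actually listens on.
LISTENING_PORTS = {22}


def sample_packets():
    """Constructed packet records seen by the host: (src_ip, src_port, dst_port, tcp_flags)."""
    pkts = []
    # Established traffic on a flow the host opened (tracked by the IDS).
    pkts += [("203.0.113.7", 443, 50123, "PA")] * 5
    # Stray replies for a flow the IDS no longer tracks, e.g. the route moved into a VPN
    # tunnel or the CDN retransmitted after the local state was dropped.
    pkts += [("203.0.113.9", 443, 50124, "A")] * 3
    # Half-open connection attempts from many sources aimed at one listening port.
    pkts += [(f"198.51.100.{i}", 40000 + i, 22, "S") for i in range(1, 61)]
    return pkts


def classify(packets, known_flows, listening_ports, syn_threshold=50):
    """Bucket packets into established, stray (out-of-state) and SYN-flood candidates.

    A port is reported as flooded only when it is a real listener and at least
    syn_threshold distinct sources sent pure SYNs to it; stray ACK/PSH/FIN
    segments never count towards a flood, however many arrive.
    """
    syn_sources = defaultdict(set)
    result = {"established": 0, "stray": [], "flood_ports": {}}
    for src_ip, src_port, dst_port, flags in packets:
        if "S" in flags and "A" not in flags:
            # Pure SYN: an inbound connection attempt, tallied per destination port.
            syn_sources[dst_port].add(src_ip)
        elif (src_ip, src_port, dst_port) in known_flows:
            result["established"] += 1
        else:
            # Non-SYN segment for a flow the host did not open: out-of-state, not an attack.
            result["stray"].append((src_ip, src_port, dst_port, flags))
    for port, sources in syn_sources.items():
        if port in listening_ports and len(sources) >= syn_threshold:
            result["flood_ports"][port] = len(sources)
    return result


if __name__ == "__main__":
    summary = classify(sample_packets(), KNOWN_FLOWS, LISTENING_PORTS)
    print(f"established={summary['established']} stray={len(summary['stray'])} "
          f"flood_ports={summary['flood_ports']}")
```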

Ian1
Premium Member
join:2002-06-18
ON

said by HELLFIRE:

...question, does this happen when you do YOUTUBE but without the VPN?

Nope. Don't get that sort of thing normally.