SYN Flood showing up on Firewall log

Started by lozcart, Sep 03, 2009, 13:12:09


lozcart

The last couple of days my Router Firewall log is showing hundreds of SYN Flood attacks. Sometimes as many as five every second!

Is this anything to worry about as I've not noticed this before and don't actually know what a "SYN Flood" is. Is there anyway I can stop the attack? Below is an example from the log.

**SYN Flood** 192.168.2.2, 60620->> 92.123.154.26, 80 (from ATM1 Outbound)


Rik

Rik
--------------------

This post reflects my own views, opinions and experience, not those of IDNet.

somanyholes

The destination on reverse DNS is a92-123-154-26.deploy.akamaitechnologies.com.
The syn flood is just a lot of sync packets being sent.
How often are you seeing this occur?

somanyholes

I have a feeling that this occurs when you are using some form of streaming media, i.e. streaming video, or audio, radio possibly?

Another quick note: BBC iPlayer uses Akamai Technologies.

for 92.123.154.26

80/tcp   open  http       AkamaiGHost (Akamai's HTTP Acceleration/Mirror service)

lozcart

Thanks Rik for the information. I must admit I didn't understand all of it; does it mean I'm under threat or targeted?

Somanyholes, it seems to happen continually whether I'm online with a computer or not, the router is connected 24/7. The address I'm attacked from changes for each individual attack, the one I gave is one of hundreds that the log lists.

I'm not using any streaming media but my daughter uses Window live, but the attacks continue even when her computer is disconnected.

Do you think it would make any difference if I did a disconnect/reconnect of the router?

I also updated my computers to Snow Leopard at the weekend would that have any connection with the attacks?

Rik

I don't think you're particularly at risk; the firewall is catching the traffic and warning you about it. It might be worth checking what sites your daughter has used, as the IP address may have been picked up from one of those. Re-booting the router shouldn't make a difference as you have a static IP address. I also don't think it's related to SL; I just suspect that your IP address has been picked up by a site or is being targeted randomly. Does your router respond to pings? If so, try turning that off.
Rik
--------------------

This post reflects my own views, opinions and experience, not those of IDNet.

somanyholes

The traffic is being initiated by a box on your network, in this instance 192.168.2.2. So the syn flood is actually coming from your network, not the other way around. How many machines are there on your network? Are you able to provide other IPs that show up in the syn flood alerts? It might narrow it down a bit more. It's a pain trying to troubleshoot these things remotely when you don't have access to the machine in question. More IPs might point us in the right direction....

lozcart

I've three computers (two Macs, one Windows), an iPhone and an iPod Touch connected.

This is the latest list:

09/03/2009 17:54:36   **SYN Flood** 192.168.2.4, 51049->> 207.46.113.78, 443 (from ATM1 Outbound)
09/03/2009 17:54:36   **SYN Flood** 192.168.2.4, 51048->> 64.4.16.75, 1863 (from ATM1 Outbound)
09/03/2009 17:54:35   **SYN Flood** 192.168.2.4, 51045->> 74.125.242.171, 80 (from ATM1 Outbound)
09/03/2009 17:54:35   **SYN Flood** 192.168.2.4, 51043->> 213.199.174.199, 80 (from ATM1 Outbound)
09/03/2009 17:54:35   **SYN Flood** 192.168.2.6, 53730->> 64.4.16.75, 1863 (from ATM1 Outbound)
09/03/2009 17:54:35   **SYN Flood** 192.168.2.4, 51041->> 64.4.33.7, 80 (from ATM1 Outbound)
09/03/2009 17:54:35   **SYN Flood** 192.168.2.4, 51039->> 213.199.186.26, 80 (from ATM1 Outbound)
09/03/2009 17:54:35   **SYN Flood** 192.168.2.4, 51035->> 87.248.212.72, 80 (from ATM1 Outbound)
09/03/2009 17:54:35   **SYN Flood** 192.168.2.4, 51033->> 92.123.154.27, 80 (from ATM1 Outbound)
09/03/2009 17:54:35   **SYN Flood** 192.168.2.4, 51031->> 207.46.113.78, 443 (from ATM1 Outbound)
09/03/2009 17:54:35   **SYN Flood** 192.168.2.4, 51030->> 213.199.162.86, 80 (from ATM1 Outbound)
09/03/2009 17:54:35   **SYN Flood** 192.168.2.4, 51029->> 80.168.100.101, 80 (from ATM1 Outbound)
09/03/2009 17:54:35   **SYN Flood** 192.168.2.4, 51026->> 213.199.164.73, 80 (from ATM1 Outbound)
09/03/2009 17:54:35   **SYN Flood** 192.168.2.4, 51023->> 213.199.141.141, 80 (from ATM1 Outbound)
09/03/2009 17:54:33   **SYN Flood** 192.168.2.4, 51019->> 207.46.28.81, 80 (from ATM1 Outbound)
09/03/2009 17:54:29   **SYN Flood** 192.168.2.4, 51016->> 65.54.172.102, 1863 (from ATM1 Outbound)
09/03/2009 17:54:29   **SYN Flood** 192.168.2.4, 51015->> 64.4.9.254, 1863 (from ATM1 Outbound)
09/03/2009 17:54:28   **SYN Flood** 192.168.2.4, 51013->> 65.54.186.19, 80 (from ATM1 Outbound)
09/03/2009 17:54:21   **SYN Flood** 192.168.2.9, 54625->> 69.63.186.16, 80 (from ATM1 Outbound)
09/03/2009 17:54:15   **SYN Flood** 192.168.2.6, 53729->> 207.46.26.122, 1863 (from ATM1 Outbound)
09/03/2009 17:54:12   **SYN Flood** 192.168.2.9, 54624->> 88.221.26.16, 80 (from ATM1 Outbound)

Rik

Som is your man on this. All I can think to suggest is to disconnect all but one machine and see if the problem stops. If it does, re-connect devices one at a time until you find the guilty party.
Rik
--------------------

This post reflects my own views, opinions and experience, not those of IDNet.

somanyholes

Ok. I had a look at most of those IPs and they are for normal traffic use. A lot of them tie in to either MSN/Windows Live Messenger. Others are things like Facebook, Microsoft etc.

As there are supposed syn floods from multiple machines on your network to fairly standard destinations, from multiple operating systems, I think it highly unlikely that these syn floods are being caused by anything bad on your network, so you can breathe a sigh of relief here.

Basically your router, in my opinion, is being naughty in the reporting of these supposed syn floods. I'm not sure what make/model you are using but it's being far too pessimistic in its logging approach to these syn floods; in fact I wouldn't call them syn floods at all, however the router seems to disagree ;) From the info provided, I don't think the floods are being blocked, just logged.

So the router is either seeing every syn packet as a flood, or you have a congested internet connection / bad line which is causing multiple syns to be sent out. I'm pretty sure it's the first one. If these alerts are really bugging you it might be worth looking at the manufacturer's website / forums to see if there is a firmware upgrade to resolve this, or information as to why they seem to log everything as a flood.
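
The reasoning in the two somanyholes posts above (first, that the source of each alert is an internal 192.168.2.x host and the direction is outbound; second, that the destinations are ordinary web and Messenger services spread across many hosts, so the alerts describe normal client traffic rather than a flood) can be turned into a small triage script. The following is an added example, not code from the thread or from any router vendor; it parses log lines in the exact format lozcart quoted, using a constructed six-line sample, and the port-to-service names and the "repeats to one target" threshold are assumptions chosen for illustration.

```python
import ipaddress
import re
from collections import Counter, defaultdict
from datetime import datetime

# Constructed sample in the same format as the router log quoted in the thread.
SAMPLE_LOG = """\
09/03/2009 17:54:36   **SYN Flood** 192.168.2.4, 51049->> 207.46.113.78, 443 (from ATM1 Outbound)
09/03/2009 17:54:36   **SYN Flood** 192.168.2.4, 51048->> 64.4.16.75, 1863 (from ATM1 Outbound)
09/03/2009 17:54:35   **SYN Flood** 192.168.2.4, 51045->> 74.125.242.171, 80 (from ATM1 Outbound)
09/03/2009 17:54:35   **SYN Flood** 192.168.2.6, 53730->> 64.4.16.75, 1863 (from ATM1 Outbound)
09/03/2009 17:54:21   **SYN Flood** 192.168.2.9, 54625->> 69.63.186.16, 80 (from ATM1 Outbound)
09/03/2009 17:54:15   **SYN Flood** 192.168.2.6, 53729->> 207.46.26.122, 1863 (from ATM1 Outbound)
"""

# One regex for the router's line layout: date, time, **event**, src, sport->> dst, dport (from iface dir)
LINE_RE = re.compile(
    r"^(?P<date>\d{2}/\d{2}/\d{4}) (?P<time>\d{2}:\d{2}:\d{2})\s+"
    r"\*\*(?P<event>[^*]+)\*\*\s+"
    r"(?P<src>[\d.]+), (?P<sport>\d+)->> (?P<dst>[\d.]+), (?P<dport>\d+)"
    r" \(from (?P<iface>\S+) (?P<direction>\w+)\)$"
)

# Assumed mapping of the destination ports seen in the thread to the services they carry.
WELL_KNOWN_PORTS = {80: "http", 443: "https", 1863: "msnp (Windows Live / MSN Messenger)"}

# Assumed threshold: many SYNs from one source to one dst:port in a short log is flood-like;
# normal browsing and IM fan out to many destinations with one or two SYNs each.
FLOOD_REPEAT_THRESHOLD = 10


def parse_line(line):
    """Return a dict for one log line, or None if the line is not in the expected format."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    d = m.groupdict()
    return {
        "ts": datetime.strptime(f"{d['date']} {d['time']}", "%m/%d/%Y %H:%M:%S"),
        "event": d["event"].strip(),
        "src": ipaddress.ip_address(d["src"]),
        "sport": int(d["sport"]),
        "dst": ipaddress.ip_address(d["dst"]),
        "dport": int(d["dport"]),
        "iface": d["iface"],
        "direction": d["direction"],
    }


def parse_log(text):
    return [e for e in (parse_line(ln) for ln in text.splitlines()) if e]


def triage(events):
    """Summarise who is sending, where to, how fast, and whether it looks like a flood."""
    by_source = Counter(str(e["src"]) for e in events)
    by_dport = Counter(e["dport"] for e in events)
    per_second = Counter(e["ts"] for e in events)
    repeats = Counter((str(e["src"]), str(e["dst"]), e["dport"]) for e in events)
    dests = defaultdict(set)
    for e in events:
        dests[str(e["src"])].add(str(e["dst"]))

    sources_all_private = all(e["src"].is_private for e in events)
    all_outbound = all(e["direction"] == "Outbound" for e in events)
    unknown_ports = sorted(p for p in by_dport if p not in WELL_KNOWN_PORTS)
    max_repeats = max(repeats.values(), default=0)

    # Verdict: LAN hosts, outbound, well-known service ports, and no host hammering one target
    # is the pattern of ordinary client traffic that the router is mislabelling.
    if sources_all_private and all_outbound and not unknown_ports \
            and max_repeats < FLOOD_REPEAT_THRESHOLD:
        verdict = "ordinary outbound client traffic"
    else:
        verdict = "needs investigation"

    return {
        "events": len(events),
        "sources_all_private": sources_all_private,
        "all_outbound": all_outbound,
        "by_source": dict(by_source),
        "by_dport": dict(by_dport),
        "unknown_ports": unknown_ports,
        "peak_per_second": max(per_second.values(), default=0),
        "distinct_dests": {src: len(s) for src, s in dests.items()},
        "max_repeats_to_one_target": max_repeats,
        "verdict": verdict,
    }


if __name__ == "__main__":
    summary = triage(parse_log(SAMPLE_LOG))
    for key, value in summary.items():
        print(f"{key}: {value}")
```

Running it against the sample prints per-source and per-port counts, the peak alert rate per second and the verdict; pasting the full list from the thread in place of the sample gives the same picture somanyholes described: every source is a private LAN address, every alert is outbound, all destination ports are 80, 443 or 1863, and no host sends more than a couple of SYNs to any one target.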

lozcart

Thanks ever so much for all your help and advice in sorting this out.

Somanyholes, you were absolutely right, the router was seeing every syn packet as a flood. I restarted the router and everything is back to normal; it just must have got corrupted and started logging every syn. It had been up and running for the last 45 days or so, I guess it just needed a rest :laugh:

Thanks again for your help. :karma:


somanyholes

Glad you're sorted. :) Hopefully it won't come up again, however it more than likely will at some point.