kernel: Intrusion->[SYN]

Jaffa.
Jaffa. Posts: 1,193 Forumite
My internet just went down for about 10 seconds so I thought I would have a look in the router's log to see what happened... I have about 30 entries saying:
kernel: Intrusion->[SYN]IN=ppp_0_0_38_1 OUT= MAC= SRC=212.116.68.118 DST=92.2.21.79 LEN=64 TOS=0x00 PREC=0x00 TTL=53 ID=26580 DF PROTO=TCP SPT=50564 DPT=30577 WINDOW=65535 RES=0x00 SYN URGP=0

What the hell :mad: this is a DoS attack, right? What does all the other stuff mean, like LEN?

Comments

  • [Deleted User]
    [Deleted User] Posts: 0 Newbie
    edited 27 April 2009 at 4:58PM
    These might help:

    http://www.skyuser.co.uk/forum/sky-router/20360-router-intrusion.html
    http://www.skyuser.co.uk/forum/sky-broadband-help/23976-adsl-link-down.html
    http://broadbandforum.in/bsnl-broadband/38328-frequently-loosing-adsl-link/

    If I were you I'd reset the router, update the firmware, set up / change the WPA password, then finally change the default admin password for the router's logon page.
  • Duk
    Duk Posts: 117 Forumite
    In theory a DDOS attack is just a bunch of SYN requests to a host without an ACK being sent back. But if it's only 30 log entries I wouldn't worry; a usual DDOS attack will send tens of thousands of SYN requests.

    No doubt this is prob just your router mistaking something. I wouldn't worry about it.
  • Jaffa.
    Jaffa. Posts: 1,193 Forumite
    Thanks for them links, the last one didn't work though :( So basically it attempted, but didn't succeed. Blocked it, still the internet went down...

    The router's got a random WPA2 password and admin password anyway, firmware is all up-to-date. There's some that say kernel: Intrusion->[PING] too...
  • fwor
    fwor Posts: 6,872 Forumite
    It's true that 30 entries seems too low for a DDOS attempt, unless the router fell over and was rebooting while the rest came in. It does seem to have some of the indications of a SYN attack - the source and destination ports seem to have been chosen at random and don't correspond to any well-known services.

    The other stuff is just describing the parameters of the packet, such as its LENgth, source and destination ports, etc. None of it is particularly useful - one of the characteristics of a SYN attack is that the source IP is always faked, so you've no way of knowing where it came from.

    If you're not on a static IP address, it may be worth forcing a different IP address. How you do that appears to vary from ISP to ISP, but turning off your router overnight will often do it.

    If you're on a static IP address and you keep getting similar outages you may need to contact your ISP to get it changed.
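The packet fields described in the reply above, pulled out of the log format quoted in the first post; this is an added example, not part of the original thread. Only the first sample line comes from the thread, the other three are constructed, and the names `parse_entry` and `summarise` are made up for illustration.

```python
import re
from collections import defaultdict

# First line: the entry quoted in the thread. The other three are constructed
# samples using documentation-range addresses so the summary has data to group.
SAMPLE_LOG = """\
kernel: Intrusion->[SYN]IN=ppp_0_0_38_1 OUT= MAC= SRC=212.116.68.118 DST=92.2.21.79 LEN=64 TOS=0x00 PREC=0x00 TTL=53 ID=26580 DF PROTO=TCP SPT=50564 DPT=30577 WINDOW=65535 RES=0x00 SYN URGP=0
kernel: Intrusion->[SYN]IN=ppp_0_0_38_1 OUT= MAC= SRC=198.51.100.7 DST=203.0.113.10 LEN=60 TOS=0x00 PREC=0x00 TTL=49 ID=4411 DF PROTO=TCP SPT=40112 DPT=23 WINDOW=5840 RES=0x00 SYN URGP=0
kernel: Intrusion->[SYN]IN=ppp_0_0_38_1 OUT= MAC= SRC=198.51.100.7 DST=203.0.113.10 LEN=60 TOS=0x00 PREC=0x00 TTL=49 ID=4412 DF PROTO=TCP SPT=40113 DPT=8080 WINDOW=5840 RES=0x00 SYN URGP=0
kernel: Intrusion->[PING]IN=ppp_0_0_38_1 OUT= MAC= SRC=192.0.2.44 DST=203.0.113.10 LEN=84 TOS=0x00 PREC=0x00 TTL=51 ID=0 DF PROTO=ICMP TYPE=8 CODE=0 ID=9001 SEQ=1
"""

# Field meanings: LEN = total IP packet length in bytes, TTL = remaining hop
# count, ID = IP identification field, SPT/DPT = source/destination port,
# WINDOW = advertised TCP receive window, IN = interface the packet arrived on.
PREFIX = re.compile(r"Intrusion->\[(\w+)\]")
TCP_FLAGS = {"SYN", "ACK", "FIN", "RST", "PSH", "URG", "CWR", "ECE"}

def parse_entry(line):
    """Split one entry into its rule tag, KEY=value fields and bare flags."""
    m = PREFIX.search(line)
    if not m:
        return None
    entry = {"rule": m.group(1), "tcp_flags": [], "ip_flags": []}
    for token in line[m.end():].split():
        key, sep, value = token.partition("=")
        if sep:
            entry.setdefault(key, value)     # first ID= is the IP header's
        elif token in TCP_FLAGS:
            entry["tcp_flags"].append(token)
        else:
            entry["ip_flags"].append(token)  # e.g. DF (don't fragment)
    return entry

def summarise(log_text):
    """Per source address: entry count and the destination ports it tried."""
    by_src = defaultdict(lambda: {"count": 0, "ports": set()})
    for line in log_text.splitlines():
        e = parse_entry(line)
        if e is None or "SRC" not in e:
            continue
        by_src[e["SRC"]]["count"] += 1
        if "DPT" in e:
            by_src[e["SRC"]]["ports"].add(int(e["DPT"]))
    return dict(by_src)
```

Grouping a real log this way shows at a glance whether the entries are a handful of probes spread over many ports or a large volume aimed at one, which is the distinction the replies above are drawing.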
  • Jaffa.
    Jaffa. Posts: 1,193 Forumite
    edited 27 April 2009 at 5:24PM
    No, my IP address is non-static and it's now changed (turning the router on and off seems to have done the trick).

    I guess this is as good as any to ask this. In the router there's a Firewall setting and there's loads of options to tick:

    Enable DOS and Portscan Protection :
    SYN attack :
    FIN/URG/PSH attack :
    Ping Attack :
    Xmas Tree attack :
    TCP reset attack :
    Null scanning attack :
    Ping of Death attack :
    SYN/RST SYN/FIN attack :

    They should all be ticked right? Or does ticking them make an exception to the rule because without the top one ticked you can't tick any of the others...

    The router's a D-Link DSL-2640B
  • Duk
    Duk Posts: 117 Forumite
    It could be something as simple as your ISP changing your DHCP lease, that would also explain why your internet went down.
  • GunJack
    GunJack Posts: 11,864 Forumite
    I've got a 2640, good little router...switch your firewall on and tick SYN attack protection, should stop it happening again :)
    ......Gettin' There, Wherever There is......

    I have a dodgy "i" key, so ignore spelling errors due to "i" issues, ...I blame Apple :D
This discussion has been closed.