Re: FN-FORUM: Router Woes
date posted 13th August 2003 16:36
Mike Adamson [EMAIL REMOVED] wrote:
> **SYN Flood to Host** 192.168.2.102, 2274->> 195.*.*.*, 80
>
> The first IP is my client machine, the second I have edited, but I know
> who they are, there are other entries the same as the 2nd one above with
> different port numbers (if that's what 2274 is) and different IP addresses
>
> Should I be concerned?

A SYN flood is a type of DoS (Denial of Service) attack.

When you establish a TCP connection a three-way handshake is performed:
the originator sends a SYN, the receiver sends a SYN-ACK, and then there
is another ACK in response to acknowledge the SYN-ACK (if I remember
correctly).

The attack works by sending lots of SYNs to the remote host without doing
any ACK; the remote host has to wait a period of time for the ACK before
giving up and discarding the SYN. So, if you send lots of SYNs you can
fill up the resource table/buffers of the receiving host until it can't
accept any more connections. I expect because the connection is never
completed you can easily forge and randomise the source of the SYNs as well.

I suspect you made a lot of genuine connections, but maybe a high number
in a short time frame, so your router is flagging a high rate of SYNs in
genuine TCP connections.

> How can I rectify the NTP time thing?

Router probably needs the IP address of an NTP time server that it
can sync with; see if your ISP provides one, or check out the list at
www.ntp.org for a stratum 2 time server that is open to people in Europe.

-Paul-
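
The distinction drawn in the reply above, between a SYN flood and a burst of genuine connections, shown as an added example that is not part of the original post and not how any particular router implements its check. It tracks whether each SYN is followed by the SYN-ACK and final ACK; the record format, the thresholds, and the addresses 198.51.100.10 and 192.168.2.50 are assumptions constructed for illustration.

```python
from collections import defaultdict

def classify_sources(packets, window=1.0, rate_threshold=5, min_completion=0.5):
    """packets: (time, src, sport, dst, dport, flags) tuples in time order,
    flags being "SYN", "SYN-ACK" or "ACK". Returns {src: (syns, completed, verdict)}."""
    syn_times = defaultdict(list)   # src -> times of the SYNs it sent
    state = {}                      # (src, sport, dst, dport) -> handshake state
    completed = defaultdict(int)    # src -> handshakes that reached the final ACK
    for t, src, sport, dst, dport, flags in packets:
        if flags == "SYN":
            syn_times[src].append(t)
            state[(src, sport, dst, dport)] = "SYN_SENT"
        elif flags == "SYN-ACK":    # reply travels in the opposite direction
            if state.get((dst, dport, src, sport)) == "SYN_SENT":
                state[(dst, dport, src, sport)] = "SYN_ACKED"
        elif flags == "ACK" and state.get((src, sport, dst, dport)) == "SYN_ACKED":
            del state[(src, sport, dst, dport)]
            completed[src] += 1
    result = {}
    for src, times in syn_times.items():
        peak = start = 0            # peak SYN count in any `window`-second span
        for end in range(len(times)):
            while times[end] - times[start] > window:
                start += 1
            peak = max(peak, end - start + 1)
        if peak < rate_threshold:
            verdict = "normal"
        elif completed[src] / len(times) >= min_completion:
            verdict = "busy client"         # many SYNs, but handshakes finish
        else:
            verdict = "possible SYN flood"  # many SYNs, handshakes left half-open
        result[src] = (len(times), completed[src], verdict)
    return result

def sample_packets():
    """Constructed traffic: .102 completes 8 handshakes, .50 leaves 8 half-open."""
    server, pkts = "198.51.100.10", []
    for i in range(8):
        t = i * 0.05
        pkts += [(t, "192.168.2.102", 2274 + i, server, 80, "SYN"),
                 (t + 0.01, server, 80, "192.168.2.102", 2274 + i, "SYN-ACK"),
                 (t + 0.02, "192.168.2.102", 2274 + i, server, 80, "ACK"),
                 (t, "192.168.2.50", 4000 + i, server, 80, "SYN"),
                 (t + 0.01, server, 80, "192.168.2.50", 4000 + i, "SYN-ACK")]
    return sorted(pkts)

if __name__ == "__main__":
    for src, row in classify_sources(sample_packets()).items():
        print(src, row)
```

A check that counts only the SYN rate would flag both constructed hosts alike; the completion ratio is what separates them.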