Comments on: Answer as you would to an eight year old--no, let's say five year old child.

Question: Answer as you would to an eight year old--no, let's say five year old child.

meese — Sun, 09 Oct 2011 20:58:00 -0800

SYN floods and LAN-side SYN floods? Please help me understand what my wireless router is telling me.

First off, I have no idea what I'm talking about. This is the main thing I need help with.

I moved into a new apartment, in a new part of the country, just over a month ago. I got cable internet through Comcast. I used a wireless router I've had for several years to set up a wireless network -- it's a linksys, if that matters. Of course, I made it password-protected and so forth.

So, anyway, on the information page about my router, there is a link called "Administration." This page has a list of "Logs." And that list contains the words "SYN flood" and "LAN-side SYN flood" many times over. It also lists this information: "Count" (?), date and time, target, and source. I can tell you more about what this list says, but, as is, I have no idea whether any of it is important.

Here's what I understand about SYN floods: they're bad things. A hacker attempts to flood your system with requests, which then overwhelms your system so much that they can then get access to stuff that is supposed to be protected.

Here's what I really would like to know: should I be scared to see this stuff in my log? Is there anything in particular I should do? Is my wireless network somehow unsecure? Is this the sort of thing I should be contacting Comcast about? (And, if so, what do I say to them?)

What may be a contributing factor is that I downloaded Dropbox not too long after I set up my network. From Google, it appears that sometimes Dropbox can make it look as if you are receiving SYN floods? But I couldn't really understand that.

I'm sorry this question is so lame. I've been trying to Google information, but I can't understand what Google brings up.

By: chrisfromthelc

chrisfromthelc — Sun, 09 Oct 2011 21:21:22 -0800

Can you paste in a few of the lines from the log?

What make/model is your router?

Is Dropbox on your machine updated to the newest version? It looks like it's possible there was an issue with an old version, but that was over a year ago.

Most modern routers have protection against SYN floods, so, it could just be logging that it's blocked attempts. However, having LAN-side attacks is something to be concerned about.

By: meese

meese — Sun, 09 Oct 2011 21:37:44 -0800

Here are a few lines (starting with the most recent).

Description: SYN flood
Count: 84
Last Occurrence: SUN OCT 09 20:23:49 2011
Target: 192.168.0.12:61838
Source: 205.203.140.1:80

Description: LAN-side SYN Flood
Count: 18
Last Occurrence: SAT OCT 08 20:41:16 2011
Target: 206.33.42.126:80
Source: 192.168.0.11:55060

I have a Linksys Wireless Gateway router. Dropbox is up-to-date, according to everything I see.

By: free hugs

free hugs — Sun, 09 Oct 2011 21:44:39 -0800

How I would explain SYN floods to a five year old child:

A "SYN" is when one computer says "hi" to another computer. Most of the time when computers talk, they have a little introduction they do before they talk, like:

Computer1: "Hey there"
Computer2: "Oh hi, do you want to talk?"
Computer1: "Yes, here is what I want to talk about:"

A "SYN Flood" is when a hacker sends a bunch of fake messages that make Computer2 think it's seeing about 1,000 computers saying "Hey there". It is really seeing one or two computers pretending to be 1,000 computers.

Computer2 can only pay attention to about 10 things at a time, and it is completely overwhelmed now. As a result, any new computers that say "Hey there" won't get a response because Computer2 is so confused.

This usually happens when a hacker wants a web site to be unavailable. It's a clever way to tie up a server's resources using only a few client computers to seem like many computers.

By: zsazsa

zsazsa — Sun, 09 Oct 2011 21:56:56 -0800

205.203.140.1 hosts wsj.com.
206.33.42.126 is an image server for photobucket.com.

Your router is generating false alarms. Its flood detection algorithm is probably not used to the flurry of requests that go back and forth between a browser and web server these days.

By: Ad hominem

Ad hominem — Sun, 09 Oct 2011 22:01:07 -0800

Take a look at the syn attack from 205.203.140.1:80 it's target is an internal IP address on your lan, which is not routed.

If someone were attacking you the destination would be your external IP address.

By: meese

meese — Sun, 09 Oct 2011 22:01:24 -0800

Thanks, zsazsa! That's really helpful. (I tried looking up the IPs, a few times.. Turns out, I don't know how to do that, either.)

Does this mean that my router is old enough that I need to replace it? Or is it still able to handle all its tasks in a safe way, even if it is a little daft these days?

By: zsazsa

zsazsa — Sun, 09 Oct 2011 22:08:22 -0800

If the router is working fine otherwise, I wouldn't replace it. I'd see if there's a newer version of the firmware available from Linksys, though.

By: McCoy Pauley

McCoy Pauley — Mon, 10 Oct 2011 08:25:13 -0800

The biggest indicator that your router is confused is this guy:

Description: SYN flood

Count: 84

Last Occurrence: SUN OCT 09 20:23:49 2011

Target: 192.168.0.12:61838

Source: 205.203.140.1:80

The source port is 80 (HTTP), and the destination port is a random high port (61838). That means that the the webserver is responding to your client with a SYN/ACK after the client has already initiated the connection. (In terms of free hugs' explanation, this traffic is all from step 2, "Oh hi, do you want to talk?") It's not an attack coming from outside, it's a server on the internet responding to a bunch of requests that your client already sent to it.

So if the router is triggering a SYN flood warning on what's actually a bunch of SYN/ACK responses, then it's got a lousy detection algorithm for SYN floods. Agreed that you don't have anything to worry about here, and this by itself is not enough reason to replace the router.

By: CautionToTheWind

CautionToTheWind — Mon, 10 Oct 2011 08:29:35 -0800

This could also happen if your connection is throttled, and badly so. If they throttle it wrong, you will have multi-second periods of no connectivity, after which all traffic of those seconds arrives together. If a server sends you SYN/ACK and gets no response, it will send several more. If they all arrive at the same time, it will look like a syn flood.

Then it would not be your router's fault, but your ISP's fault. If your connection seems to hang for a few seconds every now and then, look into it.

By: meese

meese — Mon, 10 Oct 2011 10:42:07 -0800

I have actually been frustrated lately about my connection seeming to hang for a few seconds every now and then. I was blaming that on my router, too. I'll be calling Comcast about this soon.

Thanks, everyone. I feel much relieved, and also a little excited that perchance my connection could possibly become improved!

By: CautionToTheWind

CautionToTheWind — Tue, 11 Oct 2011 02:44:25 -0800

I had this throttling problem. It takes hours before they will even escalate your call to someone who can conceptually understand what throttling is. I doubt they will change their policy for you.

My "solution" was to buy internet from another company and keep both connections until the contract of the first crappy one expired. I hated it but I needed Internet.