Is my system under attack?

Com807877

Hi all,

Earlier today I noticed that I started to receive spam Windows Messenger pop-ups. Now I immediately wondered what was up, as my router has *all* ports stealthed or closed, and thus these messages can't get through.

Well, I went to the Gibson Research site and used the ShieldsUP! port probe they have. Surprise! Port 1025 was open. (It was the only port open.) This is bizarre because I probed the ports 2 days ago and this port was NOT open. In fact, I have never seen a port open with this router until now. How can a port go open like this all of a sudden?

I checked the router log and this is what I see:

Aug/10/2003 23:34:13 SYN Flood Attack Detect Packet Dropped
Aug/10/2003 23:34:11 SYN Flood Attack Detect Packet Dropped
Aug/10/2003 23:34:10 SYN Flood Attack Detect Packet Dropped
Aug/10/2003 23:34:09 SYN Flood Attack Detect Packet Dropped
Aug/10/2003 23:34:08 SYN Flood Attack Detect Packet Dropped
Aug/10/2003 23:34:07 SYN Flood Attack Detect Packet Dropped
Aug/10/2003 23:34:06 SYN Flood Attack Detect Packet Dropped
Aug/10/2003 23:34:05 SYN Flood Attack Detect Packet Dropped
Aug/10/2003 23:34:04 SYN Flood Attack Detect Packet Dropped

Ok, so what exactly is an SYN flood attack?

I assume I've been targeted by someone.

Does anyone have any idea what they are trying to do, or what I should do to prevent something bad happening?

Thanks!
 

skyking

Port 1025 was open when you probed it because your machine was listening on that port for those messenger service pop-ups.
The protocol uses a port in the 130's, plus those higher ports, incremented by one as needed.
Turn off messenger service.
Start, control panel, administrative tools, services(local), messenger, click on that, disable, set to manual start.
As far as the SYN flood detection, it sounds like your router is doing its job. Have you had an actual Denial of Service corresponding with the timing of those detected and dropped packets? If not, do not worry about it.
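
Added example, not part of any post in this thread: one way to do the timing comparison suggested above, using the router log lines quoted in the first post. The 30-second burst gap, the one-minute slack and the outage window you pass in are assumptions; replace them with what you actually observed.

```python
from datetime import datetime, timedelta
# Router log lines quoted in the first post above.
ROUTER_LOG = """\
Aug/10/2003 23:34:13 SYN Flood Attack Detect Packet Dropped
Aug/10/2003 23:34:11 SYN Flood Attack Detect Packet Dropped
Aug/10/2003 23:34:10 SYN Flood Attack Detect Packet Dropped
Aug/10/2003 23:34:09 SYN Flood Attack Detect Packet Dropped
Aug/10/2003 23:34:08 SYN Flood Attack Detect Packet Dropped
Aug/10/2003 23:34:07 SYN Flood Attack Detect Packet Dropped
Aug/10/2003 23:34:06 SYN Flood Attack Detect Packet Dropped
Aug/10/2003 23:34:05 SYN Flood Attack Detect Packet Dropped
Aug/10/2003 23:34:04 SYN Flood Attack Detect Packet Dropped
"""

def parse_events(text, needle="SYN Flood"):
    """Return sorted timestamps of log lines whose message contains `needle`."""
    events = []
    for line in text.splitlines():
        parts = line.split(None, 2)
        if len(parts) < 3 or needle not in parts[2]:
            continue
        try:
            events.append(datetime.strptime(f"{parts[0]} {parts[1]}", "%b/%d/%Y %H:%M:%S"))
        except ValueError:
            continue  # timestamp not in the router's format; skip the line
    return sorted(events)

def bursts(events, max_gap=timedelta(seconds=30)):
    """Group timestamps into bursts; a gap longer than max_gap starts a new one."""
    groups = []
    for ts in events:
        if not groups or ts - groups[-1][-1] > max_gap:
            groups.append([])
        groups[-1].append(ts)
    return groups

def summarize(group):
    """Start, end, count and average drops per second for one burst."""
    span = (group[-1] - group[0]).total_seconds()
    return {"start": group[0], "end": group[-1], "count": len(group),
            "per_sec": len(group) / max(span, 1.0)}

def overlaps_outage(group, outage_start, outage_end, slack=timedelta(minutes=1)):
    """True if the burst overlaps an observed outage window, allowing some slack."""
    return group[0] <= outage_end + slack and group[-1] >= outage_start - slack

if __name__ == "__main__":
    for s in map(summarize, bursts(parse_events(ROUTER_LOG))):
        print(f"{s['start']} -> {s['end']}: {s['count']} drops, {s['per_sec']:.2f}/s")
```

On the quoted log this reports a single burst of 9 dropped packets over 9 seconds, about one per second.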
 

Com807877

Originally posted by: skyking
Port 1025 was open when you probed it because your machine was listening on that port for those messenger service pop-ups.
The protocol uses a port in the 130's, plus those higher ports, incremented by one as needed.
Turn off messenger service.
Start, control panel, administrative tools, services(local), messenger, click on that, disable, set to manual start.
As far as the SYN flood detection, it sounds like your router is doing its job. Have you had an actual Denial of Service corresponding with the timing of those detected and dropped packets? If not, do not worry about it.

This is not correct. That port has ALWAYS been stealthed with the messenger service active. The router does NOT open ports like that for Windows.

The messenger service is used on the LAN, but the router has NEVER accepted messages from the net.

This IP is always spammed with messenger spam, and they are always dropped before they can enter the LAN. The fact those messages were being received was just what tipped me off to a port being open.