SYN Floods and modems

ARYDANT

Junior Member
Feb 17, 2014
I am on a Comcast cable network and subscribe to their lowest tier - Economy Plus - 3Mb/775Kb. I have found this to be sufficient for everything the two of us do. Surfing, streaming and the occasional file download. I figure Comcast has sold most everyone on higher tiers than they need. They are heavy on sales.

Recently we have been experiencing some slow page loading and my speeds have tested poor intermittently. We run 2 laptops and 2 PCs with Win7.

After system testing and purging, I took a look at my Gateway router (WCG200 v2) log. Here is a sample:

Description                  Count  Last Occurence            Target                Source
TCP- or UDP-based Port Scan  10     Mon Feb 17 20:20:19 2014  107.2.119.160:51969   75.75.76.76:53
SYN Flood                    69     Mon Feb 17 20:20:31 2014  192.168.0.10:58897    64.94.107.14:80
TCP- or UDP-based Port Scan  1      Mon Feb 17 20:22:48 2014  107.2.119.160:55292   8.8.8.8:53
SYN Flood                    630    Mon Feb 17 20:28:16 2014  192.168.0.11:52604    173.194.133.203:44

So, it looks like someone has launched a denial of service attack at my system and perhaps this is causing my hiccups.

I called Comcast and described the problem. Immediately the agent told me that my Gateway router was too old and didn't have enough speed or security and I need to get a new one with "not to be too geeky", DOCSIS 3, N wifi and WPA2. This would increase my speed and security.

This is not the first time they have tried to sell me on buying a new modem.

I explained to her that with Economy Plus I had nothing to gain by moving to a DOCSIS 3 modem, my G WiFi is just fine and I already have WPA2 and that I am an engineer so technical stuff doesn't scare me.

She ended up suggesting that I change my DNS server to one that is faster and has better security like "Level 3" and this will stop the DoS attacks.

On the WCG200 I can't figure out how to accomplish this.

~and~

Should I really consider getting a new modem and router? It seems overkill unless a new one will allow me to change my DNS?
 

Red Squirrel

No Lifer
May 24, 2003
www.anyf.ca
Call them up again, and ask if your bandwidth is being saturated. If it's not, then they may be right, the router is not handling it. If your connection is saturated, then it does not really matter how powerful the router is, the DoS is saturating the link and would need to be stopped before (which they probably won't do, this is not easy to mitigate). Chances are this is not a targeted attack though, probably some random syn flood type traffic that's being picked up. Plug a laptop or other device directly into the modem to see if you can run a packet sniff just to get an idea of how much traffic there is.

You could also change your mac address in the router (just randomize to something else) and release/renew your IP. This will force you to get a new IP.

Have you been running torrents by any chance? This "syn attack" may simply be clients trying to connect to you. When I had a low end connection this traffic would be enough to slow me down but it would eventually wind down.
 

ARYDANT

Junior Member
Feb 17, 2014
I got home from work today and ran a scan of my router on the "Shields Up" site. This reported a robust firewall with no vulnerabilities that they could find.

I called Comcast security and told them I was dealing with DoS attacks on my system. They told me this was difficult to stop and since I have a dynamic IP the attacks will stop if I obtain a new one. He instructed me to shut off my router for 12 hours and a new one will be assigned when I restart.

In the meantime I have been watching my Admin Log and there were new events happening.

There were IP packet and LAN SIDE SYN FLOODS messages appearing. At one point my connection dropped and I saw a message about something that was changed - sorry I don't have specifics because it was changing quickly and I didn't understand what was going on.

After seeing the LAN SIDE SYN FLOOD I figured my router had been breached and my computer was targeting other IP addresses around the world. I shut the router off.

Today I found that in the past week The Moon worm has been infecting older Linksys home routers with stock firmware.

https://isc.sans.edu/forums/diary/Linksys+Worm+TheMoon+Summary+What+we+know+so+far/17633
 

Red Squirrel

No Lifer
May 24, 2003
www.anyf.ca
You don't have to wait 12 hours. Release your IP, change your MAC address, and renew your IP. The DHCP server will think it's a different device and give you another IP address.

But yeah if your router falls under that exploit time to get a different one. Personally I'm a fan of DIY solutions like pfsense, it seems all these home grade routers have backdoors and crap these days.
 

ARYDANT

Junior Member
Feb 17, 2014
The WCG200 has a MAC address printed on the enclosure. This is what I give to the IP provider when setting up DHCP. I don't see anywhere that this can be changed in the configuration menu.

A newer modem and router might have more options.

I do have a WRT54G hooked up downstream and I could use that with a newer modem and perhaps install DD-WRT.
 

ARYDANT

Junior Member
Feb 17, 2014
.......of course, since I don't have the Linux WRT54GL, I can't do that.

I haven't run any torrents in a few years.

I spent several hours and called 10 numbers last night with Comcast. Comcast couldn't figure out how to give me a new WAN IP address o_O. Guess where they dumped me?

support.com :twisted:

Without looking at any logs they flatly told me that I had "The BOT Virus" and I could pay them to help me get rid of it.

I told him I was suspicious and would like to investigate for myself.

If there is anything on my system it isn't causing the SYN Flooding. Most likely there is a Bot Net that is trying to gain control of my system.

I think you are right squirrel, I need to change my MAC. The only way I can do that is by using a different modem in my system because the WCG200 has an integrated router. Then I can use the WRT54 MAC to get a new WAN IP.

Comcast has made me irate a number of times in the years that I have been a customer. Fortunately for them, Qwest was even worse.
 

azazel1024

Senior member
Jan 6, 2014
Without better logs or knowing more about the modem, I'd assume not a DoS SYN flood attack. It very well might just be that the modem can't keep up with a bad connection. A typical handshake is syn, ack, syn. If the ack packets are getting dropped for some reason, it would be similar to a syn attack, but assumedly it wouldn't go on and on.

No idea what kind of threshold dropped ack packets would be for the modem to log "syn flood". It could simply be a poor connection to something.

With a 3mb/775kb connection and an old cable modem, it's not going to keep up with much. An arthritic telegrapher can send morse code faster.

You could have something going on, certainly. Considering how cheap it is, I'd look at a newer cable modem and work from there.
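As an added example (written for this thread, not code from any poster), a small Python triage script over the WCG200 log lines quoted in the opening post. It applies the idea from the post above that replies to sessions a LAN host opened itself (a DNS answer, a web server's SYN-ACK) can end up logged as a "port scan" or "SYN flood": it checks whether the logged target is a LAN (RFC 1918) address and whether the source sits on a well-known service port while the target port is ephemeral. The last entry's source port is kept as printed in the post (44).

```python
import ipaddress
import re
from dataclasses import dataclass

# Constructed from the WCG200 log quoted in the opening post; that router prints
# the columns as Description, Count, Last Occurrence, Target, Source.
ROUTER_LOG = """\
TCP- or UDP-based Port Scan 10 Mon Feb 17 20:20:19 2014 107.2.119.160:51969 75.75.76.76:53
SYN Flood 69 Mon Feb 17 20:20:31 2014 192.168.0.10:58897 64.94.107.14:80
TCP- or UDP-based Port Scan 1 Mon Feb 17 20:22:48 2014 107.2.119.160:55292 8.8.8.8:53
SYN Flood 630 Mon Feb 17 20:28:16 2014 192.168.0.11:52604 173.194.133.203:44
"""
LINE_RE = re.compile(
    r"^(?P<desc>.+?) (?P<count>\d+) \w{3} \w{3} \d{1,2} \d\d:\d\d:\d\d \d{4} "
    r"(?P<target>[\d.]+):(?P<tport>\d+) (?P<source>[\d.]+):(?P<sport>\d+)$"
)
# Services a home LAN host talks to; legitimate replies come back *from* these ports.
SERVICE_PORTS = {53: "DNS", 80: "HTTP", 443: "HTTPS"}

@dataclass
class Event:
    desc: str
    count: int
    target: str
    tport: int
    source: str
    sport: int

    def verdict(self) -> str:
        # Target in RFC 1918 space: the router logged traffic for a LAN host (after
        # NAT); otherwise the packet was addressed to the modem's own WAN address.
        where = "LAN host" if ipaddress.ip_address(self.target).is_private else "WAN address"
        # Source on a well-known service port with an ephemeral target port has the
        # shape of a reply to a session the LAN host opened, not an unsolicited probe.
        if self.sport in SERVICE_PORTS and self.tport >= 1024:
            return f"{SERVICE_PORTS[self.sport]} reply to {where}"
        return f"unclassified inbound to {where}, investigate"

def parse_log(text: str) -> list[Event]:
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:  # the header row and malformed rows are skipped
            events.append(Event(m["desc"], int(m["count"]), m["target"],
                                int(m["tport"]), m["source"], int(m["sport"])))
    return events

def triage(text: str) -> list[tuple[str, int, str]]:
    # (description, count, verdict) per entry, busiest first
    return sorted(((e.desc, e.count, e.verdict()) for e in parse_log(text)),
                  key=lambda t: -t[1])
```

Entries that come back as replies to the host's own DNS or web sessions are the ones to weigh against the dropped-ACK explanation; the unclassified one is the only entry worth a closer look with a packet capture as suggested earlier.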
 

ARYDANT

Junior Member
Feb 17, 2014
I picked up a new Cisco DOCSIS 3 modem from Comcast. I set up my WRT54GS router onto that.

After the connection was established, page loads were much faster. Streaming video was also dramatically improved and the logs were empty.

Speed tests were marginally faster, but it was the actual performance that showed the benefits of the change.

If this was simply a matter of the modem not being able to handle the signal, it is odd that it degraded so rapidly. In comparison to the new modem, it went from mediocre to intermittently poor suddenly. Even so, the WCG200 was under-performing regardless of any SYN attack that may have been made on it.

Comcast was completely incompetent in assisting me with this problem. Now all I have to do is try to get all that on-hold light jazz ear worm out of my head.

Thanks for your help. Next time I have a problem I will probably have forgotten all of this, but maybe this thread will be of help to others in future.