topic Re: [SYN] Flood? in Tech Help - Software/Hardware etc

[SYN] Flood?

mhepplewhite — Wed, 12 Feb 2025 11:29:42 GMT

I am on a home broadband package with a small Pi home server. Port forwarding 443 to said server. Sometime in the recent past the router technical log shows incoming port forwards from remote IPs (seem to be mainly Brazil according to iplocation) at about 1 per second. IP is like A.B.C.D where A.B stays the same for a day or two but C.D changes. Wireshark capture shows server responds with [SYN, ACK] but there is no response from remote IP. Server resends a few times then a [RST] is received. Source location has also been identified as e.g. Korea.

No web pages are requested.

I am struggling to figure out what is going on or whether any defensive action is needed. Server loading seems to be minimal. Main impact seems to be that the PlusNet 2 router FW Log fills up in a short period.

Advice and insights gratefully received.

Re: [SYN] Flood?

Champnet — Wed, 12 Feb 2025 13:04:12 GMT

@mhepplewhite Any open port is going to attract unwanted attention. Syn Floods are just attempts to disrupt your system.
Nothing to worry about, I just ignore them unless further problems develop….

Re: [SYN] Flood?

outcast — Wed, 12 Feb 2025 13:09:17 GMT

@Champnet wrote:

... just ignore them unless further problems develop….

and if they DO become a problem, then Dave can take a look to see what can be done (see TCP SYN Attack / Changing IP )

Re: [SYN] Flood?

mhepplewhite — Wed, 12 Feb 2025 13:57:59 GMT

Thank you very much, reassuring. It's just that that port has been open for ages, and, as you say, various random IPs try out some standard things, but the repeated [SYN] thing is more recent.
Changing IP is a bit of a mixed blessing as various settings need to be updated.

Re: [SYN] Flood?

jab1 — Wed, 12 Feb 2025 14:21:09 GMT

@mhepplewhite Personally , wouldn’t worry, apart from filling up your log, this just proves the router is doing it’s job

Re: [SYN] Flood?

outcast — Wed, 12 Feb 2025 14:33:03 GMT

@mhepplewhite wrote:

I am on a home broadband package with a small Pi home server.

... ...

Main impact seems to be that the PlusNet 2 router FW Log fills up in a short period.

@mhepplewhite

As you are already tech savvy enough to build a Pi server, have you considered building a pfSense router ?

I use pfSense for many things, but related to your question, when I add a port forward, rather than having that port open to the world (as happens with the Plusnet Hub-2), I block ALL external access then add a firewall whitelist of allowed/known external IP addresses that can access that port - so as not to attract the attention of port scanners from anywhere in the world.

For example, I've configured my router's WAN port to reply to PING requests, but only specific test sites that I use (such as the ThinkBroadband BQM server) can see the open port.

Re: [SYN] Flood?

mhepplewhite — Wed, 12 Feb 2025 17:07:10 GMT

Thank you - I will consider such an option, thank you.

Re: [SYN] Flood?

outcast — Wed, 12 Feb 2025 17:12:42 GMT

Here are a few YouTube videos to give you an idea of what might be involved with building your own router.