IDS proto parser :tcp data on syn segment - Security Threat?
13-03-2011 12:33 PM
For the last three or four days my Thomson router has been logging security events similar to those reported in a recent topic here and an older topic here. I've pasted my latest three security events below (the xxxs are my own IP address):
Mar 13 08:55:34 IDS proto parser : tcp data on syn segment (1 of 1) : 91.205.41.75 xx.xxx.xxx.xxx 0040 TCP 80->54408 [S.A...] seq 3927001349 ack 2231327393 win 622
Mar 13 07:06:37 IDS proto parser : tcp data on syn segment (1 of 1) : 91.205.41.75 xx.xxx.xxx.xxx 0040 TCP 80->9557 [S.A...] seq 4189936645 ack 216172890 win 316
Mar 13 06:47:16 IDS proto parser : tcp data on syn segment (1 of 1) : 91.205.41.75 xx.xxx.xxx.xxx 0040 TCP 80->11788 [S.A...] seq 1172275716 ack 709308166 win 391
To be honest I'm clueless about tracing server details etc. and assessing security threats. But I did attempt a somewhat naive Google search for 91.205.41.75 which (if I understood correctly) suggested that "Dragonara Alliance Ltd" and/or "Cs-monitoring.ru" might be linked to that IP address? But I was left most concerned because of my chancing upon this Offensive IP Database page which (again if I'm understanding correctly) does tend to concur with my own experience by implicating that the site 91.205.41.75 has indeed been involved in offensive action from 9th March 2011 (about the time when I first started seeing my own security events logged).
I've no idea if I'm worrying unduly or if this behaviour is likely to cease given time? I'd appreciate it if someone more clued up in security related matters could advise me further about what might be going on and whether there's any serious cause for concern?
Thanks
Re: IDS proto parser :tcp data on syn segment - Security Threat?
13-03-2011 2:12 PM
I think "IDS" is probably Intrusion Detection System (on your router) and "tcp data on syn segment" means the packet carries data, which properly constructed SYN segments don't. So it is very likely that the source computer is probing your connection trying to find a vulnerability; different destination ports are being tried. Your router is blocking these (hopefully all of them, not just the ones reported in the log). So no major cause for concern, but be doubly careful when responding to any access authorisation prompts (e.g. for allowing software updates).
I doubt there is a way to stop them (though if you have a dynamic IP disconnecting from Plusnet and reconnecting might get you a different IP which is not being targeted). However after a few days without success it looks like the probes stop.
The source is indeed one with a .ru domain, but operating through an ISP registered in British Virgin Islands. Hmmm ...
David
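The triage spraxyt describes (one source address, several different destination ports, SYN set on a segment that carries data) can be checked mechanically over the Thomson log lines quoted in the opening post. The following is an added example, not code from the thread or from the router vendor; the field layout is inferred from the three quoted lines and is an assumption.

```python
import re
from collections import defaultdict

# Constructed sample: the three router events quoted in the opening post
# (the destination address is masked there, and stays masked here).
SAMPLE_LOG = """\
Mar 13 08:55:34 IDS proto parser : tcp data on syn segment (1 of 1) : 91.205.41.75 xx.xxx.xxx.xxx 0040 TCP 80->54408 [S.A...] seq 3927001349 ack 2231327393 win 622
Mar 13 07:06:37 IDS proto parser : tcp data on syn segment (1 of 1) : 91.205.41.75 xx.xxx.xxx.xxx 0040 TCP 80->9557 [S.A...] seq 4189936645 ack 216172890 win 316
Mar 13 06:47:16 IDS proto parser : tcp data on syn segment (1 of 1) : 91.205.41.75 xx.xxx.xxx.xxx 0040 TCP 80->11788 [S.A...] seq 1172275716 ack 709308166 win 391
"""

# Field layout assumed from the lines above: timestamp, rule name,
# "(n of m)" counter, source, destination, frame length in hex, protocol,
# source->destination port, TCP flag field, then seq / ack / window.
LINE_RE = re.compile(
    r"^(?P<ts>\w{3} +\d{1,2} \d\d:\d\d:\d\d) IDS proto parser : "
    r"(?P<rule>.+?) \((?P<n>\d+) of (?P<m>\d+)\) : "
    r"(?P<src>\S+) (?P<dst>\S+) (?P<length>[0-9a-fA-F]{4}) (?P<proto>\w+) "
    r"(?P<sport>\d+)->(?P<dport>\d+) \[(?P<flags>[^\]]*)\] "
    r"seq (?P<seq>\d+) ack (?P<ack>\d+) win (?P<win>\d+)$"
)

def parse_event(line):
    """Return a dict of fields for one IDS line, or None if it does not match."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    ev = m.groupdict()
    for k in ("n", "m", "sport", "dport", "seq", "ack", "win"):
        ev[k] = int(ev[k])
    ev["length"] = int(ev["length"], 16)   # "0040" -> 64 bytes on the wire
    # Letters present in the flag field are set bits (S = SYN, A = ACK); dots are clear.
    ev["flags"] = set(ev["flags"]) - {"."}
    return ev

def summarise(log_text):
    """Group events by source: count, distinct destination ports, source ports, flags seen."""
    by_src = defaultdict(lambda: {"events": 0, "dports": set(), "sports": set(), "flags": set()})
    for line in log_text.splitlines():
        ev = parse_event(line)
        if ev is None:
            continue          # skip lines from other rules or malformed lines
        s = by_src[ev["src"]]
        s["events"] += 1
        s["dports"].add(ev["dport"])
        s["sports"].add(ev["sport"])
        s["flags"] |= ev["flags"]
    return dict(by_src)
```

A source whose summary shows many distinct destination ports and a constant source port, as in the sample, matches the pattern spraxyt describes; the router already dropped these, so the summary is for deciding whether anything else needs attention.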
Re: IDS proto parser :tcp data on syn segment - Security Threat?
13-03-2011 3:06 PM
Many thanks indeed, spraxyt. There's much to muse upon in your extremely helpful comments.
Re: IDS proto parser :tcp data on syn segment - Security Threat?
13-03-2011 5:02 PM
Just a little off-topic, but I sometimes wonder if Spraxyt is to PlusNet what the Stig is to Top Gear.
Call me 'w23'
At any given moment in the universe many things happen. Coincidence is a matter of how close these events are in space, time and relationship.
Opinions expressed in forum posts are those of the poster, others may have different views.
Re: IDS proto parser :tcp data on syn segment - Security Threat?
13-03-2011 11:02 PM
Interesting analogy, though I don't own white overalls.
David
Re: IDS proto parser :tcp data on syn segment - Security Threat?
14-03-2011 1:15 PM
Some say he's a ninja at weekends, and that his sword is so sharp it can only be honed by angling it correctly to catch the light from the sunrise. All we know is...
Re: IDS proto parser :tcp data on syn segment - Security Threat?
14-03-2011 1:51 PM
Nice one Matt... well up to your usual standard.
To argue with someone who has renounced the use of reason is like administering medicine to the dead - Thomas Paine