IDS proto parser :tcp data on syn segment - Security Threat?

caulbox
Grafter
Posts: 176
Registered: 19-06-2009

IDS proto parser :tcp data on syn segment - Security Threat?

For the last three or four days my Thomson router has been logging security events similar to those reported in a recent topic here and an older topic here. I've pasted my latest three security events below (the xxxs are my own IP address).
Mar 13 08:55:34 IDS proto parser : tcp data on syn segment (1 of 1) : 91.205.41.75 xx.xxx.xxx.xxx 0040 TCP 80->54408 [S.A...] seq 3927001349 ack 2231327393 win 622
Mar 13 07:06:37 IDS proto parser : tcp data on syn segment (1 of 1) : 91.205.41.75 xx.xxx.xxx.xxx 0040 TCP 80->9557 [S.A...] seq 4189936645 ack 216172890 win 316
Mar 13 06:47:16 IDS proto parser : tcp data on syn segment (1 of 1) : 91.205.41.75 xx.xxx.xxx.xxx 0040 TCP 80->11788 [S.A...] seq 1172275716 ack 709308166 win 391
To be honest I'm clueless about tracing server details etc. and assessing security threats. But I did attempt a somewhat naive Google search for 91.205.41.75 which (if I understood correctly) suggested that "Dragonara Alliance Ltd" and/or "Cs-monitoring.ru" might be linked to that IP address? But I was left most concerned because of my chancing upon this Offensive IP Database page which (again if I'm understanding correctly) does tend to concur with my own experience by implicating that the site 91.205.41.75 has indeed been involved in offensive action from 9th March 2011 (about the time when I first started seeing my own security events logged).
I've no idea if I'm worrying unduly or if this behaviour is likely to cease given time? I'd appreciate it if someone more clued up in security related matters could advise me further about what might be going on and whether there's any serious cause for concern?
Thanks
6 REPLIES
Superuser
Posts: 9,368
Thanks: 692
Fixes: 51
Registered: 06-04-2007

Re: IDS proto parser :tcp data on syn segment - Security Threat?

I think "IDS" is probably Intrusion Detection System (on your router) and "tcp data on syn segment" means the packet carries data which properly constructed syn segments don't. So it is very likely that the source computer is probing your connection trying to find a vulnerability - different destination ports are being tried. Your router is blocking these (hopefully all of them, not just the ones reported in the log). So no major cause for concern, but be doubly careful when responding to any access authorisation prompts (e.g. for allowing software updates).
I doubt there is a way to stop them (though if you have a dynamic IP disconnecting from Plusnet and reconnecting might get you a different IP which is not being targeted). However after a few days without success it looks like the probes stop.
The source is indeed one with a .ru  domain, but operating through an ISP registered in British Virgin Islands. Hmmm ... Roll eyes
David
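The explanation above (a SYN segment should not carry data, and the same source hitting several different local ports is the signature of a probe) can be turned into a small triage script for the log format shown in the first post. The following is an added example written for this thread, not code from the poster, from Plusnet or from the Thomson firmware. The field layout is inferred from the three quoted lines: the four hex digits are assumed to be a length in bytes, and the bracketed field is assumed to be a fixed-order TCP flag mask where a letter means the flag is set and a dot means it is clear. The sample log is constructed from the lines in the post, with the home address masked as the poster masked it.

```python
import re
from collections import defaultdict
from dataclasses import dataclass

# Constructed sample: the three events quoted in the first post, with the
# poster's own address masked the same way it was in the post.
SAMPLE_LOG = """\
Mar 13 08:55:34 IDS proto parser : tcp data on syn segment (1 of 1) : 91.205.41.75 xx.xxx.xxx.xxx 0040 TCP 80->54408 [S.A...] seq 3927001349 ack 2231327393 win 622
Mar 13 07:06:37 IDS proto parser : tcp data on syn segment (1 of 1) : 91.205.41.75 xx.xxx.xxx.xxx 0040 TCP 80->9557 [S.A...] seq 4189936645 ack 216172890 win 316
Mar 13 06:47:16 IDS proto parser : tcp data on syn segment (1 of 1) : 91.205.41.75 xx.xxx.xxx.xxx 0040 TCP 80->11788 [S.A...] seq 1172275716 ack 709308166 win 391
"""

# Layout inferred from the quoted lines (assumption): timestamp, event name,
# "(n of total)", source, destination, 4-hex-digit length, protocol,
# sport->dport, [flag mask], seq, ack, win.
LINE_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2} +\d{1,2} \d{2}:\d{2}:\d{2}) IDS proto parser : "
    r"(?P<event>.+?) \((?P<n>\d+) of (?P<total>\d+)\) : "
    r"(?P<src>\S+) (?P<dst>\S+) (?P<length>[0-9A-Fa-f]{4}) (?P<proto>\w+) "
    r"(?P<sport>\d+)->(?P<dport>\d+) \[(?P<flags>[^\]]+)\] "
    r"seq (?P<seq>\d+) ack (?P<ack>\d+) win (?P<win>\d+)\s*$"
)


@dataclass(frozen=True)
class IdsEvent:
    ts: str
    event: str
    src: str
    dst: str
    length: int       # assumed to be a byte count decoded from the hex field
    proto: str
    sport: int
    dport: int
    flags: frozenset  # letters present in the bracketed mask, e.g. {"S", "A"}
    seq: int
    ack: int
    win: int


def parse_line(line):
    """Parse one Thomson IDS log line; return None if it is not in this format."""
    m = LINE_RE.match(line)
    if not m:
        return None
    # A letter in the mask means that flag is set; '.' means it is clear.
    flags = frozenset(ch for ch in m["flags"] if ch.isalpha())
    return IdsEvent(
        ts=m["ts"], event=m["event"].strip(), src=m["src"], dst=m["dst"],
        length=int(m["length"], 16), proto=m["proto"],
        sport=int(m["sport"]), dport=int(m["dport"]), flags=flags,
        seq=int(m["seq"]), ack=int(m["ack"]), win=int(m["win"]),
    )


def parse_log(text):
    """Parse every recognisable line, skipping anything in another format."""
    events = (parse_line(ln) for ln in text.splitlines())
    return [e for e in events if e is not None]


def summarize_by_source(events):
    """Group events by source address: how many, which local ports, which flags."""
    out = defaultdict(lambda: {"count": 0, "dports": set(), "flags": set()})
    for e in events:
        s = out[e.src]
        s["count"] += 1
        s["dports"].add(e.dport)
        s["flags"].update(e.flags)
    return dict(out)


def probing_sources(events, min_ports=2):
    """Sources that sent data-carrying SYN segments to several different local
    ports, i.e. the 'trying different destination ports' pattern of a probe."""
    relevant = [e for e in events if e.event == "tcp data on syn segment"]
    summary = summarize_by_source(relevant)
    return sorted(src for src, s in summary.items()
                  if "S" in s["flags"] and len(s["dports"]) >= min_ports)


if __name__ == "__main__":
    evs = parse_log(SAMPLE_LOG)
    for src, s in summarize_by_source(evs).items():
        print(f"{src}: {s['count']} events, ports {sorted(s['dports'])}, "
              f"flags {''.join(sorted(s['flags']))}")
    print("probing sources:", probing_sources(evs))
```

Run it against a copy of the router's security log instead of SAMPLE_LOG to see, per source address, how many events were logged and how many distinct local ports were tried; a single source touching many ports over a few days matches the probing pattern described above, whereas a one-off event against one port is usually not worth chasing.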
caulbox
Grafter
Posts: 176
Registered: 19-06-2009

Re: IDS proto parser :tcp data on syn segment - Security Threat?

Many thanks indeed, spraxyt. There's much to muse upon in your extremely helpful comments.
Community Veteran
Posts: 6,313
Thanks: 86
Fixes: 3
Registered: 08-01-2008

Re: IDS proto parser :tcp data on syn segment - Security Threat?

Just a little off-topic but I sometimes wonder if Spraxyt is to PlusNet what the Stig is to Top Gear Wink
Call me 'w23'
At any given moment in the universe many things happen. Coincidence is a matter of how close these events are in space, time and relationship.
Opinions expressed in forum posts are those of the poster, others may have different views.
Superuser
Posts: 9,368
Thanks: 692
Fixes: 51
Registered: 06-04-2007

Re: IDS proto parser :tcp data on syn segment - Security Threat?

Interesting analogy, though I don't own white overalls. Grin
David
Plusnet Alumni (retired) orbrey
Posts: 10,540
Registered: 18-07-2007

Re: IDS proto parser :tcp data on syn segment - Security Threat?

Some say he's a ninja at weekends, and that his sword is so sharp it can only be honed by angling it correctly to catch the light from the sunrise. All we know is...
Moderator
Posts: 26,172
Thanks: 1,322
Fixes: 58
Registered: 14-04-2007

Re: IDS proto parser :tcp data on syn segment - Security Threat?

Grin Nice one Matt.....well up to your usual standard Smiley

Customer and Forum Moderator.