
Strange Happenings

JamesM
Grafter
Posts: 1,103
Registered: ‎24-06-2009

Strange Happenings

I am having difficulty opening web pages and when I look in my router logs I find all these.

09/05/2013 00:24:12  **SYN Flood**
09/05/2013 00:24:12  **SYN Flood** 
09/05/2013 00:24:12  **SYN Flood** 
09/05/2013 00:24:12  **SYN Flood**  (from ATM1 Outbound)
09/05/2013 00:24:12  **SYN Flood** (from ATM1 Outbound)
09/05/2013 00:24:11  **SYN Flood** (from ATM1 Outbound)
09/05/2013 00:24:11  **SYN Flood** (from ATM1 Outbound)
09/05/2013 00:24:11  **SYN Flood** (from ATM1 Outbound)
09/05/2013 00:24:11  **SYN Flood** (from ATM1 Outbound)
09/05/2013 00:24:11  **SYN Flood** (from ATM1 Outbound)
09/05/2013 00:24:11  **SYN Flood** (from ATM1 Outbound)
09/05/2013 00:24:11  **SYN Flood** (from ATM1 Outbound)
09/05/2013 00:24:11  **SYN Flood** (from ATM1 Outbound)
09/05/2013 00:24:11  **SYN Flood** (from ATM1 Outbound)
09/05/2013 00:24:11  **SYN Flood** (from ATM1 Outbound)
09/05/2013 00:24:11  **SYN Flood** (from ATM1 Outbound)
09/05/2013 00:24:11  **SYN Flood** (from ATM1 Outbound)
09/05/2013 00:24:11  **SYN Flood** (from ATM1 Outbound)
09/05/2013 00:24:11  **SYN Flood** (from ATM1 Outbound)
09/05/2013 00:24:11  **SYN Flood** (from ATM1 Outbound)
09/05/2013 00:24:11  **SYN Flood** (from ATM1 Outbound)
09/05/2013 00:24:11  **SYN Flood** (from ATM1 Outbound)
09/05/2013 00:24:11  **SYN Flood** (from ATM1 Outbound)
09/05/2013 00:24:11  **SYN Flood** (from ATM1 Outbound)
09/05/2013 00:24:11  **SYN Flood** (from ATM1 Outbound)
09/05/2013 00:24:11  **SYN Flood** (from ATM1 Outbound)
09/05/2013 00:24:11  **SYN Flood** (from ATM1 Outbound)
09/05/2013 00:24:11  **SYN Flood** (from ATM1 Outbound)
09/05/2013 00:24:11  **SYN Flood** (from ATM1 Outbound)
09/05/2013 00:24:11  **SYN Flood** (from ATM1 Outbound)
09/05/2013 00:24:11  **SYN Flood** (from ATM1 Outbound)
09/05/2013 00:24:11  **SYN Flood** (from ATM1 Outbound)
09/05/2013 00:24:10  **SYN Flood** (from ATM1 Outbound)
09/05/2013 00:23:13  **SYN Flood** (from ATM1 Outbound)
09/05/2013 00:23:04  **SYN Flood** (from ATM1 Outbound)
09/05/2013 00:23:04  **SYN Flood** (from ATM1 Outbound)
09/05/2013 00:23:03  **SYN Flood** (from ATM1 Outbound)
09/05/2013 00:23:02  **SYN Flood** (from ATM1 Outbound)
09/05/2013 00:23:01  **SYN Flood** (from ATM1 Outbound)
09/05/2013 00:22:59  **SYN Flood** (from ATM1 Outbound)
09/05/2013 00:22:59  **SYN Flood** (from ATM1 Outbound)
09/05/2013 00:22:58  **SYN Flood** (from ATM1 Outbound)
09/05/2013 00:22:58  **SYN Flood** (from ATM1 Outbound)
09/05/2013 00:22:58  **SYN Flood** (from ATM1 Inbound)
09/05/2013 00:22:52  **SYN Flood** (from ATM1 Outbound)
09/05/2013 00:22:52  **SYN Flood** (from ATM1 Outbound)
09/05/2013 00:22:52  **SYN Flood** (from ATM1 Outbound)
09/05/2013 00:22:52  **SYN Flood** (from ATM1 Outbound)
09/05/2013 00:22:52  **SYN Flood** (from ATM1 Outbound)
09/05/2013 00:22:52  **SYN Flood** (from ATM1 Outbound)
09/05/2013 00:22:52  **SYN Flood** (from ATM1 Outbound)
09/05/2013 00:22:52  **SYN Flood** (from ATM1 Outbound)
09/05/2013 00:22:52  **SYN Flood** (from ATM1 Outbound)
09/05/2013 00:22:52  **SYN Flood** (from ATM1 Outbound)
09/05/2013 00:22:52  **SYN Flood** (from ATM1 Outbound)
09/05/2013 00:22:52  **SYN Flood**  (from ATM1 Outbound)
09/05/2013 00:22:52  **SYN Flood** (from ATM1 Outbound)
09/05/2013 00:22:52  **SYN Flood** (from ATM1 Outbound)
09/05/2013 00:22:52  **SYN Flood** (from ATM1 Outbound)
I also find these in my Event viewer
"Your computer was not able to renew its address from the network (from the DHCP server)"
"A server error occurred. Check that the server is available."
"The IP address lease for the network card with network address has been denied by the DHCP server (The DHCP server sent a DHCPNACK message)"
"Name resolution for the toredo IPV6.microsoft.com timed out after none of the configured DNS servers responded"
and loads of other "timed out after none of the configured DNS servers responded" isatap.lan, dns.msftncsi.com, isatap.Belkin,
I have tried googling them all but I can't find much info. I don't know whether I am getting DDOS attacked, if there is something wrong with my network, or am I just being paranoid?
adamwalker
Plusnet Help Team
Posts: 16,871
Thanks: 882
Fixes: 221
Registered: ‎27-04-2007

Re: Strange Happenings

Hi JamesM,
I'm not sure if the two things tie together (i.e. what you've seen on the router logs and the browsing issues). But the multiple instances of "**SYN Flood**" usually means the router is picking up multiple attempts to open a TCP connection to the router.
AFAIK that could be the router interpreting an issue with a dropping connection (which isn't really reflected on our connection logs). IMHO that's more likely than a DDOS, but do your router logs not show an originating IP?
Adam
 Adam Walker
 Plusnet Help Team
JamesM
Grafter
Posts: 1,103
Registered: ‎24-06-2009

Re: Strange Happenings

Here you go Adam,
Removed,
                                       
My connection just hangs because of all the traffic. I normally get loads of inbound, but these are nearly all outbound.
Oldjim
Resting Legend
Posts: 38,460
Thanks: 787
Fixes: 63
Registered: ‎15-06-2007

Re: Strange Happenings

My first thought is which machine on the network is generating the outputs and, once it is identified, finding out which application is doing it.
I would also check using Malwarebytes to see if it had any nasties, assuming it is a Win PC.
A quick check via VirusTotal indicates a suspected virus.
JamesM
Grafter
Posts: 1,103
Registered: ‎24-06-2009

Re: Strange Happenings

I have just read this in another forum from 2009: How come the person who this was happening to 4 years ago has the same 192.168.2.2 as me?
"The traffic is being initiated by a box on your network in this instance 192.168.2.2. So the syn flood is actually coming from your network, not the other way around. How many machines are there on your network? Are you able to provide other IPs that show up on the syn flood attack? Might narrow it down a bit more. It's a pain trying to troubleshoot these things remotely when you don't have access to the machine in question. More IPs might point us in the right direction...."
I will check the malwarebytes OJ, also on my network, I have my computer and a Freesat box, Freesat box is turned off at the mains.
Edit, I have just checked my router DHCP client list and my Mobile was on there too, it was not connected though, anyway I have disabled wifi on my router and the syn floods have slowed down to 2 a minute. So it looks like my mobile phone was the culprit. The only thing I use my mobile for though is checking the weather, and occasionally IMDB and I am not on contract so as soon as I check the weather, I turn the wifi off on my phone.
Thanks for pointing me in the right direction, Oldjim.
I am also thinking that my Mobile is causing the event viewer errors too.
Edit 2,
I am still getting loads of SYN floods, it seems to happen as soon as I open up my web browser homepage, MSN. I have installed Malwarebytes and nothing was found.
Oldjim
Resting Legend
Posts: 38,460
Thanks: 787
Fixes: 63
Registered: ‎15-06-2007

Re: Strange Happenings

Can you clarify - is it opening the browser or is it opening the browser with MSN homepage?
If you go away from the homepage or if you change the homepage does it stop?
JamesM
Grafter
Posts: 1,103
Registered: ‎24-06-2009

Re: Strange Happenings

This is what I get when I changed to PN as my homepage and open up my browser.

Seems strange though that it has only just started happening with having MSN as my homepage, as I have had it as my home page for probably 10 years or longer.
With MSN as my homepage
Oldjim
Resting Legend
Posts: 38,460
Thanks: 787
Fixes: 63
Registered: ‎15-06-2007

Re: Strange Happenings

Doesn't seem much different or did it stop after 12:34:57?
JamesM
Grafter
Posts: 1,103
Registered: ‎24-06-2009

Re: Strange Happenings

It stopped at 12:34:57, PN only gave me 4 entries. I then cleared the logs and opened up MSN homepage and that gave me 40 entries.
I guess I will just keep an eye on it and see if it rectifies itself again.
ejs
Aspiring Hero
Posts: 5,442
Thanks: 631
Fixes: 25
Registered: ‎10-06-2010

Re: Strange Happenings

How old is the Belkin? router? Perhaps its threshold for detecting a flood is just too low for modern complex websites. Perhaps MSN changed their homepage to allow all the links on it to be prefetched, resulting in loading the MSN webpage causing more connections to be made.
JamesM
Grafter
Posts: 1,103
Registered: ‎24-06-2009

Re: Strange Happenings

I bought it when I was switched to ADSL2 so maybe 3 - 4 years, I can't find on my account when I switched to 21CN, as that is when I bought the router.
This is what happens when I fire up a game online.

and it just keeps going, I am wondering if all this bandwidth being used is affecting my gaming like it is leaving web pages hanging?
Edit, Now I am ingame, the floods have stopped, so it has nothing to do with gaming. Maybe you are right ejs, the Belkin has strange security and decides to tell you everything, and really it is no big deal. Maybe it happens to everyone, but only the Belkin routers make note of it. I guess the only thing about it that bothers me is, it stops for a few weeks then comes back with a vengeance, and when it comes back, that is when webpages fail to open as though the floods are taking so much bandwidth that it slows my internet to a crawl, but it is only some webpages some of the time, for example I will try and open the creative soundblaster website and it will just hang until an error comes up, yet I can open other pages. When I try and open PN it will just hang, then 5 minutes later it will open as quick as a flash.
Three or four months until I get fibre (fingers crossed) so I will be buying an ASUS router.
                                       
ejs
Aspiring Hero
Posts: 5,442
Thanks: 631
Fixes: 25
Registered: ‎10-06-2010

Re: Strange Happenings

I think you've misunderstood what I said earlier. I was suggesting that your problem is that the Belkin router is incorrectly classing valid attempts to open webpages as floods. It's not the Belkin router telling you everything that other routers don't, nor is it that these floods are taking up the bandwidth. It's a false positive from the router firewall, it's blocking traffic it should be allowing.
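The questions this thread keeps returning to (are the entries mostly outbound, and do they arrive in short bursts such as a page load) can be answered by tallying the router log by direction and by second. This is an added example, not part of any post here: the line shape is copied from the log in the first post, while the day/month/year date order, the burst cut-off of 5 and the sample lines are assumptions constructed for illustration.

```python
import re
from collections import Counter
from datetime import datetime

# Line shape copied from the router log in the first post; the
# "(from <interface> <direction>)" suffix is optional, as it is there.
LINE_RE = re.compile(
    r"^(\d{2}/\d{2}/\d{4} \d{2}:\d{2}:\d{2})\s+\*\*SYN Flood\*\*"
    r"\s*(?:\(from (\S+) (Inbound|Outbound)\))?$"
)

def parse(lines):
    """Yield (timestamp, interface, direction) for each recognised line."""
    for line in lines:
        m = LINE_RE.match(line.strip())
        if m is None:
            continue  # not a SYN Flood entry
        # Assumption: the router writes dates as day/month/year.
        ts = datetime.strptime(m.group(1), "%d/%m/%Y %H:%M:%S")
        yield ts, m.group(2) or "unknown", m.group(3) or "unknown"

def summarise(lines, burst_threshold=5):
    """Count entries per direction and list seconds with a burst of entries."""
    events = list(parse(lines))
    by_direction = Counter(direction for _, _, direction in events)
    per_second = Counter((ts, direction) for ts, _, direction in events)
    bursts = sorted(
        (ts, direction, n)
        for (ts, direction), n in per_second.items()
        if n >= burst_threshold  # assumed cut-off, not a router setting
    )
    return {"total": len(events), "by_direction": dict(by_direction), "bursts": bursts}

# Constructed sample in the same format as the log posted above.
SAMPLE = (
    ["09/05/2013 00:24:12  **SYN Flood**"]
    + ["09/05/2013 00:24:11  **SYN Flood** (from ATM1 Outbound)"] * 6
    + ["09/05/2013 00:23:04  **SYN Flood** (from ATM1 Outbound)"] * 2
    + ["09/05/2013 00:22:58  **SYN Flood** (from ATM1 Inbound)",
       "09/05/2013 00:22:58  **SYN Flood** (from ATM1 Outbound)",
       "not a log line"]
)

if __name__ == "__main__":
    report = summarise(SAMPLE)
    print(report["total"], report["by_direction"])
    for ts, direction, n in report["bursts"]:
        print(f"{ts:%H:%M:%S} {direction}: {n} entries in one second")
```

Comparing the burst list against the times a browser or application was opened shows whether the entries track ordinary connection bursts or continue when nothing on the LAN is active.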
JamesM
Grafter
Posts: 1,103
Registered: ‎24-06-2009

Re: Strange Happenings

Thanks ejs, I have got it now, what I have done is turn my router firewall off and then back on again and all the SYN floods have stopped. I haven't a clue why that has fixed it, but at least I know what to do in the future when it starts happening again.