Please help me! Syn floods from Vietnam :o

Discussion in 'Tomato Firmware' started by darkknight93, May 12, 2013.

  1. darkknight93

    darkknight93 Networkin' Nut Member

    Good afternoon!

    I have never been more confused than today. I wondered why my Asus RT-N66U is responding so extremely slowly - the web interface took approx. 5 min to load, CPU load was 2/2/2!!

    Here's a screenshot from Wireshark at that time. I recorded 10 seconds and received 83 466 SYN requests!
    I'm really confused WHY I see that on my local network! I have the public IP 178.27.218.x8! I have Tunnelbroker (Hurricane Electric) but there is not a single IPv6 address listed...

    Can anyone explain to me what sh*t that is? SYN flooding? DDoS? But why on these IPs? Why me? <-- Okay this sounds religious a little bit :eek:


    Is there any way to block SYN floods via iptables?

    Many thanks in advance!
  2. philess

    philess Networkin' Nut Member

    darkknight93 likes this.
  3. darkknight93

    darkknight93 Networkin' Nut Member

    Thanks for your response! I've just enabled "SYN Cookies". At the moment I'm trying to figure out how they work and what they do, but the basic idea is kind of cool, I have to say!

    Are SYN floods normal? Or is there any reason now to worry about that? I mean... I don't want to be a "target" ^^

    Does Tomato log anywhere when a SYN flood is happening, in the syslog e.g.? :)
  4. philess

    philess Networkin' Nut Member

    I don't think there is reason to be worried in your case, it will probably stop after a while.
    It doesn't help that using Tunnelbroker requires your router to respond to ping when
    it is updating the tunnel endpoint. Maybe it would help if you used a custom script
    in WANUP instead of using the built-in DDNS settings.

    - Enable "Respond to PING" in nvram
    - Restart Firewall service
    - Update Tunnelbroker with new IP
    - Disable "Respond to PING"
    - Restart Firewall service again

    Probably there is a more elegant way to do this, it's just an idea on my part.
    Not responding to pings certainly could reduce the chance for some random kid to
    target your public IP, but of course it's not guaranteed. Just less likely I think.

    I don't think Tomato can watch out for SYN floods by itself, but I think there are
    additional tools that you could use for that. Might not be easy to set up tho.
    darkknight93 likes this.
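    The five steps above, written out as one WANUP script. This is an added example, not philess's own script or anything shipped with Tomato. It assumes (check against your firmware) that Tomato's "Respond to ICMP ping" option is the nvram variable block_wan (1 = do not respond), that "service firewall restart" reloads the firewall, and that Hurricane Electric's endpoint update URL is https://ipv4.tunnelbroker.net/nic/update; the HE username, update key and tunnel id are placeholders.

```shell
#!/bin/sh
# Added example (not from the thread): Tomato WANUP script that opens the WAN ping
# window only for the moment the tunnel endpoint is pushed to Hurricane Electric.
# Assumptions: nvram block_wan controls "Respond to ICMP ping" (1 = blocked),
# "service firewall restart" reloads the firewall, HE update URL as below.

HE_USER="${HE_USER:-your-he-username}"             # placeholder
HE_UPDATE_KEY="${HE_UPDATE_KEY:-your-update-key}"  # placeholder (HE "update key")
HE_TUNNEL_ID="${HE_TUNNEL_ID:-123456}"             # placeholder tunnel id

# run: execute the command, or just print it when DRY_RUN=1 (lets you review the
# sequence on a PC before putting it on the router).
run() {
  if [ "${DRY_RUN:-0}" = "1" ]; then
    printf '%s\n' "$*"
  else
    "$@"
  fi
}

# set_wan_ping on|off: flip the nvram flag and reload the firewall so it takes effect.
# No "nvram commit": the change only needs to live until the next reload, and
# skipping commit avoids writing flash on every WAN-up event.
set_wan_ping() {
  case "$1" in
    on)  run nvram set block_wan=0 ;;
    off) run nvram set block_wan=1 ;;
    *)   echo "usage: set_wan_ping on|off" >&2; return 2 ;;
  esac
  run service firewall restart
}

# HE pings the new endpoint before accepting it; the new IPv4 is taken from the
# source address of this request, so it must be sent from the WAN side.
update_tunnelbroker() {
  run curl -sS -u "$HE_USER:$HE_UPDATE_KEY" \
    "https://ipv4.tunnelbroker.net/nic/update?hostname=$HE_TUNNEL_ID"
}

# The whole procedure. Ping is switched off again even if the update failed,
# so a failed update never leaves the router answering pings permanently.
wanup_tunnel_refresh() {
  set_wan_ping on
  update_tunnelbroker
  status=$?
  set_wan_ping off
  return $status
}

# On the router, end the WANUP script with a plain "wanup_tunnel_refresh" call.
# For testing elsewhere: DRY_RUN=1 sh this_script.sh apply
if [ "${1:-}" = "apply" ]; then
  wanup_tunnel_refresh
fi
```

    Run it once with DRY_RUN=1 and the "apply" argument to see the exact nvram, service and curl commands in order before trusting it on the router; the ping window stays open only for the duration of the curl call.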
  5. darkknight93

    darkknight93 Networkin' Nut Member

    In fact, thanks for your input! I have the following iptables rule to only allow ping from the Tunnelbroker HE services:

    #Tunnelbroker Ping
    # note: the source address that belongs after -s is missing from the post as extracted
    iptables -I INPUT 2 -s -p icmp -j ACCEPT
    I now changed my public SSH access to a random port, so port 22 is closed now too. Let's just grab a shield and hide behind it :)
    philess likes this.
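    Putting the thread's pieces together on the router side: SYN cookies (post 3), a rate limit on SYNs that reach the router itself (the question in post 1), a log line so the syslog shows when the limit trips (post 3), and the ICMP rule from post 5 with the HE address filled in. This is an added example, not darkknight93's configuration; it assumes the router's iptables has the limit and LOG targets (standard in Tomato builds) and uses 203.0.113.1 as a placeholder for the HE tunnel server address, which you take from your tunnelbroker.net tunnel details.

```shell
#!/bin/sh
# Added example (not from the thread): SYN-flood mitigation for the router itself.
# Assumptions: iptables with the "limit" match and LOG target; HE_TUNNEL_SERVER is a
# placeholder (TEST-NET-3) to be replaced with the real HE tunnel server IPv4.

HE_TUNNEL_SERVER="${HE_TUNNEL_SERVER:-203.0.113.1}"   # placeholder
SYN_RATE="${SYN_RATE:-30/second}"   # new connections/s the router accepts for itself
SYN_BURST="${SYN_BURST:-60}"        # short burst allowed above that rate

# run: execute, or print the command when DRY_RUN=1 (review before applying).
run() {
  if [ "${DRY_RUN:-0}" = "1" ]; then
    printf '%s\n' "$*"
  else
    "$@"
  fi
}

# Kernel side. With SYN cookies the router answers a SYN without keeping half-open
# state, so a flood cannot exhaust the backlog. When cookies kick in, the kernel
# writes "Possible SYN flooding on port N. Sending cookies." to the kernel log.
enable_syn_cookies() {
  run sysctl -w net.ipv4.tcp_syncookies=1
  run sysctl -w net.ipv4.tcp_max_syn_backlog=2048
}

# Firewall side. SYN_LIMIT: SYNs within the rate return to INPUT and are handled
# normally; the excess is logged (at most once a minute) and dropped. Only INPUT is
# filtered, i.e. traffic aimed at the router itself, which is what burned its CPU.
install_syn_rules() {
  run iptables -N SYN_LIMIT 2>/dev/null
  run iptables -F SYN_LIMIT    # idempotent: safe to re-run from a firewall script
  run iptables -A SYN_LIMIT -m limit --limit "$SYN_RATE" --limit-burst "$SYN_BURST" -j RETURN
  run iptables -A SYN_LIMIT -m limit --limit 1/minute -j LOG --log-prefix "SYN_FLOOD: "
  run iptables -A SYN_LIMIT -j DROP
  run iptables -I INPUT 1 -p tcp --syn -j SYN_LIMIT
  # Post 5's rule with the address present: echo requests are answered only for the
  # HE tunnel server, so "Respond to ping" can stay off for everyone else.
  run iptables -I INPUT 2 -s "$HE_TUNNEL_SERVER" -p icmp --icmp-type echo-request -j ACCEPT
}

# Apply both when invoked as: sh this_script.sh apply   (DRY_RUN=1 to preview)
if [ "${1:-}" = "apply" ]; then
  enable_syn_cookies
  install_syn_rules
fi
```

    The limit match is a single global bucket, not per source, so one flood also delays legitimate new connections to the router until the burst refills; if the build has the hashlimit match, "-m hashlimit --hashlimit-mode srcip" gives a per-source bucket instead. Forwarded traffic to LAN hosts is untouched by these rules.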
  6. philess

    philess Networkin' Nut Member

    Oh that's actually a nice and clever approach! Thanks for posting that rule.
  7. Marcel Tunks

    Marcel Tunks Networkin' Nut Member

    I think somebody was just trying to test your cooling solution. Maybe time to break out the dry ice again?

    Seriously though, I learned a lot from this brief thread. Good work guys (and fast, too!)
  8. darkknight93

    darkknight93 Networkin' Nut Member
