Discussion in 'Cisco Small Business Routers and VPN Solutions' started by mhakman, Oct 10, 2006.

  1. mhakman

    mhakman Network Guru Member

    I just upgraded firmware in my RV082 to version 1.3.2. In my syslog I get a lot of messages like this:

    RGFW_RATELIMIT: x messages of type BLOCK-SYNFLOOD reported y second(s) ago.

    I don’t see these messages in the internal logs in RV082, only in syslog.

    It seems improbable that I’m under almost constant synflood attack. Could anybody explain what this message means in this case, what is its cause, and what is its effect?
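    An added example (not posted by anyone in this thread) that parses the RGFW_RATELIMIT lines quoted above out of a syslog file and turns the "x messages ... y second(s) ago" pairs into per-report rates, so a steady trickle of a few suppressed events per minute can be told apart from a genuine burst; the sample lines, host name and the 100 events/second threshold are constructed assumptions, not values from the router.

```python
import re
from collections import defaultdict

# Constructed sample syslog lines in the shape quoted in the first post;
# the timestamps, host name and counts are made up for this example.
SAMPLE_SYSLOG = """\
Oct 10 08:01:12 rv082 RGFW_RATELIMIT: 3 messages of type BLOCK-SYNFLOOD reported 60 second(s) ago.
Oct 10 08:02:13 rv082 RGFW_RATELIMIT: 2 messages of type BLOCK-SYNFLOOD reported 61 second(s) ago.
Oct 10 08:03:14 rv082 RGFW_RATELIMIT: 4 messages of type BLOCK-SYNFLOOD reported 61 second(s) ago.
Oct 10 08:03:20 rv082 RGFW_RATELIMIT: 1200 messages of type BLOCK-SYNFLOOD reported 5 second(s) ago.
Oct 10 08:04:00 rv082 kernel: some unrelated line
"""

RATELIMIT_RE = re.compile(
    r"RGFW_RATELIMIT: (?P<count>\d+) messages of type (?P<kind>[A-Z-]+) "
    r"reported (?P<secs>\d+) second\(s\) ago\."
)


def parse_ratelimit(line):
    """Return (kind, count, seconds) for a RGFW_RATELIMIT line, else None."""
    m = RATELIMIT_RE.search(line)
    if not m:
        return None
    return m.group("kind"), int(m.group("count")), int(m.group("secs"))


def summarize(lines, flood_rate=100.0):
    """Per message type: total suppressed events and the rates of reports
    that exceed flood_rate (events/second).

    flood_rate is an assumed threshold for a report worth a closer look;
    the router's own internal threshold is not documented in the thread.
    """
    totals = defaultdict(int)
    suspicious = defaultdict(list)
    for line in lines:
        parsed = parse_ratelimit(line)
        if parsed is None:
            continue
        kind, count, secs = parsed
        totals[kind] += count
        rate = count / max(secs, 1)  # guard against a zero-second interval
        if rate >= flood_rate:
            suspicious[kind].append(rate)
    return dict(totals), dict(suspicious)


if __name__ == "__main__":
    totals, high = summarize(SAMPLE_SYSLOG.splitlines())
    for kind, total in totals.items():
        print(f"{kind}: {total} suppressed events, {len(high.get(kind, []))} high-rate report(s)")
```

    Three of the constructed reports work out to well under one event per second, which is the kind of background noise the thread describes, while the fourth is flagged.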

  2. net_eng

    net_eng Network Guru Member

    This happens a lot and is not necessarily an attack. On my network when dozens of Windows PCs broadcast NetBIOS, my rv042 also sends the synflood alert to syslog. It's basically when many simultaneous connections or traffic occur and reach the router, the router thinks it's an attack and will log it as a syn-flood even if it's not directed at the router.

    It would be nice to "tweak" these so you can avoid false positives.

    You can either put in access rules to allow or deny and not log if you can determine what the traffic is that is causing it, have your syslog server/software not log it or live with it :)
  3. mhakman

    mhakman Network Guru Member

    Many thanks for the explanation. Let me continue this topic in hope that Linksys engineers will read it.

    The question is not so much about logging of this false synflood as such but what does the router do when it thinks it is being flooded. Does it shut down reception for a while? If so then these false synfloods should affect the performance? If the router does not block reception for a while then where is the defense in a real synflood case?

    I log all the packets, both accepted and denied, so I can see that there are only a small number of packets per second in all, then how can the router draw the conclusion that there is a synflood attack going on? I would expect hundreds if not thousands of attempted TCP connections in order to judge this as a synflood attack. In my case we are talking about less than one packet per second (if the log shows them all). Most of the packets are accepted as they should be and most of the incoming packets are the result of some outgoing connection. Then there is some internal NetBIOS and other traffic not shown in the log but this is internal so it shouldn’t cause an alert. Then there is some unwanted incoming traffic (NetBIOS and other things) which is denied as it should be but this is very little. At last there is some IGMP traffic that the router accepts for some reason. I cannot understand how this ebb could be interpreted as a flood.

    Also I didn’t have this behavior when using previous firmware version. To me it looks like a bug.

    Isn’t NetBIOS UDP traffic? Doesn’t synflood need TCP? Isn’t SYN used only in a TCP connection request? How do you say SYN in UDP?
  4. net_eng

    net_eng Network Guru Member

    I believe regardless of allow or deny, it appears it keeps track of connections and when a threshold is crossed, it sends an alert. It would be nice to be able to manually change this. I don't think it's in the hundreds or thousands as one would imagine would be a flood but I don't know. I am going to try and create my own flood (starting with ICMP, then TCP then UDP) to see if I can trigger an alert.

    I used Ethereal to look at traffic and I only saw NetBIOS before and after the alert triggered though it could be a coincidence (if it's delayed), I will look into this in more detail.

    IGMP: it's allowed by default incoming. The only way I have found to block this is to put in a default deny-all incoming access rule after all my allows. It's there for multicast but it should be disallowed unless you enabled multicast forwarding. It's to avoid support calls I guess.

    I will post anything new I find.
  5. mhakman

    mhakman Network Guru Member

    I posted following question to Linksys Technical Support:

    “Would you please explain the technical details of when and how these messages are generated? If possible, I would like to know what protocols on what interfaces with what packet frequency cause this message. Also, what does the router do besides generating messages; does it block reception of network packets for a while? Only the offending type/address of packets or all?”

    I’ll keep this thread informed about the results.
  6. WmArnold1

    WmArnold1 LI Guru Member

    Hi - I've been getting these SYN_FLOOD blocks ever since I upgraded to v1.3.2 too

    The real PROBLEM is that they can't be turned off - even when you disable the DOS alarms on the firewall settings page. [sigh]

    Today; I upgraded to v1.3.3.5 - and, SYN_FLOOD's are still being reported.

    Btw, I'm using P2P software ==> www.bitComet.com - Are you using any P2P software that utilizes a distributed hash table?

    Looking forward to your reply,

    William Arnold ~ Indianapolis
  7. mhakman

    mhakman Network Guru Member

    Not as far as I know. I get these messages even when there is almost no traffic at all, at least no traffic reported in the logs.

    I got an answer from “first line” Linksys Technical Support that they passed my question to development. So, I’m waiting for their response now. I’ll publish the response here as soon as I get it.
