
TCP SYN FLOOD? I need help.

Discussion in 'Networking' started by cajun190, May 25, 2007.

Thread Status:
Not open for further replies.
  1. cajun190

    cajun190 Thread Starter

    Joined:
    May 21, 2007
    Messages:
    6
    New member here. I have tried to solve this problem via internet search and my own uninformed efforts, without much luck, and am hoping someone here can help me. If this isn't the right forum for this question, please advise. I have had a home network with an older Belkin router serving 2 wireless PCs (family) and one wired PC (my main PC). I am using standard DHCP modes etc. Some time ago we started experiencing occasional strange outages on the PCs for which I had no good explanation: IE would just quit working for no obvious reason and the PC would need to be rebooted etc. to get IE browser connections. Shortly thereafter my son's PC obviously became infected (Happy 888 plus other gremlins), which got me seriously involved with finding out what was going wrong. I have cleaned all 3 PCs using all the usual cleaners and HJT, while keeping the wireless PCs offline. This is when I was able to catch the current problem (I think) on my wired PC [WinXP S1A]. Whatever the problem is, it has been shutting down the IE connection about once a day. After a recent shutdown I looked at the security log of the router and this is what it revealed (xxx.xxx is my redaction):

    2007/05/23 12:13:09 ** TCP SYN Flooding ** <IP/TCP> 199.203.243.104:80 ->> 76.187.xxx.xxx:46029
    2007/05/23 12:14:18 ** TCP SYN Flooding ** <IP/TCP> 192.168.2.4:3286 ->> 199.203.243.104:80
    2007/05/23 12:14:49 ** TCP SYN Flooding ** <IP/TCP> 192.168.2.4:3358 ->> 199.203.243.104:80
    2007/05/23 12:14:49 ** TCP SYN Flooding ** <IP/TCP> 199.203.243.104:80 ->> 76.187.xxx.xxx:40396
    2007/05/23 12:16:37 ** TCP SYN Flooding ** <IP/TCP> 199.203.243.104:80 ->> 76.187.xxx.xxx:40973
    2007/05/23 12:19:56 ** TCP SYN Flooding ** <IP/TCP> 192.168.2.4:3564 ->> 199.203.243.104:80

    After doing some searching I think I understand the problem but don't yet know how to stop or at least reduce this DOS flood attack (or understand why it is me receiving it :mad: ).

    Am I on the right path ? Is there any possible solution to this ? Thanks in advance for any advice.
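The six router lines above, as an added example that is not part of the original post: a small parser that separates the two things a home router tends to label "TCP SYN Flooding", namely a LAN host's own connections to one web server (plus that server's replies back to the host's ephemeral ports), and a genuine inbound flood, which shows many distinct source addresses aimed at one local port. The LAN subnet 192.168.2.0/24 is assumed from the 192.168.2.4 address in the log, the masked WAN address 76.187.xxx.xxx is replaced by the documentation address 198.51.100.7, and the second log is constructed to show what a real flood looks like in the same format.

```python
import ipaddress
import re
from collections import defaultdict

# Assumption: the Belkin LAN is 192.168.2.0/24 (the post shows 192.168.2.4 as the wired PC).
LAN_NET = ipaddress.ip_network("192.168.2.0/24")

# Constructed sample: the six lines from the post, with the masked WAN address
# (76.187.xxx.xxx) replaced by the documentation address 198.51.100.7.
SAMPLE_LOG = """\
2007/05/23 12:13:09 ** TCP SYN Flooding ** <IP/TCP> 199.203.243.104:80 ->> 198.51.100.7:46029
2007/05/23 12:14:18 ** TCP SYN Flooding ** <IP/TCP> 192.168.2.4:3286 ->> 199.203.243.104:80
2007/05/23 12:14:49 ** TCP SYN Flooding ** <IP/TCP> 192.168.2.4:3358 ->> 199.203.243.104:80
2007/05/23 12:14:49 ** TCP SYN Flooding ** <IP/TCP> 199.203.243.104:80 ->> 198.51.100.7:40396
2007/05/23 12:16:37 ** TCP SYN Flooding ** <IP/TCP> 199.203.243.104:80 ->> 198.51.100.7:40973
2007/05/23 12:19:56 ** TCP SYN Flooding ** <IP/TCP> 192.168.2.4:3564 ->> 199.203.243.104:80
"""

# Constructed sample of a real inbound SYN flood in the same format: many distinct
# (here 203.0.113.x) sources hitting one local port within seconds.
FLOOD_LOG = "\n".join(
    f"2007/05/23 13:00:{i:02d} ** TCP SYN Flooding ** <IP/TCP> 203.0.113.{i}:{40000 + i} ->> 198.51.100.7:80"
    for i in range(1, 13)
)

LINE_RE = re.compile(
    r"^(?P<ts>\d{4}/\d{2}/\d{2} \d{2}:\d{2}:\d{2}) \*\* (?P<event>.+?) \*\* "
    r"<IP/TCP> (?P<src>[\d.]+):(?P<sport>\d+) ->> (?P<dst>[\d.]+):(?P<dport>\d+)$"
)


def parse(text):
    """Parse router log lines; direction is decided by whether the source is on the LAN."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue  # not a record in this format; ignore
        src = ipaddress.ip_address(m["src"])
        events.append({
            "ts": m["ts"],
            "src": m["src"], "sport": int(m["sport"]),
            "dst": m["dst"], "dport": int(m["dport"]),
            "direction": "outbound" if src in LAN_NET else "inbound",
        })
    return events


def summarize(events):
    """Group flows by the non-LAN peer, counting each direction and the peer's ports.

    A LAN host talking to one remote web server, and that server's SYN/ACKs coming
    back to the host's ephemeral ports, both land under the same peer here.
    """
    peers = defaultdict(lambda: {"outbound": 0, "inbound": 0, "remote_ports": set()})
    for e in events:
        if e["direction"] == "outbound":
            peer, port = e["dst"], e["dport"]
        else:
            peer, port = e["src"], e["sport"]
        peers[peer][e["direction"]] += 1
        peers[peer]["remote_ports"].add(port)
    return dict(peers)


def looks_like_flood(events, min_sources=10):
    """Heuristic: a genuine inbound SYN flood shows many distinct (often spoofed)
    source addresses aimed at one local port. Returns (local_port, source_count)
    for the busiest local port if it reaches the threshold, else None."""
    sources_per_port = defaultdict(set)
    for e in events:
        if e["direction"] == "inbound":
            sources_per_port[e["dport"]].add(e["src"])
    if not sources_per_port:
        return None
    port, srcs = max(sources_per_port.items(), key=lambda kv: len(kv[1]))
    return (port, len(srcs)) if len(srcs) >= min_sources else None


if __name__ == "__main__":
    for name, log in (("post", SAMPLE_LOG), ("constructed flood", FLOOD_LOG)):
        ev = parse(log)
        print(name, summarize(ev), looks_like_flood(ev))
```

On the post's lines the only peer is 199.203.243.104, every remote port is 80, and the inbound events land on high ephemeral ports, which is the shape of a host's own web traffic rather than an attack; the constructed flood trips the heuristic because twelve different sources target port 80.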
     
  2. O111111O

    O111111O

    Joined:
    Aug 26, 2005
    Messages:
    894
    Download tcpview from Microsoft.

    Looks like the events you're receiving are caused by you. The messages you're receiving are the tail end of SYN/ACKs or unreachables caused by one of your hosts trying to attach to random destination IPs.

    (You probably still have a virus.)

    ---

    Just to be sure. Get tcpview. See if any of your systems have a huge amount of TCP wait or TCP SYNs queued up.
     
  3. jason2713

    jason2713

    Joined:
    May 25, 2007
    Messages:
    92
    This sounds great. I hope this works, please let us know.
     
  4. cajun190

    cajun190 Thread Starter

    Joined:
    May 21, 2007
    Messages:
    6
    Thanks 01... I have no idea what this view means, although the lsass isakmp looks like nothing that should be showing.... As I was further observing I saw a large number of TIME WAITs appear for this forum and a number of localhost numbers, whatever that means?

    alg.exe:1556 TCP office-main:3004 office-main:0 LISTENING
    avgemc.exe:1648 TCP office-main:10110 office-main:0 LISTENING
    Ensign.exe:2832 TCP office-main:3022 office-main:0 LISTENING
    Ensign.exe:2832 TCP office-main:3022 localhost:7496 ESTABLISHED
    iexplore.exe:2456 UDP office-main:4923 *:*
    iexplore.exe:2916 UDP office-main:3366 *:*
    javaw.exe:2244 TCP office-main:3019 office-main:0 LISTENING
    javaw.exe:2244 TCP office-main:3020 office-main:0 LISTENING
    javaw.exe:2244 TCP office-main:3021 office-main:0 LISTENING
    javaw.exe:2244 TCP office-main:7496 office-main:0 LISTENING
    javaw.exe:2244 TCP office-main:7496 localhost:3022 ESTABLISHED
    javaw.exe:2244 TCP office-main.belkin:3019 gw1.ibllc.com:4000 ESTABLISHED
    javaw.exe:2244 TCP office-main.belkin:3020 mktgw1.ibllc.com:4000 ESTABLISHED
    javaw.exe:2244 TCP office-main.belkin:3021 mktgw1.ibllc.com:4000 ESTABLISHED
    lsass.exe:748 UDP office-main:isakmp *:*
    mirc.exe:3888 TCP office-main:3276 office-main:0 LISTENING
    mirc.exe:3888 TCP office-main.belkin:3276 othernetfn.com:6667 ESTABLISHED
    MSIMN.EXE:2628 UDP office-main:3043 *:*
    svchost.exe:1028 TCP office-main:1025 office-main:0 LISTENING
    svchost.exe:1028 TCP office-main:3005 office-main:0 LISTENING
    svchost.exe:1028 TCP office-main:3006 office-main:0 LISTENING
    svchost.exe:1028 UDP office-main:3249 *:*
    svchost.exe:1028 UDP office-main:ntp *:*
    svchost.exe:1028 UDP office-main.belkin:ntp *:*
    svchost.exe:1240 UDP office-main:1026 *:*
    svchost.exe:1240 UDP office-main:3387 *:*
    svchost.exe:1240 UDP office-main:4830 *:*
    svchost.exe:1272 TCP office-main:5000 office-main:0 LISTENING
    svchost.exe:1272 UDP office-main:1900 *:*
    svchost.exe:1272 UDP office-main.belkin:1900 *:*
    svchost.exe:928 TCP office-main:epmap office-main:0 LISTENING
    System:4 TCP office-main:microsoft-ds office-main:0 LISTENING
    System:4 TCP office-main:1029 office-main:0 LISTENING
    System:4 TCP office-main.belkin:netbios-ssn office-main:0 LISTENING
    System:4 UDP office-main:microsoft-ds *:*
    System:4 UDP office-main.belkin:netbios-ns *:*
    System:4 UDP office-main.belkin:netbios-dgm *:*
    vsmon.exe:1776 TCP office-main:3009 office-main:0 LISTENING
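A check for what the earlier reply asks for (a host with a huge number of SYNs queued), as an added example and not code from the post: it parses rows in the TCPView copy format shown above, counts socket states per process, and flags any process holding many half-open (SYN_SENT) connections fanned out to many hosts, which is how a scanning or spamming infection looks in TCPView. The rows from the post are a subset of the output above; the "bot.exe" rows and the threshold of 20 are constructed and assumed.

```python
import re
from collections import Counter, defaultdict

# Constructed sample: a handful of rows copied from the TCPView output in the post,
# in TCPView's "process:pid proto local remote [state]" copy format. UDP rows carry no state.
SAMPLE_ROWS = """\
alg.exe:1556 TCP office-main:3004 office-main:0 LISTENING
Ensign.exe:2832 TCP office-main:3022 office-main:0 LISTENING
Ensign.exe:2832 TCP office-main:3022 localhost:7496 ESTABLISHED
iexplore.exe:2456 UDP office-main:4923 *:*
javaw.exe:2244 TCP office-main.belkin:3019 gw1.ibllc.com:4000 ESTABLISHED
lsass.exe:748 UDP office-main:isakmp *:*
mirc.exe:3888 TCP office-main.belkin:3276 othernetfn.com:6667 ESTABLISHED
svchost.exe:1028 TCP office-main:1025 office-main:0 LISTENING
System:4 TCP office-main:microsoft-ds office-main:0 LISTENING
"""

# Constructed sample of the pattern to look for: one process with a pile of half-open
# (SYN_SENT) connections to many hosts on one port. "bot.exe" and PID 3921 are invented.
BOT_ROWS = "\n".join(
    f"bot.exe:3921 TCP office-main.belkin:{4000 + i} 203.0.113.{i}:25 SYN_SENT"
    for i in range(1, 31)
)

ROW_RE = re.compile(
    r"^(?P<proc>\S+):(?P<pid>\d+)\s+(?P<proto>TCP|UDP)\s+"
    r"(?P<local>\S+)\s+(?P<remote>\S+)(?:\s+(?P<state>[A-Z_]+))?\s*$"
)


def parse_tcpview(text):
    """Parse TCPView copy-format rows. Process names containing spaces are not handled."""
    rows = []
    for line in text.splitlines():
        m = ROW_RE.match(line.strip())
        if not m:
            continue
        rows.append({
            "proc": m["proc"],
            "pid": int(m["pid"]),
            "proto": m["proto"],
            "local": m["local"],
            "remote": m["remote"],
            "state": m["state"],  # None for UDP rows
        })
    return rows


def per_process_states(rows):
    """Count TCP states per (process, pid); UDP sockets are counted under 'UDP'."""
    counts = defaultdict(Counter)
    for r in rows:
        counts[(r["proc"], r["pid"])][r["state"] or "UDP"] += 1
    return dict(counts)


def flag_syn_backlog(rows, threshold=20):
    """Return (proc, pid, syn_sent_count, distinct_remote_hosts) for every process
    whose SYN_SENT count reaches the threshold. A healthy desktop has a few at most;
    a bot probing or spamming shows dozens, spread over distinct hosts."""
    syn = defaultdict(list)
    for r in rows:
        if r["state"] == "SYN_SENT":
            syn[(r["proc"], r["pid"])].append(r["remote"].rsplit(":", 1)[0])
    flagged = []
    for (proc, pid), remotes in syn.items():
        if len(remotes) >= threshold:
            flagged.append((proc, pid, len(remotes), len(set(remotes))))
    return flagged


if __name__ == "__main__":
    for name, text in (("post", SAMPLE_ROWS), ("constructed bot", BOT_ROWS)):
        rows = parse_tcpview(text)
        print(name, per_process_states(rows), flag_syn_backlog(rows))
```

Nothing in the post's rows is in SYN_SENT, so the check returns nothing for them; the same code applied to the constructed rows returns the offending process with 30 half-open connections to 30 different hosts.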
     
  5. O111111O

    O111111O

    Joined:
    Aug 26, 2005
    Messages:
    894
    Ok. Well. This PC looks ok. Java is connected to your day trader, and the TCP SYN flood you show is a technology holding firm. I should have looked at that a bit closer. The SYN flood is probably a false alarm.

    The TCP FIN-WAITs are pretty normal. It's what happens when a connection is closed.

    What you're looking for is an inordinate amount of TCP SYNs.

    Your original post stated that you had 3 PCs.....?

    ---

    Before you start on the other PC's. Is it safe to assume that everything is working ok right now with this one PC or are you currently having issues with just this one PC up?
     
  6. cajun190

    cajun190 Thread Starter

    Joined:
    May 21, 2007
    Messages:
    6
    Thanks, I currently have one wireless PC and this cat5 connection online.... When I did lose IE connectivity the wireless PC was not hindered and worked normally (if that helps). I have to reboot this PC to use IE when the problem happens; nothing I do with restarting the modem or router helps. Where on this view do I see the TCP SYNs you mentioned? When I ran netstat yesterday I saw some very large TIME WAIT numbers (6 figures) for some of the connections. I presume those were numbers of seconds?
     
  7. O111111O

    O111111O

    Joined:
    Aug 26, 2005
    Messages:
    894
    Ok. So it's probably localized to this PC. So, methinks we're heading in the wrong direction.

    TCPVIEW is essentially netstat. The difference is that it's graphical, easy to window, runs in real time and shows you what process is attached.

    When this happens again, fire up TCPVIEW and see what it says. Or, keep it running.

    The TimeWait # should be the source port number/sequence. You should only see those for a max of 5 minutes or so. The IP stack of your OS should close those out.

    This PC is wired, correct?

    When IE "quits working", are you able to ping anything from the command line (including your default gateway)?
     
  8. cajun190

    cajun190 Thread Starter

    Joined:
    May 21, 2007
    Messages:
    6
    As I mentioned, when this happened the last time and IE quit responding (yesterday) some of the time wait numbers were huge and were just counting down.... I left the PC in the non-functioning state for a couple of hours; all that changed was the time wait numbers reduced a bit, so I finally gave up and rebooted, assuming it was just counting time down (told you I don't know much about this stuff, but learning fast :) Yes, this PC is wired to the router. As for the "ping", I did use ipconfig and netstat and received info while IE was in the suspended state, but no CMD direct pings to the router or external IP. My mIRC connections and financial connections continued to work; just IE cratered. Also I see the UDP connections on tcpview show no info. Is that because I have UDP blocked at the router (I thought that was only for external connections coming in)?
    Thanks so much for your help. The best thing now is to wait for another episode and do ping and tcpview at that time? Anything else, like ipconfig etc.? I am still suspicious of malicious intent here since the 3rd PC, my son's, was infested with viruses and I have been running checks and cleaning his PC and this one too. His was off the network yesterday and has been off for a week or so, so whatever is happening isn't due to his PC now, although his could have been a source, I guess.
    Also my firewall is ZoneAlarm.
     
  9. O111111O

    O111111O

    Joined:
    Aug 26, 2005
    Messages:
    894
    Well. Honestly, ZoneAlarm could be causing some of that now. It does some stateful firewalling. The TCP FINs are half-closed connections. All it takes is a TCP reset sent with the correct source/destination/sequence to cause that.

    You only see UDP listening because it's a connectionless protocol. I certainly hope you don't block UDP as a whole on your firewall or ZoneAlarm. Many things such as DNS require it.

    The router? I'm assuming you have some form of external wireless access-point/router? If you do, disable ZoneAlarm if the issue happens again.

    Just keep using the PC at this point. Keep your eye on tcpview. Do ipconfig/ping. Try doing something like nslookup www.google.com from the command prompt as well.

    If it's just IE, it could be something like ZoneAlarm or a broken DLL post-virus fix. If your other apps work (trading, etc.), and you can ping from the desktop, then we've localized it to the app.

    Are you running some sort of AV/spyware software?

    BTW, I would suggest that you keep your kids off this PC. Change any of your passwords for your financial accounts. Can never be too careful when money is involved.......
     
  10. O111111O

    O111111O

    Joined:
    Aug 26, 2005
    Messages:
    894
    One other thought.

    If you become disconnected (with IE) again, after ascertaining whether you can ping from the command prompt and grabbing the tcpview output, I would suggest you try:

    ipconfig /flushdns

    (This could be IE<>DNS hook issue.)

    Also, on other notes. Download firefox (www.mozilla.org). IE's great for certain sites, but I wouldn't trust it for general browsing.
     
  11. cajun190

    cajun190 Thread Starter

    Joined:
    May 21, 2007
    Messages:
    6
    OK, will do. I did the DNS flush but it didn't release IE from whatever problem was occurring. I will get back to you the next time it happens.... Should I continue this thread or make a new one?
     
  12. O111111O

    O111111O

    Joined:
    Aug 26, 2005
    Messages:
    894
    Might as well continue this thread.
     
  13. cajun190

    cajun190 Thread Starter

    Joined:
    May 21, 2007
    Messages:
    6
    OK, new findings here!

    To briefly review: I have a Belkin router, 2-3 wireless PCs and one wired (the one I am discussing). The IE disconnect is happening only with the wired PC, not the wireless.

    The IE disconnect is happening about once a day when the PC is left on continuously. I followed your suggestions and the ipconfig info looked OK, pings were answered by the router and the ISP DNS server, flushing DNS did not release the IE problem, and netview looked fine.

    So I disabled ZoneAlarm as you suggested and the problem disappeared: immediate browser access to the Internet. I immediately restarted ZA and the problem did not re-occur... until the next day.

    Toggled ZA and the problem is cured again. THANK YOU!

    Do you have any idea as to the ZA setting that would cause this? I may be doing something wrong with ZA as I have my local network classed as an INTERNET ZONE (I am worried about the other wireless PCs being infected and want to isolate my wired PC from them as much as possible; I do not want any file transfers, sharing etc. from my business PC to the family wireless group). Is there a best way to do this and still keep ZA? Or is ZA a waste/problem in this situation?

    Thanks so much for your help. At least now I have a method of getting past the hangup. And I have learned a lot!

    :))
     
Short URL to this thread: https://techguy.org/577166