Router log entries.

  1. #1
    Nokia (Right turn Clyde)
    Join Date: Aug 2003
    Location: Button Moon
    Posts: 1,696

    Router log entries.

    Hello,

    Could someone settle a discussion I am having with a colleague at the moment? We have different opinions on what the below mentioned log entries could mean and what could be causing them - naturally I am right - but just to shut him up once and for all, could someone post their opinion of it?


    28.02.2006 17:09:12 **SYN Flood to Host** 192.168.2.2, 3785->>

    28.02.2006 19:03:20 **SYN Flood to Host** 192.168.2.4, 1402->>

    28.02.2006 19:08:56 **SYN Flood to Host** 192.168.2.4, 1523->>

    01.03.2006 13:59:16 **SYN Flood to Host** 192.168.2.4, 1513->>

    They are from a wireless router that only has one WS hardwired to it and one WS on Wi-Fi to it.

    Thanks guys!

    I do rather hope you all agree with my version of what it means!..............
    Drugs have taught an entire generation of kids the metric system.

    http://tazforum.**********.com/

  2. #2
    AO Ancient: Team Leader
    Join Date: Oct 2002
    Posts: 5,197
    First question I have to ask is "what is the threshold for a SYN flood to trip?"

    If it was a single IP then I wouldn't ask that, I'd look at the host.... but since your log shows two IP's I wonder if the threshold is set too low....

    There's a gazillion web sites out there that call a gazillion of other pages that could "imitate" a SYN flood if the threshold is too low.

    Not much help in your argument but it's my $2 worth...
    Don't SYN us.... We'll SYN you.....
    "A nation that draws too broad a difference between its scholars and its warriors will have its thinking done by cowards, and its fighting done by fools." - Thucydides

  3. #3
    Banned
    Join Date: Apr 2003
    Posts: 1,146
    I see different types of router reports on a daily basis. I assume this is Date, Time, Protocol, SourceIP?, and # of events?

    The wired is the 192.168.2.2 and the wireless is 192.168.2.4? The host would be the wireless router, probably internal 192.168.2.1.

    Looks to me like you have attempts to connect outside of the router to something that was previously a static connection (like a share on another network) and either it is now being blocked at the router, or the share went bye-bye??

  4. #4
    Nokia (Right turn Clyde)
    Join Date: Aug 2003
    Location: Button Moon
    Posts: 1,696
    Hi Rapier, no, it's: Date > Time > Event > Source Host > Source Port.
    You're spot on about the W/S & Host - My colleague is convinced that there is a Virus/Spyware/Keylogger etc installed on both hosts????

    I think it is nothing to be too worried about and tried to explain to him that if we did have something like this installed on both hosts, our AV scanners, spyware scanners etc would have picked it up.

    TS backed what I was saying perfectly
    "There's a gazillion web sites out there that call a gazillion of other pages that could "imitate" a SYN flood if the threshold is too low."

    Since we can't alter this, it's "just one of them things", but it doesn't seem to satisfy my colleague, who wants to shut off our entire network from the internet until this "Infection" has been found!!

    Just to explain the setup, this wireless router is one that someone has set up for our Network Admin dept so we can have our own internet connection and not have to go through the network's default gateway. (So we get to use our hotmail, view AO etc in work. It has its own internet connection.)
    However, it is connected to the network so we can still get access to any server resources we need.

    IMO it's nothing to worry about - In his opinion, it's the end of the world and doomsday is near!

    Any suggestions/ thoughts?
    Drugs have taught an entire generation of kids the metric system.

    http://tazforum.**********.com/
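As an added illustration (not code from the thread, and not any router vendor's implementation) of two points made above: a parser for the log layout Nokia describes in #4 (Date > Time > Event > Source Host > Source Port), and a sliding-window SYN counter showing how the detection threshold questioned in #2 decides whether an ordinary page load is reported as a "SYN Flood". The log lines are reproduced from the first post; the page-load burst (25 connection attempts, one every 80 ms) and the threshold and window values are assumptions made for the example.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Sample in the layout described in the thread:
# Date > Time > Event > Source Host > Source Port (the trailing "->>" is part of each line).
SAMPLE_LOG = """\
28.02.2006 17:09:12 **SYN Flood to Host** 192.168.2.2, 3785->>
28.02.2006 19:03:20 **SYN Flood to Host** 192.168.2.4, 1402->>
28.02.2006 19:08:56 **SYN Flood to Host** 192.168.2.4, 1523->>
01.03.2006 13:59:16 **SYN Flood to Host** 192.168.2.4, 1513->>
"""

LOG_RE = re.compile(
    r"^(?P<date>\d{2}\.\d{2}\.\d{4}) (?P<time>\d{2}:\d{2}:\d{2}) "
    r"\*\*(?P<event>[^*]+)\*\* (?P<host>\d{1,3}(?:\.\d{1,3}){3}), (?P<port>\d+)->>$"
)

ONE_SECOND = timedelta(seconds=1)  # assumed counting window for the threshold rule


def parse_router_log(text):
    """Return one dict per well-formed line: ts (datetime), event, host, port."""
    events = []
    for line in text.splitlines():
        m = LOG_RE.match(line.strip())
        if not m:
            continue  # ignore lines that do not follow the expected layout
        ts = datetime.strptime(f"{m['date']} {m['time']}", "%d.%m.%Y %H:%M:%S")
        events.append({"ts": ts, "event": m["event"], "host": m["host"], "port": int(m["port"])})
    return events


def events_per_host(events):
    """Count log entries per source host; two different hosts tripping the rule is
    what made #2 suspect the threshold rather than the machines."""
    counts = defaultdict(int)
    for e in events:
        counts[e["host"]] += 1
    return dict(counts)


def first_threshold_trip(syn_times, threshold, window):
    """Sliding-window SYN counter (assumed shape of a SOHO router's rule).

    Returns the timestamp at which the number of SYNs seen within `window`
    first exceeds `threshold`, or None if the rule never trips."""
    times = sorted(syn_times)
    left = 0
    for right, t in enumerate(times):
        while t - times[left] > window:
            left += 1  # drop SYNs that have fallen out of the window
        if right - left + 1 > threshold:
            return t
    return None


def browsing_burst(start, connections=25, gap_ms=80):
    """Constructed stand-in for one page load: a browser opening many
    connections for embedded resources, one every `gap_ms` milliseconds."""
    return [start + timedelta(milliseconds=gap_ms) * i for i in range(connections)]


if __name__ == "__main__":
    events = parse_router_log(SAMPLE_LOG)
    print(events_per_host(events))
    burst = browsing_burst(events[1]["ts"])
    # An assumed low threshold (10 SYNs per second) reports the page load as a flood ...
    print(first_threshold_trip(burst, 10, ONE_SECOND))
    # ... while an assumed higher one (20 per second) stays quiet on the same traffic.
    print(first_threshold_trip(burst, 20, ONE_SECOND))
```

The same 25 connection attempts trip the 10-per-second rule at the eleventh SYN and never trip the 20-per-second rule, which is the whole of the "threshold too low" argument in one run.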

  5. #5
    AO Ancient: Team Leader
    Join Date: Oct 2002
    Posts: 5,197
    I say packet capture the events and see what it is.... Then he'll shut up...
    Don't SYN us.... We'll SYN you.....
    "A nation that draws too broad a difference between its scholars and its warriors will have its thinking done by cowards, and its fighting done by fools." - Thucydides

  6. #6
    Banned
    Join Date: Apr 2003
    Posts: 1,146
    Tiger is right, you should capture the traffic and analyze it. My concern, were this set up on my own network, is that you seem to have a wireless router that is multi-homed? Both having its own internet access and access to the internal network? Is that what you were saying?

    Doesn't that constitute a network bridge and possibly violate a security policy standard?

    Without the event count and a time period, it is hard to say how much this "SYN Flood" is a real issue, but I agree with Tiger on getting a packet capture. Run something on the inside of the router and another on the outside and take a look. See if there is a correlation between the traffic in and out of the router's external IP(s) and the traffic on the inside private IP(s).

    Backtrack all the outside network IP traffic using SamSpade or some other tool. I like PingPlotter for finding the source IPs. That will tell you if all the connections being made are legit. If you have a keylogger or other trojan, it will show up there.
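The two-capture-point method suggested in #6, as an added example that is not from the thread: records from a capture on the LAN side of the router are matched against records from the WAN side by destination address, destination port and time, since NAT rewrites the source address and port and so those cannot be compared. An inside SYN with no outside counterpart never left the router (the "blocked at the router" case raised in #3), and a per-host destination summary shows whether a host hammers one destination or spreads a few SYNs across many, which is what separates a flood from browsing. All records, the router's WAN address (`ROUTER_WAN_IP`, a documentation-range placeholder), the matching tolerance and the `looks_flood_like` cut-off are constructed assumptions.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed capture records, not real traffic. Fields: ts, src, sport, dst, dport.
# Destination addresses are from documentation ranges; 10.1.1.50 stands in for an
# internal file server reached through the router's LAN-side connection to the company network.
ROUTER_WAN_IP = "203.0.113.10"  # assumed external address of the router
T0 = datetime(2006, 2, 28, 19, 3, 20)

INSIDE = [  # captured on the LAN side (private source addresses)
    (T0 + timedelta(milliseconds=0),   "192.168.2.4", 1402, "198.51.100.20", 80),
    (T0 + timedelta(milliseconds=120), "192.168.2.4", 1403, "198.51.100.21", 80),
    (T0 + timedelta(milliseconds=250), "192.168.2.4", 1404, "198.51.100.22", 443),
    (T0 + timedelta(milliseconds=400), "192.168.2.4", 1405, "10.1.1.50", 445),  # never leaves the router
    (T0 + timedelta(milliseconds=900), "192.168.2.2", 3785, "198.51.100.20", 80),
]
OUTSIDE = [  # captured on the WAN side (source rewritten by NAT)
    (T0 + timedelta(milliseconds=5),   ROUTER_WAN_IP, 40001, "198.51.100.20", 80),
    (T0 + timedelta(milliseconds=127), ROUTER_WAN_IP, 40002, "198.51.100.21", 80),
    (T0 + timedelta(milliseconds=258), ROUTER_WAN_IP, 40003, "198.51.100.22", 443),
    (T0 + timedelta(milliseconds=906), ROUTER_WAN_IP, 40004, "198.51.100.20", 80),
]

# Constructed contrast case: one host repeating SYNs to a single destination.
REPEATED = [
    (T0 + timedelta(milliseconds=50 * i), "192.168.2.4", 2000 + i, "198.51.100.30", 80)
    for i in range(30)
]


def correlate(inside, outside, tolerance=timedelta(milliseconds=500)):
    """Match each inside SYN to the earliest unmatched outside SYN with the same
    dst/dport within `tolerance`. Returns (matched pairs, unmatched inside records)."""
    remaining = sorted(outside)
    matched, unmatched = [], []
    for rec in sorted(inside):
        ts, _, _, dst, dport = rec
        hit = None
        for o in remaining:
            if o[3] == dst and o[4] == dport and abs(o[0] - ts) <= tolerance:
                hit = o
                break
        if hit is None:
            unmatched.append(rec)  # dropped by the router, or a LAN-only destination
        else:
            remaining.remove(hit)
            matched.append((rec, hit))
    return matched, unmatched


def destinations_per_host(inside):
    """Map inside host -> {(dst, dport): SYN count}."""
    summary = defaultdict(lambda: defaultdict(int))
    for _, src, _, dst, dport in inside:
        summary[src][(dst, dport)] += 1
    return {host: dict(dests) for host, dests in summary.items()}


def looks_flood_like(dest_counts, min_syns=10):
    """Assumed rule of thumb: many SYNs at one destination is flood-like;
    one or two SYNs each to many destinations is ordinary browsing."""
    return any(n >= min_syns for n in dest_counts.values())


if __name__ == "__main__":
    matched, unmatched = correlate(INSIDE, OUTSIDE)
    print(f"{len(matched)} inside SYNs seen leaving the router, {len(unmatched)} not seen outside")
    for host, dests in destinations_per_host(INSIDE).items():
        print(host, "flood-like" if looks_flood_like(dests) else "browsing-like", dests)
    for host, dests in destinations_per_host(REPEATED).items():
        print(host, "flood-like" if looks_flood_like(dests) else "browsing-like", dests)
```

Reading the two capture files from a real box would replace the constructed lists; the matching and the per-host summary are what the correlation step in #6 comes down to.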

  7. #7
    Nokia (Right turn Clyde)
    Join Date: Aug 2003
    Location: Button Moon
    Posts: 1,696
    Hi,

    Yep, Rapier, that's what I'm saying! I don't really have any say in the matter - it's common sense to me not to have it - but the department head set it up - and it's his neck on the line if something goes wrong with it, so it doesn't really bother me either way, I just enjoy the unrestricted internet access!

    I don't work in the department, I just train the employees, but I work out of his dept. When I started there I tried to tell him what a pretty stupid thing he had done, but I don't think I was too polite when I told him; I was semi in shock that the Head of the IT support dept had an unauthorised wireless router connected to his network. But I got told to shut up and go away.

    Now there are a few anomalies in his log, he has started to panic. Wants to shut the ENTIRE network down until he has completed a complete security scan - he's trying to pass it off as an Annual Security Audit! Go figure!

    I suggested capturing the packets and analysing them, but he is the type of person that won't listen to anyone else and his opinion is always right!

    I have a gut feeling that it is not too serious an issue, as if there was something untoward on the boxes, there would be more than a few SYN floods in the logs!

    I will show him your posts, maybe three other opinions on packet analysing will change his mind.

    I wouldn't normally be too arsed, but because I work out of his dept, if something like this was to become common knowledge, I would be associated with it - obviously I don't want to have anything to do with this idiot and his idiotic ideas!

    Yes I hope he reads this too when I show him the thread.

    You wouldn't think the company I work for is one of the largest Telecom providers in the world!
    Drugs have taught an entire generation of kids the metric system.

    http://tazforum.**********.com/

  8. #8
    Banned
    Join Date: Apr 2003
    Posts: 1,146
    Good luck, Nokia. Hope all this helps.
