SYN Flood


srdrake

Posted

Hi, I have a problem.. and I don't know if uTorrent is the cause...

so.. I have these logs in the router

07/09/2006 08:46:06 **SYN Flood** 83.184.225.36, 4351->> 192.168.2.100, 32459 (from ATM1 Inbound)

07/09/2006 08:46:06 **SYN Flood** 83.180.128.118, 55639->> 192.168.2.100, 32459 (from ATM1 Inbound)

07/09/2006 08:46:03 **SYN Flood** 83.180.128.118, 55639->> 192.168.2.100, 32459 (from ATM1 Inbound)

07/09/2006 08:46:02 **SYN Flood** 88.148.60.236, 4409->> 192.168.2.100, 32459 (from ATM1 Inbound)

07/09/2006 08:46:00 **SYN Flood** 83.184.225.36, 4351->> 192.168.2.100, 32459 (from ATM1 Inbound)

07/09/2006 08:45:58 **SYN Flood** 88.148.60.236, 4397->> 192.168.2.100, 32459 (from ATM1 Inbound)

07/09/2006 08:45:57 **SYN Flood** 84.123.157.28, 1456->> 192.168.2.100, 32459 (from ATM1 Inbound)

07/09/2006 08:45:57 **SYN Flood** 88.148.60.236, 4409->> 192.168.2.100, 32459 (from ATM1 Inbound)

07/09/2006 08:45:57 **SYN Flood** 83.184.225.36, 4351->> 192.168.2.100, 32459 (from ATM1 Inbound)

07/09/2006 08:45:54 **SYN Flood** 88.148.60.236, 4412->> 192.168.2.100, 32459 (from ATM1 Inbound)

07/09/2006 08:45:53 **SYN Flood** 88.148.60.236, 4397->> 192.168.2.100, 32459 (from ATM1 Inbound)

07/09/2006 08:45:51 **SYN Flood** 84.123.157.28, 1456->> 192.168.2.100, 32459 (from ATM1 Inbound)

(and more and more IPs)

so... the uTorrent is still downloading and uploading, but.. any web load.. I think so.. these IPs are the people that I have download and upload.. but.. SYN Flood.. is a form of denial-of-service attack.

maybe it is.. the number of connections in the config? how many in XP Professional?

Thanks

Posted

I believe you're misinterpreting the traffic.

Have you opened and forwarded the listen port of uTorrent for incoming connections?

If you haven't, you're bringing this "attack" on yourself. BT clients will wait when they negotiate a connection then find out the user is full.
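
The reply above can be checked against the router log in the first post. This Python sketch is an added example (not posted by anyone in the thread): it groups the twelve alerts by source IP and port and measures the seconds between repeats. The regex layout and the day/month order of the date are assumptions inferred from those lines.

```python
import re
from collections import defaultdict
from datetime import datetime

# Router log lines from the first post; the regex assumes this exact layout.
SAMPLE_LOG = """\
07/09/2006 08:46:06 **SYN Flood** 83.184.225.36, 4351->> 192.168.2.100, 32459 (from ATM1 Inbound)
07/09/2006 08:46:06 **SYN Flood** 83.180.128.118, 55639->> 192.168.2.100, 32459 (from ATM1 Inbound)
07/09/2006 08:46:03 **SYN Flood** 83.180.128.118, 55639->> 192.168.2.100, 32459 (from ATM1 Inbound)
07/09/2006 08:46:02 **SYN Flood** 88.148.60.236, 4409->> 192.168.2.100, 32459 (from ATM1 Inbound)
07/09/2006 08:46:00 **SYN Flood** 83.184.225.36, 4351->> 192.168.2.100, 32459 (from ATM1 Inbound)
07/09/2006 08:45:58 **SYN Flood** 88.148.60.236, 4397->> 192.168.2.100, 32459 (from ATM1 Inbound)
07/09/2006 08:45:57 **SYN Flood** 84.123.157.28, 1456->> 192.168.2.100, 32459 (from ATM1 Inbound)
07/09/2006 08:45:57 **SYN Flood** 88.148.60.236, 4409->> 192.168.2.100, 32459 (from ATM1 Inbound)
07/09/2006 08:45:57 **SYN Flood** 83.184.225.36, 4351->> 192.168.2.100, 32459 (from ATM1 Inbound)
07/09/2006 08:45:54 **SYN Flood** 88.148.60.236, 4412->> 192.168.2.100, 32459 (from ATM1 Inbound)
07/09/2006 08:45:53 **SYN Flood** 88.148.60.236, 4397->> 192.168.2.100, 32459 (from ATM1 Inbound)
07/09/2006 08:45:51 **SYN Flood** 84.123.157.28, 1456->> 192.168.2.100, 32459 (from ATM1 Inbound)
"""

LINE_RE = re.compile(
    r"(?P<ts>\d{2}/\d{2}/\d{4} \d{2}:\d{2}:\d{2}) \*\*[^*]+\*\* "
    r"(?P<src>[\d.]+), (?P<sport>\d+)\s*->>\s*(?P<dst>[\d.]+), (?P<dport>\d+)"
)

def parse(log):
    events = []  # (timestamp, src, sport, dst, dport); unmatched lines are skipped
    for m in map(LINE_RE.search, log.splitlines()):
        if m:
            ts = datetime.strptime(m["ts"], "%d/%m/%Y %H:%M:%S")  # day/month assumed
            events.append((ts, m["src"], int(m["sport"]), m["dst"], int(m["dport"])))
    return events

def summarize(events):
    """Group alerts by connection 4-tuple and measure seconds between repeats."""
    flows = defaultdict(list)
    for ts, *flow in events:
        flows[tuple(flow)].append(ts)
    gaps = {f: [int((b - a).total_seconds()) for a, b in zip(sorted(t), sorted(t)[1:])]
            for f, t in flows.items()}
    return {
        "alerts": len(events),
        "sources": len({e[1] for e in events}),
        "flows": len(flows),
        "targets": sorted({(e[3], e[4]) for e in events}),
        "repeat_gaps": {f: g for f, g in gaps.items() if g},
    }

if __name__ == "__main__":
    print(summarize(parse(SAMPLE_LOG)))
```

On this sample, four remote addresses account for all twelve alerts and every alert targets 192.168.2.100 on port 32459. The same source IP and port recur 3 to 6 seconds apart, which is consistent with peers retrying an unanswered SYN rather than a sustained flood.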

Posted

Is DHT enabled by any chance?

Have you tried changing ports µTorrent uses after a few days/weeks of very heavy use?

Once you change ports, can your router block all traffic on the old port?

How high is your half-open connections set to?

And what about all the settings shown in Speed Guide (CTRL+G)?

Posted
> I believe you're misinterpreting the traffic.
>
> Have you opened and forwarded the listen port of uTorrent for incoming connections?
>
> If you haven't, you're bringing this "attack" on yourself. BT clients will wait when they negotiate a connection then find out the user is full.

the 32459 is open in the router for 192.168.2.100

so.. the rest.. I don't understand :(

> Is DHT enabled by any chance?
>
> Have you tried changing ports µTorrent uses after a few days/weeks of very heavy use?
>
> Once you change ports, can your router block all traffic on the old port?
>
> How high is your half-open connections set to?
>
> And what about all the settings shown in Speed Guide (CTRL+G)?

sorry.. I don't understand, what is DHT?

change ports? is it necessary?

Posted

Linksys routers won't port forward properly to IP addresses within their DHCP range, so you probably aren't getting incoming connections.

The port you have selected indicates you're still using 1.5, which we no longer support.

Posted
> Linksys routers won't port forward properly to IP addresses within their DHCP range, so you probably aren't getting incoming connections.
>
> The port you have selected indicates you're still using 1.5, which we no longer support.

the router is a SMC 7904

"The port you have selected indicates you're still using 1.5, which we no longer support" but...

I can put the port number that I want.. what is the problem using this port in 1.6?

thanks

Posted

ISPs are more likely to monitor or filter default ports.

The "problem" of not forwarding to DHCP range IPs isn't restricted to Linksys routers. You should consider trying a static IP in the same subnet but outside of the router's DHCP range.

Posted

Seems like SMC has put in a real low number for the maximum incoming connections per second or what it considers to be connections for a SYN-flood. Firmware up to date? Can you edit it somewhere?

Posted

DHT and UPnP are talked about in the µTorrent FAQ. It's especially important to read the FAQ if you're having problems.

If you're REALLY getting a SYN Flood on the old port, you better change ports pretty soon...or your computer may not be able to access here again to ask for further help!

Posted

What might help in such a situation is sending back ICMP Port Unreachable; unfortunately, firewalls are keen to block these and I'm not sure many p2p-apps implement listening for them anyway :-(

Posted

well don't know.. at this time.. I don't see anytime the log of the router.. so.. I don't know if it is a normal situation

but.. today.. the log of the router... have any lines, like:

**TCP FIN Scan** x.x.x.x, port ->> local ip, 32459(from ATM1 Inbound)

**Smurf** x.x.x.x, port ->> local ip, 32459(from ATM1 Inbound)

so.. don't know if it is normal or not.. but.. in the router.. the port 32459 is open, and in the firewall of the PC, uTorrent has permission

------

I modified XP to admit 100 connections, and in uTorrent I have 200; perhaps that excess of connections causes the router to reject them and consider it a flood?

Posted

I think some p2p-software uses TCP FIN scans to see if hosts are still online, but it could also just be some sort of port scan or attack. Smurf-attacks are DoS-attacks, using ICMP echoes and broadcast addresses, but that doesn't make sense as your logfile seems to talk about TCP/UDP packets for the Smurf-attack?

Posted
> I modified XP to admit 100 connections, and in uTorrent I have 200; perhaps that excess of connections causes the router to reject them and consider it a flood?

You are probably talking about half-open connections -- which is how many NEW connections to make at once. Even a value of 50 is pretty much excessive, as that means make 50 new connections possibly every couple seconds. The default of 8 works just fine -- I even reduced mine to 4.

µTorrent's half-open connection rate simply MUST be lower than Win XP's or there will be all kinds of problems!

Posted
> > I modified XP to admit 100 connections, and in uTorrent I have 200; perhaps that excess of connections causes the router to reject them and consider it a flood?
>
> You are probably talking about half-open connections -- which is how many NEW connections to make at once. Even a value of 50 is pretty much excessive, as that means make 50 new connections possibly every couple seconds. The default of 8 works just fine -- I even reduced mine to 4.
>
> µTorrent's half-open connection rate simply MUST be lower than Win XP's or there will be all kinds of problems!

well.. what do you think... in your opinion.. that is the best config to ADSL 1M(down) to

1-global max connections

2-maximum number of connected peers per torrent

3-number of upload slots per torrent

4-max number of active torrents (upload or download)

5-max number active downloads

so.. i have

1-200

2-50

3-4

4-4

5-4

and.. in the XP, with "xp antispy" I modified the connections to 100

so.. don't know if these connections are related to points 1 and 2

well.. I go to search into the FAQ

> I think some p2p-software uses TCP FIN scans to see if hosts are still online, but it could also just be some sort of port scan or attack. Smurf-attacks are DoS-attacks, using ICMP echoes and broadcast addresses, but that doesn't make sense as your logfile seems to talk about TCP/UDP packets for the Smurf-attack?

don't know.. it is the first time that with a p2p program.. I see the router log

so.. don't know if it is a normal log.. or somebody tries to attack me, or down my router.. or.. don't know..

Posted

"and.. in the xp, with "xp antispy" i modify the connections to 100"

That is probably the half-open connection limit rather than total connections.

Did you change any advanced settings in µTorrent?

Posted

no, I didn't change any advanced settings.. the box says "DONT CHANGE" :)

well maybe it isn't anything important.. I just try to know.. so.. then the XP connections.. aren't related, no?

Posted

silly? :)

maybe :P

so.. the last question.. I promise not to disturb more.. at the moment :P

so.. uTorrent 1.6 in the logger tab.. writes.. every 20 minutes +-

upnp: port x is already mapped, not re-mapping

is it normal? uTorrent 1.5 only says that at start

and.. in Enable UPnP port mapping, check or not?

thanks, and please sorry for all :)

Archived

This topic is now archived and is closed to further replies.
