
london.matthews (macrumors newbie, original poster, joined Mar 5, 2013)
Hello,

I'm hoping someone here can help me, as I'm at my wit's end with this issue.

About a week ago, after returning from a business trip to Texas, I started experiencing extreme lag/freezing with my Internet connection. (I use Time Warner high-speed internet.) What would happen is that my internet would run at normal speed for a couple of minutes, then suffer severe lag (pages would not load, partially load or just time out before loading) for several minutes. Then things would return to normal for a minute or two, only for the process to repeat itself.

I've been on the phone with Time Warner 6-7 times in the last week. Initially, they just changed the "channel" of my router. After the second call, they sent a technician out who checked all of the fittings and replaced the router.

Three days ago, I had to call Time Warner again because the issue was still not resolved. The Level 3 tech who I spoke to told me that he was seeing activity consistent with a "denial of service" attack coming from the one PC (an HP laptop) that I have here at the house. He instructed me to turn off that machine, which I did.

For about 12 hours, it seemed like this was the solution. Then, yesterday, I began having the exact same problems. Note that the HP laptop has been turned off this entire time.

Once again, I got on the phone with Time Warner. This time, the tech tells me that the suspicious IP address is one of my MacBook Pros (again, based on the IP address). We changed the network name, the network password, etc... So at this point, all devices were disconnected from the network. Then he had me add on just one device (my MacBook Pro which I use most frequently) back to the network.

For an hour, it ran fine. Then, BAM... massive slowdown once again. I logged into the router settings and in the logs, I can see where it is hitting the router with SYN Flood. There are two listed --- one where the count is 94 and one where the count is 25. There are also a couple of "TCP- or UDP-based Port Scans" listed as well.

I've been doing some Googling and I found an article which indicated that I could use a Terminal command (lsof -i) to see all active connections. I have done that and it returns a long list of commands, the large majority (at least 80) of which are listed as "Google." Some of these commands have site names like tribalfusion.com, amazonaws.com and cloudfront.net associated with them. I saved this info to a PDF file, and I am happy to post it here... just was not sure if doing so would be exposing any personal information.

I'm at a loss as to what to do next. I did download and install ClamXav per the advice found on another board. I ran a scan on my machine and, while it found 376 errors, it says there are 0 infected files.

Can anyone help? Time Warner is sending another technician out tomorrow, but I doubt that he/she will be able to do much as this appears to be an issue with my machine and not so much with my router/network. Maybe I'm wrong about that... I don't know at this point.

Any help/advice would be very much appreciated. Thanks.
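The `lsof -i` listing in the post above is easier to reason about when it is summarised. The script below is an added example, not something posted in the thread, and the sample output it works on is constructed in the layout `lsof -i -n -P` prints on macOS (`-n` and `-P` keep addresses and ports numeric). Two facts worth knowing while reading it: lsof truncates the COMMAND column to 9 characters, which is why "Google Chrome" shows up as "Google", and the remote names like amazonaws.com and cloudfront.net are simply the hosting and CDN providers that ordinary web pages load from. A program genuinely generating outbound SYNs through normal sockets would pile up entries in SYN_SENT; a busy browser shows mostly ESTABLISHED. A flood sent through a raw socket would not appear as per-connection entries at all, so a clean result does not by itself clear the machine, but it does settle whether ordinary programs are the source.

```shell
#!/bin/sh
# Added example (not from the thread): summarise `lsof -i -n -P` output by
# process, by remote host and by TCP state.
# Live use on a Mac:   lsof -i -n -P | summarize_all

# Constructed sample in the layout lsof prints on macOS; PIDs, device ids and
# remote addresses are made up. "Google" is "Google Chrome" after lsof's
# 9-character COMMAND truncation.
SAMPLE_LSOF='COMMAND   PID USER   FD   TYPE DEVICE SIZE/OFF NODE NAME
Google    812 user   23u  IPv4 0x1a2b      0t0  TCP 192.168.0.5:49211->173.194.73.99:443 (ESTABLISHED)
Google    812 user   31u  IPv4 0x1a2c      0t0  TCP 192.168.0.5:49218->54.230.12.8:443 (ESTABLISHED)
Google    812 user   40u  IPv4 0x1a2d      0t0  TCP 192.168.0.5:49230->173.194.73.99:443 (CLOSE_WAIT)
Safari    944 user   12u  IPv4 0x1a2e      0t0  TCP 192.168.0.5:49301->173.194.73.99:80 (SYN_SENT)
Safari    944 user   13u  IPv4 0x1a2f      0t0  TCP 192.168.0.5:49302->54.230.12.8:443 (SYN_SENT)
mDNSRespo  71 _mdnsresponder 8u IPv4 0x1a30 0t0 UDP *:5353
launchd     1 root    9u  IPv6 0x1a31      0t0  TCP *:22 (LISTEN)'

# Number of TCP sockets in one state, e.g.  count_state SYN_SENT
count_state() {
    awk -v st="($1)" '$NF == st { n++ } END { print n + 0 }'
}

# TCP sockets per process (the COMMAND column), busiest first.
# Only lines ending in a "(STATE)" are TCP; UDP lines have no state.
by_process() {
    awk 'NR > 1 && $NF ~ /^\(/ { c[$1]++ }
         END { for (p in c) printf "%s %d\n", p, c[p] }' | sort -k2,2rn -k1,1
}

# Outbound connections per remote host: the part of NAME after "->" with the
# trailing ":port (STATE)" removed. IPv4 only; IPv6 names are bracketed and
# would need a different cut.
by_remote() {
    awk '/->/ { split($0, a, "->"); sub(/:[^:]*$/, "", a[2]); c[a[2]]++ }
         END { for (h in c) printf "%s %d\n", h, c[h] }' | sort -k2,2rn -k1,1
}

# Whole-picture report from lsof output on stdin.
summarize_all() {
    data=$(cat)
    printf '== TCP sockets by process ==\n';  printf '%s\n' "$data" | by_process
    printf '== connections by remote host ==\n'; printf '%s\n' "$data" | by_remote
    printf 'SYN_SENT (half-open, outbound): %s\n' "$(printf '%s\n' "$data" | count_state SYN_SENT)"
    printf 'ESTABLISHED: %s\n'                   "$(printf '%s\n' "$data" | count_state ESTABLISHED)"
}

printf '%s\n' "$SAMPLE_LSOF" | summarize_all
```

With dozens of entries the per-process and per-host counts are what matter: a handful of CDN hosts with a few ESTABLISHED sockets each is a normal browser, while one process with a large and growing SYN_SENT count is worth investigating. Run it a few times during a slow period and again during a fast one; the comparison is more telling than any single snapshot.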
 

S.B.G (Moderator, staff member, joined Sep 8, 2010, Detroit)
What is your current network setup? Do you have any switches in it, what kind of router do you have?

One other possible cause is a broadcast storm. It could come from a switch acting up or misconfigured.
 

london.matthews (original poster)

Hi, thanks for the fast reply. The new modem/router is a NetGear CGD24G.

I'm not sure how to answer your questions about my current network setup and whether I have any switches in it.

I do have access to the router settings via the 192.168.0.1 login, so if you are able to tell me what I should be looking for, I'll be happy to do so.

Thanks.
 

S.B.G (Moderator)

A switch is a physical device, much like a router. So you probably have a cable modem connected to the Netgear router, and if you have a switch, it would be connected between the router and your computer(s).

Also, has your ISP reset your IP address to a different one through all of this?
 

london.matthews (original poster)

I just have the one device. It is a modem/router. The cable feeds from the wall directly to the router which then distributes the signal wirelessly. I have the option of plugging an ethernet cable into it and connecting that way (which I did this past weekend when we were troubleshooting) but everything is connected wirelessly.

I do not believe we've reset the IP address at any point. We did clear the DHCP Leases today, but I think that is probably something different, yeah?
 

S.B.G (Moderator)

Okay, it probably wasn't a broadcast storm then. Your modem/router has a public IP and if someone was targeting your IP or a range of IPs (with yours in it), your ISP (Time Warner) should reset your public IP to something different. Sometimes, depending on the ISP, you can just unplug your modem for 15-30 minutes and when you plug it back in, it will get a new IP.

I have to think that, with all you've done with them already, they'd have done this by now.
 

london.matthews (original poster)

Minutes? Or seconds? If the latter, we've done this multiple times. (It is pretty much the first thing they make me do every time I call, no matter how many times I ask to just be escalated straight to Level 3 or try to give them the case number.) I can certainly unplug it for 30 minutes tonight if you think that will make a difference.
 

S.B.G (Moderator)

Maybe the dynamic IP change is a bit faster these days. :p I doubt leaving it unplugged for 30 minutes would make a difference, considering they've had you do this each time.
 

freejazz-man (macrumors regular, joined May 12, 2010)
the TWC modem is probably NATing anyway, I doubt you have a public IP and I doubt you actually have a virus seeing as TWC thought it was two different computers.

do you have the same browsing issue with the HP laptop?

why don't you do traceroute when it's slow to see if the delay is local or remote?
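The traceroute suggestion above never gets a how-to in the thread. On a Mac it is typed into Terminal as `traceroute -n <host>`; `-n` skips reverse DNS so each hop line is just the hop number, an address and three probe times. What follows is an added example, not code from the thread: it reads traceroute output and reports the first hop where the best-of-three round-trip time crosses a threshold. Hop 1 is the router itself (192.168.0.1 in this thread), so a slow hop 1 points at the Wi-Fi link or the router, while a slow later hop points at the ISP path. The target 8.8.8.8 is an assumed choice of stable public host, and both sample outputs are constructed with made-up intermediate addresses.

```shell
#!/bin/sh
# Added example (not from the thread): decide from traceroute output whether
# the delay starts at the home router or further out on the ISP side.
# Live use on a Mac, during a slow period:   traceroute -n 8.8.8.8 | locate_delay 100

# Per hop, keep the best of the three probe times (a single slow probe means
# nothing: routers rate-limit the ICMP replies traceroute relies on) and print
# the first hop whose best time is at or above the threshold, as "<hop> <addr> <ms>".
first_slow_hop() {
    awk -v limit="${1:-100}" '
        /^ *[0-9]+ / {
            best = -1
            for (i = 3; i <= NF; i++)
                if ($i == "ms" && (best < 0 || $(i-1) + 0 < best)) best = $(i-1) + 0
            if (best < 0) next          # every probe timed out ("* * *"): no data for this hop
            if (best >= limit) { printf "%s %s %.1f\n", $1, $2, best; exit }
        }'
}

# Turn that hop into a verdict. Hop 1 is the router (192.168.0.1 in the thread).
locate_delay() {
    limit="${1:-100}"
    hop=$(first_slow_hop "$limit")
    case "$hop" in
        "")    echo "no hop at or above ${limit} ms: the path is not where the delay is" ;;
        "1 "*) echo "delay starts at hop 1 (${hop#1 }): local, between this machine and the router" ;;
        *)     echo "delay starts at hop ${hop%% *} (${hop#* }): beyond the router, on the ISP side" ;;
    esac
}

# Constructed sample outputs, not real captures; the 10.x and 72.x hops are made up.
SAMPLE_LOCAL='traceroute to 8.8.8.8 (8.8.8.8), 64 hops max, 52 byte packets
 1  192.168.0.1  612.455 ms  540.120 ms  601.334 ms
 2  10.64.0.1  630.102 ms  *  655.870 ms
 3  8.8.8.8  640.551 ms  648.930 ms  651.212 ms'

SAMPLE_REMOTE='traceroute to 8.8.8.8 (8.8.8.8), 64 hops max, 52 byte packets
 1  192.168.0.1  1.204 ms  0.988 ms  1.110 ms
 2  10.64.0.1  9.871 ms  10.240 ms  9.990 ms
 3  * * *
 4  72.14.232.1  480.330 ms  455.021 ms  *
 5  8.8.8.8  490.112 ms  488.765 ms  495.230 ms'

printf '%s\n' "$SAMPLE_LOCAL"  | locate_delay 100
printf '%s\n' "$SAMPLE_REMOTE" | locate_delay 100
```

Read the result together with the hops after it: a jump that persists to the final hop is a real delay on the path, whereas one hop that is slow while everything after it is fast is just that router deprioritising ICMP. Running the same trace over Ethernet and over Wi-Fi, and again when the connection is behaving, separates the Wi-Fi link from the router from the ISP.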
 

london.matthews (original poster)

UPDATE (but still no resolution): Time Warner sent the technician back yesterday morning. It was the same technician as last time. He called to tell me that he was here and was going to work on the line first, then called again 30 minutes later to tell me that they were done and he was leaving. Never even came inside... though I guess that would not have made much of a difference. He did say something about them possibly having an issue in the area (evidently one of my neighbors saw him and told him that her Internet was having problems as well). Told me that he'd escalate this to a supervisor and they'd get back to me. Haven't heard anything back yet.

Since that time, I've been toggling different settings on my router. I read elsewhere that turning on "Filter Proxy," "Filter Cookies" and "Block Fragmented IP Packets" might provide some resolution. I did try this and, for a little while, thought it actually solved the problem, but I've experienced a couple of SYN FLOODS since then. (I have since returned to the router settings and disabled these settings again.)

The only positive news that I have to report so far is that I did try an experiment. I brought a Mac into the house that has never been connected to this network before. It is a fairly new machine and I think the probability that it's been exposed to spyware/malware/virus is zero. I turned off all other connections and then connected the "new" Mac. Within a few minutes, I was seeing SYN FLOOD messages in the router log with the IP address of the new machine. My thinking is that this establishes that the issue cannot possibly be with my computer(s).

I'm not sure what NATing is. I'll Google it but if you see this and don't mind replying, that would be great.

Can you tell me how to run a traceroute?

One more question. I keep reading online that a potential solution to this problem is to change "TCP Maximum Incomplete" from a value of 10 to a higher number (usually cited as a number between 20 and 50).

I've been through all of my router settings and not seeing anything like this. Any ideas as to where this might exist? I'm using Netgear's model CGD24G.
 

london.matthews (original poster)
Any chance this (see screenshot) could be the cause of my problems? I'm seeing in another forum that "leaving it on, you can be the very unlucky recipient of a DOS attack."

Ramifications of turning it off?
 

Attachment: screenshot.png

freejazz-man (macrumors regular)
WAN is the ISP side of your router, so unless the DDOS is coming from their network I doubt it.

I worked as a computer security analyst in the private sector and the public sector for a number of years. I'm positive you aren't causing or receiving a SYN flood. If anything it's a misconfig on some hardware. It really just sounds like some dinky hardware from TWC and some dumb techs - par for the course from them.

Do you manage the router or is it TWC's property? It definitely sounds like there are some messed up settings on the router, but honestly, you shouldn't even have access to the max TCP incomplete window. You might want to try a different router. I like ACER

NAT is network address translation; it translates non-routable IPs (10.x, 192.168.x, 172.16.x) to internet-routable IPs. So TWC probably has you on a private address already, that gets translated to a public IP on their network. If you ask TWC for a static IP, they will assign a static IP to your modem, and then you need to NAT with the router. This is just information for you as you asked (nicely I might add :), it's not really relevant to your issue - I don't think.
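Whether the modem really sits behind the ISP's own NAT, as suggested above, can be checked from the WAN (Internet-side) address the router's status page reports. The classifier below is an added example, not from the thread. For reference, the private ranges defined by RFC 1918 are 10.0.0.0/8, 172.16.0.0/12 (172.16.x through 172.31.x, not every 172.x address) and 192.168.0.0/16, and ISPs that NAT their customers commonly hand out addresses from the shared range 100.64.0.0/10 defined by RFC 6598. If the WAN address lands in any of these, nothing on the public Internet can open a connection to the router directly, which bears on whether an external SYN flood against it is even possible. The addresses in the test calls are constructed.

```shell
#!/bin/sh
# Added example (not from the thread): classify an IPv4 address by the range it
# belongs to. Feed it the WAN/Internet address shown on the router's status page:
#   ip_class 100.72.15.9
ip_class() {
    printf '%s\n' "$1" | awk -F. '
        # Reject anything that is not four dotted decimal octets in 0..255
        NF != 4 || $1 !~ /^[0-9]+$/ || $2 !~ /^[0-9]+$/ ||
        $3 !~ /^[0-9]+$/ || $4 !~ /^[0-9]+$/ ||
        $1 > 255 || $2 > 255 || $3 > 255 || $4 > 255   { print "invalid"; next }
        # RFC 1918 private ranges; note the /12 covers only 172.16 through 172.31
        $1 == 10                                       { print "private (10.0.0.0/8, RFC 1918)"; next }
        $1 == 172 && $2 >= 16 && $2 <= 31              { print "private (172.16.0.0/12, RFC 1918)"; next }
        $1 == 192 && $2 == 168                         { print "private (192.168.0.0/16, RFC 1918)"; next }
        # RFC 6598 shared address space used by ISPs for carrier-grade NAT
        $1 == 100 && $2 >= 64 && $2 <= 127             { print "shared (100.64.0.0/10, RFC 6598, carrier-grade NAT)"; next }
        $1 == 127                                      { print "loopback (127.0.0.0/8)"; next }
        $1 == 169 && $2 == 254                         { print "link-local (169.254.0.0/16)"; next }
                                                       { print "public" }'
}

# Sample calls on constructed addresses
for a in 192.168.0.1 172.31.255.254 172.32.0.1 100.72.15.9 8.8.8.8 256.1.1.1; do
    printf '%-16s %s\n' "$a" "$(ip_class "$a")"
done
```

A private or shared result on the WAN side means the address that appears in the ISP's own logs is a translated one upstream of this router, and any "attack" attributed to it by a support technician deserves a closer look before it is pinned on a machine in the house.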
 

london.matthews (original poster)

Thanks for the info. The router is Time Warner's. Issues persist.
 

freejazz-man (macrumors regular)
it's the router, call them up and get it changed. maybe just reset it.

don't let them run you around with it being your computer. lazy techs do that all the time, and if you don't have the expertise to put them in their place then it is tough
 

london.matthews (original poster)

I tried resetting the router yesterday by unplugging it for 40 minutes. When I plugged it back in, the SYN Flood stuff started up again almost immediately.

I can have TW come and swap routers again, but my concern here is that they've already done this once (after my initial complaint to them about this problem). Seems like it would require an extraordinarily large coincidence for the same problem to exist on both routers (which were from entirely different manufacturers, incidentally). I'm certainly not opposed to trying it (or buying my own router)... just want to make sure I've considered all options first.

I was actually feeling pretty good when I got online this morning because, yesterday, I went into the router settings and tried one last thing. Under "Remote Management" (which is enabled) I changed the port number from 80 to another number. I did this because I read elsewhere that a port number of 80 is basically an invitation to hackers to launch DOS attacks. The SYN FLOOD that I was experiencing at the time came to a halt instantly. And despite me using the Internet for another 3-4 hours last night, I never had another instance all night long. (Several TCP- or UDP-based Port Scans, but no SYN floods and no slowdowns in internet speed.)

Alas, about five minutes before posting this message, I checked the log again and I see that I just had a SYN flood this morning. So apparently that was not the fix after all.
 

freejazz-man (macrumors regular)
yeah, I wouldn't worry about the port that the remote administration runs on anyway

there are two interfaces on a router, internal and external. You are internal, therefore if the hackers were attacking port 80, it would be external.

Is there wifi?
 

london.matthews (original poster)

Are you asking if I use wifi? If so, yes... in fact, all of my devices are connected wirelessly. While troubleshooting these past 2 weeks, I have attempted to connect to the Netgear modem/router with an ethernet cable (just so that we can try to rule various things out) but it made no impact at all.
 

freejazz-man (macrumors regular)
that's bizarre

you gotta work it out with TWC, don't let them tell you it's your computer. It's clearly any computer in your house. Heck, go buy a netbook to shut them up.
 