Syn_flood looking normal?

I’ve installed OpenWrt 18.06.0 on my Linksys E4200v2 and find it great.


I have noticed a rather large number of syn_flood packets, and the count is ever increasing. The router has been up 9 days.

I have a pretty standard firewall. Are there any tips folks have to try to prevent flood attacks? Perhaps I need to disable ping replies on my external interface?

Any tips are appreciated!

First question is where they are coming from!

tcpdump (the tcpdump-mini package is likely sufficient), filtering on those same flags and capturing to a file, would be how I'd approach it. You can either do it on the router, or from the ssh session on another machine.

You might be able to modify your firewall rules to log the packets' header information. At least for me, tcpdump is easier and doesn't make any significant change to the device under test's configuration (usually).


Six days uptime:

[screenshot]

I've also added additional rules below that drop NEW TCP packets that are not SYNs:

[screenshot]

I agree with @jeff, I'd check into where they are coming from.

I block this and only permit services that must ping me (e.g. HE.net's Tunnelbroker service). Many people I've mentioned this to in various forums always note that it doesn't "prevent" anything. I can identify 2 things:

  • Most scanners only using ICMP Request will not see your router
  • You cannot be DDoSed (i.e. your CPU running out of resources to route and NAT) with a ping of death

Also, I change all the default REJECT (sends ICMP-Unreachable) rules to DROP (silent). This prevents scanning for REJECTs sent from the router's firewall. It also prevents the creation of rejects, which can break traceroute in some configurations.
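The firewall changes described in this post, written out as an added example against the OpenWrt 18.06 /etc/config/firewall defaults. This is not configuration taken from the thread: the address 192.0.2.10 is a placeholder for the one host (e.g. the tunnel server) that must still be able to ping the router, and the firewall.user lines reproduce the "drop NEW TCP that is not a SYN" rule the way it appears in iptables -L as tcp flags:!0x17/0x02 ctstate NEW.

```
# /etc/config/firewall (only the stanzas that change; everything else stays at the 18.06 defaults)

config defaults
	option syn_flood	1		# default: every inbound SYN passes through the syn_flood rate-limit chain
	option input		ACCEPT
	option output		ACCEPT
	option forward		REJECT

config zone
	option name		wan
	list   network		'wan'
	list   network		'wan6'
	option input		DROP		# was REJECT: unsolicited packets are now discarded silently
	option output		ACCEPT
	option forward		DROP		# was REJECT
	option masq		1
	option mtu_fix		1

# The stock Allow-Ping rule accepts echo-request from anywhere on wan.
# Replace it with one restricted to the host that must ping you; every other
# ping now falls through to the zone's DROP policy instead of being answered.
config rule
	option name		Allow-Ping-Tunnelbroker
	option src		wan
	option src_ip		192.0.2.10	# placeholder: the tunnel server's real address
	option proto		icmp
	option icmp_type	echo-request
	option family		ipv4
	option target		ACCEPT

# /etc/firewall.user: the extra rules that show up in iptables -L as
# "tcp flags:!0x17/0x02 ctstate NEW" (a NEW connection whose first packet is not a bare SYN is dropped)
iptables -I INPUT   -p tcp ! --syn -m conntrack --ctstate NEW -j DROP
iptables -I FORWARD -p tcp ! --syn -m conntrack --ctstate NEW -j DROP
```

Apply with /etc/init.d/firewall restart and confirm with iptables -L -v -n. Two caveats: leave the default Allow-ICMPv6-Input rules alone, since IPv6 neighbour discovery and path-MTU discovery need ICMPv6; and DROP makes port scans slower, not impossible, while SYN floods are still handled by the syn_flood chain's rate limit rather than by any of these rules.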

Not an iptables expert, but isn't tcp flags:0x17/0x02 a "normal" SYN, !ACK, !FIN, !RST packet from the start of TCP's three-way handshake?

If so, are you running any services on your machines that are expecting incoming connections?


Correct.

I do... but you failed to notice the exclamation point (!), meaning "does not equal".

tcp flags:!0x17/0x02 ctstate NEW

Thanks for the tips everyone. I did a quick tcpdump using some of these commands and I see nothing unusual, so I think perhaps I have nothing to worry about here.

# Packets with only SYN set, or only ACK set; filter out my own laptop's traffic
tcpdump 'tcp[tcpflags] == tcp-syn or tcp[tcpflags] == tcp-ack' | grep -v MY_LAPTOP_NAME

# Check for pings (-n skips name lookups, -i selects the WAN interface)
tcpdump -ni eth1.10 icmp
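Putting jeff's suggestion (find out where the SYNs come from) together with the tcpdump commands above, as an added example that is not part of the thread: a small POSIX sh script for the router that captures only bare SYNs arriving on the WAN interface and then tallies the decoded capture by source address and by destination port. The interface name eth1.10, the /tmp/syn.pcap path and the sample tcpdump lines are all assumptions or constructed data. The point of the tally is that the syn_flood chain in the 18.06 default firewall is entered by every inbound SYN (it only drops above the rate limit), so its counter grows with ordinary scanner and client traffic; what matters is whether a few hosts are hammering one port or it is the usual background scanning.

```shell
#!/bin/sh
# Added example, not code from the thread: capture bare SYNs arriving on the
# WAN and tally them by source address and destination port.
# Assumptions: WAN interface eth1.10 (check: uci get network.wan.ifname),
# tcpdump from the tcpdump-mini package, capture file under /tmp.

WAN_IF="${WAN_IF:-eth1.10}"
PCAP="${PCAP:-/tmp/syn.pcap}"

# Capture up to $1 packets whose SYN bit is set and ACK bit clear, i.e. the
# first packet of a handshake, which is also what the syn_flood chain matches.
capture_syns() {
	tcpdump -ni "$WAN_IF" -c "${1:-200}" -w "$PCAP" \
		'tcp[tcpflags] & (tcp-syn|tcp-ack) == tcp-syn'
}

# Both tally functions read decoded tcpdump lines on stdin, e.g. from
#   tcpdump -nr /tmp/syn.pcap
# and look at lines shaped like
#   12:00:01.000001 IP 203.0.113.5.44321 > 192.0.2.1.22: Flags [S], seq ...
# Field 7 is the flag word: "[S]," is a bare SYN, "[S.]," would be a SYN-ACK.

# Prints "count source-ip", busiest source first.
top_sources() {
	awk '$2 == "IP" && $7 == "[S]," {
		src = $3; sub(/\.[0-9]+$/, "", src)   # strip the source port
		n[src]++
	}
	END { for (s in n) print n[s], s }' | sort -k1,1nr -k2,2
}

# Prints "count destination-port", most targeted port first.
top_ports() {
	awk '$2 == "IP" && $7 == "[S]," {
		dst = $5; sub(/:$/, "", dst)          # drop the trailing colon
		k = split(dst, p, "."); n[p[k]]++      # last dotted field is the port
	}
	END { for (d in n) print n[d], d }' | sort -k1,1nr -k2,2n
}

# Constructed sample of decoded tcpdump output (not a real capture) for a dry run.
SAMPLE='12:00:01.000001 IP 203.0.113.5.44321 > 192.0.2.1.22: Flags [S], seq 1, win 512, length 0
12:00:01.000002 IP 203.0.113.5.44322 > 192.0.2.1.23: Flags [S], seq 1, win 512, length 0
12:00:01.000003 IP 198.51.100.9.51000 > 192.0.2.1.443: Flags [S], seq 1, win 512, length 0
12:00:01.000004 IP 203.0.113.5.44323 > 192.0.2.1.22: Flags [S], seq 1, win 512, length 0
12:00:01.000005 IP 192.0.2.1.22 > 203.0.113.5.44321: Flags [S.], seq 1, ack 2, win 512, length 0
12:00:01.000006 IP 198.51.100.9.51001 > 192.0.2.1.8080: Flags [S], seq 1, win 512, length 0'

case "${1:-}" in
	demo)     # sh syn_tally.sh demo    -> tallies the constructed sample
		printf '%s\n' "$SAMPLE" | top_sources
		printf '%s\n' "$SAMPLE" | top_ports ;;
	capture)  # sh syn_tally.sh capture 500    -> real capture on the router
		capture_syns "${2:-200}"
		tcpdump -nr "$PCAP" | top_sources | head -n 10 ;;
esac
```

On the constructed sample the tally reports 3 SYNs from 203.0.113.5 and 2 from 198.51.100.9, with port 22 the most targeted; the SYN-ACK line is ignored. Run the capture mode on the router for a few minutes and compare the number of distinct sources with the packet count: hundreds of sources each sending one or two SYNs to 22, 23, 80 and 443 is background scanning, while one source sending thousands to one port is what the syn_flood limit exists for.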