1. This site uses cookies. By continuing to use this site, you are agreeing to our use of cookies. Learn More.

How to keep Terminal related Hacking out of a Local network

Discussion in 'Networks' started by computer, Nov 17, 2013.

  1. computer

    computer New Member

    6
    0
    1
    There are three Mac computers attached to a wired Netgear router. Without attempting to confront a user how can I prevent misuse of network bandwidth so that other computers will remain unaffected?

    Can this be accomplished without the use of an expensive external firewall?

    Thank you in advance!
     
  2. zxspectrum

    zxspectrum Gigabyte Poster Premium Member

    1,666
    54
    139
    Surely there are some restrictions you can put in here. How are they logging on, do they not have certain credentials etc? and can you not use their mac address against them, or block the site they are using???

    Im sure the others will come in with better solutions later.

    Personally look at it this way, if its through a company or educational institute and they are downloading illegal material, i think you may have an obligation under law to stop them, now that really needs to be confronted, id be over there like a shot.

    Ed
     
    Certifications: BSc computing and information systems
    WIP: 70-680
  3. computer

    computer New Member

    6
    0
    1
    Since the computer is a MacBook Pro and is privately owned I really have no way of direct access other than over the network. Is there a way to search for and prevent things like SSH tunneling etc. The router currently is an Rp614v4 web safe. I realize that this is a very basic piece of hardware and if properly directed I would be more than happy to replace if need be. This is for residential house hold and not commercial.
     
  4. zxspectrum

    zxspectrum Gigabyte Poster Premium Member

    1,666
    54
    139
    Im sure there is a way to do some mac address filtering

    Although im not totally sure how you go about it.

    Are you savvy with anything technical, id log into the routers homepage, where all the details will be on the back of the router, i mean the page will be something like 192.168.1.1 and the admin and password will be something like admin, password, depending on the router. You can search for these on google by looking for your specific router etc.

    But if your not sure what to do id leave it and find someone who knows etc

    Ed
     
    Certifications: BSc computing and information systems
    WIP: 70-680
  5. dmarsh

    dmarsh Terabyte Poster

    3,782
    302
    184
    Most SOHO routers do indeed have basic firewall functionality that includes blacklist/whitelist of MAC addresses.

    You can also limit number DHCP leases etc.

    If you are lucky you might be able to block by port number also.

    You can set up WPA security and have a non broadcast SSID, that means users on the wi-fi access point must have the SSID and the password you give them, if the users don't share this information with the culprit then you should be ok.

    You could set up some sort of RADIUS or HTTP proxy to limit net access but this is not typically worth it for residential dwelling.

    SSH uses SSL so you cant do any kind packet inspection and SOHO routers don't support this.

    You can install personal firewalls and lock down each pc on the network also, to try to prevent attacker getting access. Thing you need to do is fully patch them and make sure security settings are correct and SMB shares aren't open etc.
     
    Last edited: Nov 17, 2013
    Certifications: CITP, BSc, HND, SCJP, SCJD, SCWCD, SCBCD, SCEA, N+, Sec+, Proj+, Server+, Linux+, MCTS, MCPD, MCSA, MCITP, CCDH
  6. computer

    computer New Member

    6
    0
    1
    Can you provide me with the steps I would need to take to secure the computers? I do not have access to the offending laptop so modifying settings would be out of the question. I will be reformatting the to main computers, but I see this as a poor choice when they still maybe able to reconfigure. The worst thing I could do is be counter productive when I prefer to do it once.

    One thing that I am still trying to get my head around is whether or not they are limiting bandwidth (if its possible with a terminal command), or if the lack of speed is a resultant of something they setup. Is it possible to limit bandwidth of other computers using terminal over the network without having access to them? If I were to purchase a router with a switch/QoS would this remedy this situation through the addition of external hardware?

    If they have somehow configure settings of other computers to make it more favorable for them, is there a way to maintain a network that has no other devices except the three computers while making sure they cannot communicate with one another. I would like to not only remedy this problem, but also ensure that I have a plug and play option for any future attempts.

    Please let me know what you would suggest. I should also mention that this network is currently running at 1 mb upload and 15 download. The owner does not want to upgrade because of the fact that for normal purposes the bandwidth should be sufficient. Besides it would only mask the problem and promote what ever it is they are currently getting away with.
     
    Last edited: Nov 17, 2013
  7. dmarsh

    dmarsh Terabyte Poster

    3,782
    302
    184
    As mentioned a non broadcast SSID and WPA2 security should keep most people out. Who is this guy with the macbook? Is the Wi-Fi secured ? If it is secured how did he gain access ?

    If he managed to get the Wi-Fi password by social engineering, just reset it to a different value and inform the residents not to share passwords.

    I expect he is just doing network intensive operations and there is no QoS on the router, therefore degrading everyone elses experience. The point of a network is allow the computers to communicate, you can install personal firewalls or set up VPN's but for a small home, VPN is overkill.

    It is possible to configure computers and routers remotely, they could do lots of things in theory, in reality if they aren't an above average hacker its unlikely.

    Some sort of QoS function on the router does sound like what you are asking for. You probably need a new router with QoS or maybe try something like dd-wrt.

    I'm not a networking or security expert, I suspect someone else may have some thoughts on this.
     
    Last edited: Nov 18, 2013
    Certifications: CITP, BSc, HND, SCJP, SCJD, SCWCD, SCBCD, SCEA, N+, Sec+, Proj+, Server+, Linux+, MCTS, MCPD, MCSA, MCITP, CCDH
  8. computer

    computer New Member

    6
    0
    1
    It is a netgear WIRED router. Is there a way to connect three computers while managing bandwidth of IP addresses (or ports), and also keep computers from communicating with each other? There are no printers or any attached devices so there really is no reason to have connectivity between computers.
     
  9. BraderzTheDog

    BraderzTheDog Kilobyte Poster

    276
    2
    49
    Hi,

    If you are using a netgear router I would imagine the ports are actually only working at Layer 2. Ideally what you want to be doing is logically separating the computer in question from the others, by doing this you can then setup basic policies to only allow certain ports for legitimate purposes; E.g. RDP 3389.

    Having said that you may be able to do some MAC filtering as said before, if not you may be able to create two VLAN's and add the machine in question into its own VLAN. Once you have done that you will have separated the broadcast domains so the client wont be able to go directly, only via the router part of the netgear. This is where you can apply a policy before the packet is routed to the VLAN stopping this from happening.

    In my honest opinion, as a network engineer... I would say you aught to look into the purchase of a firewall. Something simple like a Juniper SSG5 or even something older like a Netscreen 25 (cost of around £20 - 30 ebay). You will be able to apply policies on a zone basis and only allow legal traffic between hosts.

    I think you may be lacking some level of control in your network.

    Regards,
    Brad.
     
    Last edited: Nov 20, 2013
    Certifications: CCNA R&S, CCNA-SEC, CCSA, JNCIA FWV, MCITP, MCTS, MTA, A+
  10. Sparky
    Highly Decorated Member Award

    Sparky Zettabyte Poster Moderator

    10,190
    296
    319
    Based on what hardware you are using.

    Create a firewall rule that only allows port 80,443 and port 53 from LAN -> WAN. This will stop any unusual ports connecting out.

    Check the log file on the firewall – see if there is anything useful in terms of connections to the firewall that might be causing speed issues. The email log can be emailed to you automatically as well.
     
    Certifications: MSc MCSE MCSA:M MCSA:S MCITP:EA MCTS(x5) Security+ Network+ A+
    WIP: Exchange 2007\2010
  11. computer

    computer New Member

    6
    0
    1
    These are the logs from today please let me know if there is anything suspicious.


    Sunday,24 Nov 2013 01:45:29 [TCP SYN Flood][Deny access policy matched, dropping packet]
    Sunday,24 Nov 2013 01:45:29 [TCP Stealth FIN Port Scan][Deny access policy matched, dropping packet]
    Sunday,24 Nov 2013 01:45:40 [TCP Stealth FIN Port Scan][Deny access policy matched, dropping packet]
    Sunday,24 Nov 2013 01:45:41 [TCP SYN Flood][Deny access policy matched, dropping packet]
    Sunday,24 Nov 2013 01:45:41 [TCP Stealth FIN Port Scan][Deny access policy matched, dropping packet]
    Sunday,24 Nov 2013 01:45:45 [TCP SYN Flood][Deny access policy matched, dropping packet]
    Sunday,24 Nov 2013 01:45:47 [TCP SYN Flood][Deny access policy matched, dropping packet]
    Sunday,24 Nov 2013 01:45:56 [TCP SYN Flood][Deny access policy matched, dropping packet]
    Sunday,24 Nov 2013 01:45:56 [TCP Stealth FIN Port Scan][Deny access policy matched, dropping packet]
    Sunday,24 Nov 2013 01:46:06 [TCP Stealth FIN Port Scan][Deny access policy matched, dropping packet]
    Sunday,24 Nov 2013 01:46:06 [TCP SYN Flood][Deny access policy matched, dropping packet]
    Sunday,24 Nov 2013 01:46:08 [TCP Stealth FIN Port Scan][Deny access policy matched, dropping packet]
    Sunday,24 Nov 2013 01:46:08 [TCP SYN Flood][Deny access policy matched, dropping packet]
    Sunday,24 Nov 2013 01:46:10 [TCP SYN Flood][Deny access policy matched, dropping packet]
    Sunday,24 Nov 2013 01:46:10 [TCP Stealth FIN Port Scan][Deny access policy matched, dropping packet]
    Sunday,24 Nov 2013 01:46:13 [TCP SYN Flood][Deny access policy matched, dropping packet]
    Sunday,24 Nov 2013 01:46:13 [TCP Stealth FIN Port Scan][Deny access policy matched, dropping packet]
    Sunday,24 Nov 2013 01:46:15 [TCP Stealth FIN Port Scan][Deny access policy matched, dropping packet]
    Sunday,24 Nov 2013 01:46:15 [TCP SYN Flood][Deny access policy matched, dropping packet]
    Sunday,24 Nov 2013 01:46:18 [TCP SYN Flood][Deny access policy matched, dropping packet]
    Sunday,24 Nov 2013 01:46:18 [TCP Stealth FIN Port Scan][Deny access policy matched, dropping packet]
    Sunday,24 Nov 2013 01:46:18 [TCP SYN Flood][Deny access policy matched, dropping packet]
    Sunday,24 Nov 2013 01:46:20 [TCP SYN Flood][Deny access policy matched, dropping packet]
    Sunday,24 Nov 2013 01:46:20 [TCP Stealth FIN Port Scan][Deny access policy matched, dropping packet]
    Sunday,24 Nov 2013 01:46:21 [TCP SYN Flood][Deny access policy matched, dropping packet]
    Sunday,24 Nov 2013 01:46:27 [TCP Stealth FIN Port Scan][Deny access policy matched, dropping packet]
    Sunday,24 Nov 2013 01:46:27 [TCP SYN Flood][Deny access policy matched, dropping packet]
    Sunday,24 Nov 2013 01:46:35 [TCP SYN Flood][Deny access policy matched, dropping packet]
    Sunday,24 Nov 2013 01:46:42 [TCP SYN Flood][Deny access policy matched, dropping packet]
    Sunday,24 Nov 2013 01:46:42 [TCP Stealth FIN Port Scan][Deny access policy matched, dropping packet]
    Sunday,24 Nov 2013 01:46:43 [TCP SYN Flood][Deny access policy matched, dropping packet]
    Sunday,24 Nov 2013 01:46:43 [TCP Stealth FIN Port Scan][Deny access policy matched, dropping packet]
    Sunday,24 Nov 2013 01:46:44 [TCP SYN Flood][Deny access policy matched, dropping packet]
    Sunday,24 Nov 2013 01:46:45 [TCP SYN Flood][Deny access policy matched, dropping packet]
    Sunday,24 Nov 2013 01:46:46 [TCP Stealth FIN Port Scan][Deny access policy matched, dropping packet]
    Sunday,24 Nov 2013 01:46:47 [TCP SYN Flood][Deny access policy matched, dropping packet]
    Sunday,24 Nov 2013 01:46:47 [TCP SYN Flood][Deny access policy matched, dropping packet]
    Sunday,24 Nov 2013 01:46:47 [TCP Stealth FIN Port Scan][Deny access policy matched, dropping packet]
    Sunday,24 Nov 2013 01:46:50 [TCP Stealth FIN Port Scan][Deny access policy matched, dropping packet]
    Sunday,24 Nov 2013 01:46:50 [TCP SYN Flood][Deny access policy matched, dropping packet]
    Sunday,24 Nov 2013 01:46:51 [TCP Stealth FIN Port Scan][Deny access policy matched, dropping packet]
    Sunday,24 Nov 2013 01:46:55 [TCP SYN Flood][Deny access policy matched, dropping packet]
    Sunday,24 Nov 2013 01:46:55 [TCP Stealth FIN Port Scan][Deny access policy matched, dropping packet]
    Sunday,24 Nov 2013 01:46:56 [TCP SYN Flood][Deny access policy matched, dropping packet]
    Sunday,24 Nov 2013 01:47:02 [TCP Stealth FIN Port Scan][Deny access policy matched, dropping packet]
    Sunday,24 Nov 2013 01:47:21 [TCP SYN Flood][Deny access policy matched, dropping packet]
    Sunday,24 Nov 2013 01:47:23 [TCP Stealth FIN Port Scan][Deny access policy matched, dropping packet]
    Sunday,24 Nov 2013 01:47:23 [TCP SYN Flood][Deny access policy matched, dropping packet]
    Sunday,24 Nov 2013 01:47:32 [TCP SYN Flood][Deny access policy matched, dropping packet]
    Sunday,24 Nov 2013 01:47:32 [TCP Stealth FIN Port Scan][Deny access policy matched, dropping packet]
    Sunday,24 Nov 2013 01:47:33 [TCP SYN Flood][Deny access policy matched, dropping packet]
    Sunday,24 Nov 2013 01:47:33 [TCP Stealth FIN Port Scan][Deny access policy matched, dropping packet]
    Sunday,24 Nov 2013 01:47:34 [TCP SYN Flood][Deny access policy matched, dropping packet]
    Sunday,24 Nov 2013 01:47:35 [TCP SYN Flood][Deny access policy matched, dropping packet]
    Sunday,24 Nov 2013 01:47:58 [TCP Stealth FIN Port Scan][Deny access policy matched, dropping packet]
    Sunday,24 Nov 2013 01:47:59 [TCP SYN Flood][Deny access policy matched, dropping packet]
    Sunday,24 Nov 2013 01:48:03 [TCP SYN Flood][Deny access policy matched, dropping packet]
    Sunday,24 Nov 2013 01:48:10 [TCP SYN Flood][Deny access policy matched, dropping packet]
    Sunday,24 Nov 2013 01:48:10 [TCP Stealth FIN Port Scan][Deny access policy matched, dropping packet]
    Sunday,24 Nov 2013 01:48:11 [TCP SYN Flood][Deny access policy matched, dropping packet]
    Sunday,24 Nov 2013 01:48:36 [TCP SYN Flood][Deny access policy matched, dropping packet]
    Sunday,24 Nov 2013 01:48:39 [TCP Stealth FIN Port Scan][Deny access policy matched, dropping packet]
    Sunday,24 Nov 2013 01:48:41 [TCP Stealth FIN Port Scan][Deny access policy matched, dropping packet]
    Sunday,24 Nov 2013 01:48:46 [TCP Stealth FIN Port Scan][Deny access policy matched, dropping packet]
    Sunday,24 Nov 2013 01:48:54 [TCP SYN Flood][Deny access policy matched, dropping packet]
    Sunday,24 Nov 2013 01:49:11 [TCP SYN Flood][Deny access policy matched, dropping packet]
    Sunday,24 Nov 2013 01:49:11 [TCP Stealth FIN Port Scan][Deny access policy matched, dropping packet]
    Sunday,24 Nov 2013 01:49:13 [TCP SYN Flood][Deny access policy matched, dropping packet]
    Sunday,24 Nov 2013 01:49:14 [TCP SYN Flood][Deny access policy matched, dropping packet]
    Sunday,24 Nov 2013 01:49:24 [TCP SYN Flood][Deny access policy matched, dropping packet]
    Sunday,24 Nov 2013 01:49:44 [TCP SYN Flood][Deny access policy matched, dropping packet]
    Sunday,24 Nov 2013 01:49:48 [TCP SYN Flood][Deny access policy matched, dropping packet]
    Sunday,24 Nov 2013 01:49:49 [TCP SYN Flood][Deny access policy matched, dropping packet]
    Sunday,24 Nov 2013 01:49:49 [TCP Stealth FIN Port Scan][Deny access policy matched, dropping packet]
    Sunday,24 Nov 2013 01:50:00 [TCP SYN Flood][Deny access policy matched, dropping packet]
    Sunday,24 Nov 2013 01:50:28 [TCP SYN Flood][Deny access policy matched, dropping packet]
    Sunday,24 Nov 2013 01:50:29 [TCP SYN Flood][Deny access policy matched, dropping packet]
    Sunday,24 Nov 2013 01:50:29 [TCP Stealth FIN Port Scan][Deny access policy matched, dropping packet]
    Sunday,24 Nov 2013 01:50:31 [TCP SYN Flood][Deny access policy matched, dropping packet]
    Sunday,24 Nov 2013 01:50:32 [TCP SYN Flood][Deny access policy matched, dropping packet]
    Sunday,24 Nov 2013 01:50:38 [TCP SYN Flood][Deny access policy matched, dropping packet]
    Sunday,24 Nov 2013 01:50:38 [TCP Stealth FIN Port Scan][Deny access policy matched, dropping packet]
    Sunday,24 Nov 2013 01:50:39 [TCP SYN Flood][Deny access policy matched, dropping packet]
    Sunday,24 Nov 2013 01:50:39 [TCP Stealth FIN Port Scan][Deny access policy matched, dropping packet]
    Sunday,24 Nov 2013 01:50:40 [TCP SYN Flood][Deny access policy matched, dropping packet]
    Sunday,24 Nov 2013 01:50:43 [TCP SYN Flood][Deny access policy matched, dropping packet]
    Sunday,24 Nov 2013 01:50:45 [TCP Stealth FIN Port Scan][Deny access policy matched, dropping packet]
    Sunday,24 Nov 2013 01:50:53 [TCP SYN Flood][Deny access policy matched, dropping packet]
    Sunday,24 Nov 2013 01:51:03 [TCP Stealth FIN Port Scan][Deny access policy matched, dropping packet]
    Sunday,24 Nov 2013 01:51:03 [TCP SYN Flood][Deny access policy matched, dropping packet]
    Sunday,24 Nov 2013 01:51:15 [TCP SYN Flood][Deny access policy matched, dropping packet]
    Sunday,24 Nov 2013 01:51:29 [TCP Stealth FIN Port Scan][Deny access policy matched, dropping packet]
    Sunday,24 Nov 2013 01:51:29 [TCP SYN Flood][Deny access policy matched, dropping packet]
    Sunday,24 Nov 2013 01:51:43 [TCP SYN Flood][Deny access policy matched, dropping packet]
    Sunday,24 Nov 2013 01:51:44 [TCP SYN Flood][Deny access policy matched, dropping packet]
    Sunday,24 Nov 2013 01:51:45 [TCP SYN Flood][Deny access policy matched, dropping packet]
    Sunday,24 Nov 2013 01:51:49 [TCP SYN Flood][Deny access policy matched, dropping packet]
    Sunday,24 Nov 2013 01:51:49 [TCP Stealth FIN Port Scan][Deny access policy matched, dropping packet]
    Sunday,24 Nov 2013 01:51:50 [TCP SYN Flood][Deny access policy matched, dropping packet]
    Sunday,24 Nov 2013 01:51:50 [TCP Stealth FIN Port Scan][Deny access policy matched, dropping packet]
    Sunday,24 Nov 2013 01:51:52 [TCP SYN Flood][Deny access policy matched, dropping packet]
    Sunday,24 Nov 2013 01:51:53 [TCP SYN Flood][Deny access policy matched, dropping packet]
    Sunday,24 Nov 2013 01:51:53 [TCP Stealth FIN Port Scan][Deny access policy matched, dropping packet]
    Sunday,24 Nov 2013 01:51:54 [TCP SYN Flood][Deny access policy matched, dropping packet]
    Sunday,24 Nov 2013 01:51:55 [TCP SYN Flood][Deny access policy matched, dropping packet]
    Sunday,24 Nov 2013 02:51:47 [TCP Stealth FIN Port Scan][Deny access policy matched, dropping packet]
    Sunday,24 Nov 2013 02:51:47 [TCP SYN Flood][Deny access policy matched, dropping packet]
    Sunday,24 Nov 2013 02:53:11 [TCP Stealth FIN Port Scan][Deny access policy matched, dropping packet]
    Sunday,24 Nov 2013 02:53:12 [TCP SYN Flood][Deny access policy matched, dropping packet]
    Sunday,24 Nov 2013 02:53:12 [TCP Stealth FIN Port Scan][Deny access policy matched, dropping packet]
    Sunday,24 Nov 2013 02:53:13 [TCP SYN Flood][Deny access policy matched, dropping packet]
    Sunday,24 Nov 2013 02:53:14 [TCP Stealth FIN Port Scan][Deny access policy matched, dropping packet]
    Sunday,24 Nov 2013 02:53:14 [TCP SYN Flood][Deny access policy matched, dropping packet]
    Sunday,24 Nov 2013 02:53:15 [TCP Stealth FIN Port Scan][Deny access policy matched, dropping packet]
    Sunday,24 Nov 2013 02:53:17 [TCP Stealth FIN Port Scan][Deny access policy matched, dropping packet]
    Sunday,24 Nov 2013 02:53:17 [TCP SYN Flood][Deny access policy matched, dropping packet]
    Sunday,24 Nov 2013 02:53:18 [TCP Stealth FIN Port Scan][Deny access policy matched, dropping packet]
    Sunday,24 Nov 2013 02:53:19 [TCP SYN Flood][Deny access policy matched, dropping packet]
    Sunday,24 Nov 2013 02:53:20 [TCP Stealth FIN Port Scan][Deny access policy matched, dropping packet]
    Sunday,24 Nov 2013 02:53:22 [TCP Stealth FIN Port Scan][Deny access policy matched, dropping packet]
    Sunday,24 Nov 2013 02:53:27 [TCP SYN Flood][Deny access policy matched, dropping packet]
    Sunday,24 Nov 2013 02:53:27 [TCP Stealth FIN Port Scan][Deny access policy matched, dropping packet]
    Sunday,24 Nov 2013 02:53:28 [TCP SYN Flood][Deny access policy matched, dropping packet]
    Sunday,24 Nov 2013 02:53:28 [TCP Stealth FIN Port Scan][Deny access policy matched, dropping packet]
    Sunday,24 Nov 2013 02:53:29 [TCP Stealth FIN Port Scan][Deny access policy matched, dropping packet]
    Sunday,24 Nov 2013 02:53:36 [TCP Stealth FIN Port Scan][Deny access policy matched, dropping packet]
    Sunday,24 Nov 2013 02:53:36 [TCP SYN Flood][Deny access policy matched, dropping packet]
    Sunday,24 Nov 2013 02:53:37 [TCP Stealth FIN Port Scan][Deny access policy matched, dropping packet]
    Sunday,24 Nov 2013 02:53:37 [TCP SYN Flood][Deny access policy matched, dropping packet]
    Sunday,24 Nov 2013 02:53:38 [TCP Stealth FIN Port Scan][Deny access policy matched, dropping packet]
    Sunday,24 Nov 2013 02:53:41 [TCP Stealth FIN Port Scan][Deny access policy matched, dropping packet]
    Sunday,24 Nov 2013 02:53:41 [TCP SYN Flood][Deny access policy matched, dropping packet]
    Sunday,24 Nov 2013 02:53:42 [TCP SYN Flood][Deny access policy matched, dropping packet]
    Sunday,24 Nov 2013 02:53:42 [TCP Stealth FIN Port Scan][Deny access policy matched, dropping packet]
    Sunday,24 Nov 2013 02:53:43 [TCP Stealth FIN Port Scan][Deny access policy matched, dropping packet]
    Sunday,24 Nov 2013 02:53:43 [TCP SYN Flood][Deny access policy matched, dropping packet]
    Sunday,24 Nov 2013 02:53:48 [TCP Stealth FIN Port Scan][Deny access policy matched, dropping packet]
    Sunday,24 Nov 2013 02:53:48 [TCP SYN Flood][Deny access policy matched, dropping packet]
    Sunday,24 Nov 2013 13:01:19 [TCP SYN Flood][Deny access policy matched, dropping packet]
    Sunday,24 Nov 2013 13:01:34 [TCP Stealth FIN Port Scan][Deny access policy matched, dropping packet]
    Sunday,24 Nov 2013 14:32:42 [TCP SYN Flood][Deny access policy matched, dropping packet]
    Sunday,24 Nov 2013 15:21:19 [TCP SYN Flood][Deny access policy matched, dropping packet]
    Sunday,24 Nov 2013 16:44:53 [TCP SYN Flood][Deny access policy matched, dropping packet]
    Sunday,24 Nov 2013 21:32:53 Authentication attempt failed for admin from 192.168.1.2 because: Bad Password
    Sunday,24 Nov 2013 21:32:59 Authentication successful for admin from 192.168.1.2
    Sunday,24 Nov 2013 21:41:54 [TCP Stealth FIN Port Scan][Deny access policy matched, dropping packet]
    Sunday,24 Nov 2013 21:42:50 [TCP Stealth FIN Port Scan][Deny access policy matched, dropping packet]
    Sunday,24 Nov 2013 21:42:50 [TCP SYN Flood][Deny access policy matched, dropping packet]
    Sunday,24 Nov 2013 21:42:51 [TCP SYN Flood][Deny access policy matched, dropping packet]
    Sunday,24 Nov 2013 21:42:54 [TCP SYN Flood][Deny access policy matched, dropping packet]
    Sunday,24 Nov 2013 21:42:54 [TCP Stealth FIN Port Scan][Deny access policy matched, dropping packet]
    Sunday,24 Nov 2013 22:01:33 [TCP SYN Flood][Deny access policy matched, dropping packet]
    Sunday,24 Nov 2013 22:17:38 [TCP SYN Flood][Deny access policy matched, dropping packet]
    Sunday,24 Nov 2013 22:17:38 [TCP Stealth FIN Port Scan][Deny access policy matched, dropping packet]
    Sunday,24 Nov 2013 22:25:46 Authentication successful for admin from 192.168.1.2
    Monday,25 Nov 2013 00:08:26 [TCP Stealth FIN Port Scan][Deny access policy matched, dropping packet]
    Monday,25 Nov 2013 00:08:26 [TCP SYN Flood][Deny access policy matched, dropping packet]
    Monday,25 Nov 2013 00:08:58 [TCP SYN Flood][Deny access policy matched, dropping packet]
    Monday,25 Nov 2013 00:15:27 [TCP Stealth FIN Port Scan][Deny access policy matched, dropping packet]
    Monday,25 Nov 2013 00:18:41 [TCP Stealth FIN Port Scan][Deny access policy matched, dropping packet]
    Monday,25 Nov 2013 00:18:42 [TCP SYN Flood][Deny access policy matched, dropping packet]
    Monday,25 Nov 2013 00:18:43 [TCP Stealth FIN Port Scan][Deny access policy matched, dropping packet]
    Monday,25 Nov 2013 00:22:32 [TCP Stealth FIN Port Scan][Deny access policy matched, dropping packet]
    Monday,25 Nov 2013 00:24:15 [TCP Stealth FIN Port Scan][Deny access policy matched, dropping packet]
    Monday,25 Nov 2013 00:25:52 [TCP Stealth FIN Port Scan][Deny access policy matched, dropping packet]
    Monday,25 Nov 2013 01:04:57 Authentication successful for admin from 192.168.1.2

    What is stealth fin port scan and TCP SYN Flood?

    I will try to remember to take a screen shot of each page in the router setup so that you can better direct me. Thank you again for your replies and I hope that I can get to the bottom of this.
     
  12. BraderzTheDog

    BraderzTheDog Kilobyte Poster

    276
    2
    49
    Hi there,

    A SYN Flood is basically an exploit within TCP that can cause network devices to go down.

    I'm not sure if you know TCP well, but when a connection is initiated there are three stages (known as the three way handshake). First connection is known as sending a SYN, the reply would be a SYN-ACK the third is an acknowledgement of the SYN-ACK, called an ACK.

    Lets say theoretically I am an attacker, and I want to take down a server or a service. I could initiate a SYN-Flood Attack. From my machine I could use a program such as backtrack to send a load of TCP SYN requests to a server. Normally the server would reply to me with a SYN-ACK and then I would confirm the reply again with an ACK. However, with this attack I send a load of SYN's to the sever... But when the server replies, I ignore these. Meaning the session table on the server starts to fill up because it can't close connections for X ammount of time. If I send enough SYN's to fill the session table no more connections will be able to reach the server. Causing legitimate traffic to be dropped.

    This will basically create a network outage. Having said all that... I do see this message quite alot, and its usually legitimate traffic. The router or firewall has just triggered this alert because of the way a) the device handles the packet / and/or b) the way the firewall or router inspects the packet.

    More info;

    SYN flood - Wikipedia, the free encyclopedia
     
    Certifications: CCNA R&S, CCNA-SEC, CCSA, JNCIA FWV, MCITP, MCTS, MTA, A+

Share This Page

Loading...