
Thread: Attempt made to hack my home WLAN (I think)

  1. #1
    Join Date
    Mar 2008
    Location
    Phuket, Thailand
    Posts
    26,595
    Blog Entries
    38

    Attempt made to hack my home WLAN (I think)

    Two nights ago around midnight, I believe a user in the neighbourhood tried to break into my WLAN. It irritated the heck out of me.

    It was on my wife's PC (which is normally the only wireless PC in our apartment, as our laptop is mostly at my wife's place of work) and around midnight I started a software update on her PC, just before my going to bed. Within a few minutes of the software update, the process stalled, and eventually timed out. I noted her browser also timed out at the same time, so I checked her wireless connection and saw it was down. I tried a bit to get it going via kdenetwork manager, then via YaST > Network devices, and when that failed I rebooted her PC and tried Windows. The same problem. I rebooted back to Linux, same problem. .... I messed around a bit more, rebooted another time, ... and then I went to our router and checked the router's configuration (which was correct) and the router's logs ...
    Code:
    ....... snipped .......
    27.07.2008 23:58:11 sende ACK an 192.168.2.100
    27.07.2008 23:57:43 sende ACK an 192.168.2.100
    27.07.2008 23:57:41 sende OFFER an 192.168.2.100
    27.07.2008 23:57:29 sende OFFER an 192.168.2.100
    27.07.2008 23:56:21 sende ACK an 192.168.2.100
    27.07.2008 23:56:18 sende OFFER an 192.168.2.100
    27.07.2008 23:47:10 **SYN Flood to Host** 85.190.0.3, 41927->> 79.216.215.8, 1098 (von PPPoE1 - Eingang)
    27.07.2008 23:46:55 DDNS> Vorgang abgeschlossen, DDNS IP=79.216.215.8
    27.07.2008 23:46:33 NTP Datum und Uhrzeit wurden aktualisiert.
    I'm not a German speaker but this "SYN Flood to Host" suggests to me a denial of service attack on our WAN, in order for some user to try to hack into our WPA encrypted LAN as they have increased the protocol exchange between the router and my wife's PC.

    Since it was midnight, I decided it was more important to get sleep than anything else, so I simply switched OFF the router, and went to bed. In the morning, the WLAN worked perfectly! (which makes me think the jerk who was trying to hack our WLAN went to bed).

    I've changed our WLAN password, but the episode left me rather seething ....

  2. #2
    Join Date
    Mar 2008
    Location
    Phuket, Thailand
    Posts
    26,595
    Blog Entries
    38

    Re: Attempt made to hack my home WLAN (I think)

    Quote Originally Posted by oldcpu:
    I'm not a German speaker but this "SYN Flood to Host" suggests to me a denial of service attack on our WAN, in order for some user to try hack into our WPA encrypted LAN as they have increased the protocol exchange between the router and my wife's PC.
    Further to the above, I have read:

    SYN Flood Attack - An assault on a network that prevents a TCP/IP server from servicing other users. It is accomplished by not sending the final acknowledgment to the server's SYN-ACK response (SYNchronize-ACKnowledge) in the handshaking sequence, which causes the server to keep signaling until it eventually times out. The source address from the client is, of course, counterfeit. SYN flood attacks can either overload the server or cause it to crash.

    "SYN FLOOD Attack" is not quite the same as "SYN Flood to Host" but it looks awfully similar.

  3. #3
    Join Date
    Jan 2008
    Location
    U.K East Anglia
    Posts
    2,581

    Re: Attempt made to hack my home WLAN (I think)

    Best thing to do, as well as using WPA, is to set up MAC address filtering on the wireless router. That is what I do, as I have a lot of script-kiddies in my area (now even more as it's the school holidays); works a treat. Also, don't forget, some browsers open several "pipes" to the internet, so check how many connections your browser is making. If in Firefox, do the about:config in the address bar & look for this line network.http.max-connections-per-server & make sure it is not too high; I find 15 is enough.

    Andy
    Last edited by deltaflyer44; 29-Jul-2008 at 00:35.

  4. #4
    Join Date
    Mar 2008
    Location
    Bochum, Germany
    Posts
    3,587

    Re: Attempt made to hack my home WLAN (I think)

    * oldcpu,

    is that a German Telekom router? Some of them have a kind of bizarre feature, it seems: When you open more than X connections to the same server, it thinks you are attacking that server and closes the connection, protecting the internet from you.

    If that's the case, see if you can set the syn flood protection on the router to a higher value, or disable it for testing purposes.

    HTH
    Uwe

  5. #5
    Tilman Schmidt NNTP User

    Re: Attempt made to hack my home WLAN (I think)

    oldcpu schrieb:
    > --------------------
    > ....... snipped .......
    > 27.07.2008 23:58:11 sende ACK an 192.168.2.100
    > 27.07.2008 23:57:43 sende ACK an 192.168.2.100
    > 27.07.2008 23:57:41 sende OFFER an 192.168.2.100
    > 27.07.2008 23:57:29 sende OFFER an 192.168.2.100
    > 27.07.2008 23:56:21 sende ACK an 192.168.2.100
    > 27.07.2008 23:56:18 sende OFFER an 192.168.2.100
    > 27.07.2008 23:47:10 **SYN Flood to Host** 85.190.0.3, 41927->> 79.216.215.8, 1098 (von PPPoE1 - Eingang)
    > 27.07.2008 23:46:55 DDNS> Vorgang abgeschlossen, DDNS IP=79.216.215.8
    > 27.07.2008 23:46:33 NTP Datum und Uhrzeit wurden aktualisiert.
    > --------------------


    I don't think that looks like an attack on your WLAN. To begin
    with, the "SYN flood" your router claims to have detected came
    from the Internet to your public IP address, not from the Wireless
    interface. Secondly, the source address of said "SYN flood",
    85.190.0.3 belongs to proxyscan.freenode.net, Freenode's open
    proxy scanner, see http://freenode.net/policy.shtml#proxies for
    details.

    It looks rather like your router is overzealous in its attempts to
    detect and block "attacks", thereby cutting off legitimate traffic.
    That behaviour is unfortunately rather common in consumer routers.
    If your router's configuration menus offer a possibility to switch
    off "SYN flood detection" I guess you'll be better off doing that.

    HTH
    T.

    --
    Tilman Schmidt
    Phoenix Software GmbH
    Bonn, Germany
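    The reasoning in the post above (the alert names the WAN interface as ingress, the source is a public address, the destination is the router's own public IP, and the burst of DHCP OFFER/ACK lines to one client just shows the wireless link going up and down) can be checked mechanically. The following Python script is an added example, not code from the thread or from any poster: it parses a constructed copy of the Speedport-style log lines quoted above, extracts the public IP from the DDNS line, classifies each "SYN Flood to Host" alert by direction, and flags a client that is repeatedly re-requesting a lease. The field names and the "Eingang" / "PPPoE" heuristics are assumptions based only on the lines in this thread.

```python
"""Summarise a Speedport-style router log: direction of SYN-flood alerts
and DHCP lease churn per LAN client. Added example; constructed input."""
import ipaddress
import re
from collections import Counter
from datetime import datetime, timedelta

# Constructed sample: the lines quoted in the thread, newest first.
SAMPLE_LOG = """\
27.07.2008 23:58:11 sende ACK an 192.168.2.100
27.07.2008 23:57:43 sende ACK an 192.168.2.100
27.07.2008 23:57:41 sende OFFER an 192.168.2.100
27.07.2008 23:57:29 sende OFFER an 192.168.2.100
27.07.2008 23:56:21 sende ACK an 192.168.2.100
27.07.2008 23:56:18 sende OFFER an 192.168.2.100
27.07.2008 23:47:10 **SYN Flood to Host** 85.190.0.3, 41927->> 79.216.215.8, 1098 (von PPPoE1 - Eingang)
27.07.2008 23:46:55 DDNS> Vorgang abgeschlossen, DDNS IP=79.216.215.8
27.07.2008 23:46:33 NTP Datum und Uhrzeit wurden aktualisiert.
"""

TS = r"(?P<ts>\d{2}\.\d{2}\.\d{4} \d{2}:\d{2}:\d{2})"
DHCP_RE = re.compile(TS + r" sende (?P<msg>OFFER|ACK) an (?P<client>[\d.]+)$")
SYN_RE = re.compile(
    TS + r" \*\*SYN Flood to Host\*\* (?P<src>[\d.]+), (?P<sport>\d+)->> "
    r"(?P<dst>[\d.]+), (?P<dport>\d+) \(von (?P<iface>[^)]+)\)$"
)
DDNS_RE = re.compile(TS + r" DDNS> .*DDNS IP=(?P<wan_ip>[\d.]+)$")
OTHER_RE = re.compile(TS + r" (?P<raw>.*)$")


def parse_ts(ts):
    return datetime.strptime(ts, "%d.%m.%Y %H:%M:%S")


def parse_log(text):
    """Turn raw log lines into typed events, sorted oldest first."""
    events = []
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        m = DHCP_RE.match(line)
        if m:
            events.append({"kind": "dhcp", "ts": parse_ts(m["ts"]),
                           "msg": m["msg"], "client": m["client"]})
            continue
        m = SYN_RE.match(line)
        if m:
            events.append({"kind": "syn", "ts": parse_ts(m["ts"]), "src": m["src"],
                           "sport": int(m["sport"]), "dst": m["dst"],
                           "dport": int(m["dport"]), "iface": m["iface"]})
            continue
        m = DDNS_RE.match(line)
        if m:
            events.append({"kind": "ddns", "ts": parse_ts(m["ts"]), "wan_ip": m["wan_ip"]})
            continue
        m = OTHER_RE.match(line)
        if m:
            events.append({"kind": "other", "ts": parse_ts(m["ts"]), "raw": m["raw"]})
    events.sort(key=lambda e: e["ts"])
    return events


def classify_syn(alert, wan_ip):
    """Say which side of the router an alert refers to (assumed heuristics)."""
    src = ipaddress.ip_address(alert["src"])
    dst = ipaddress.ip_address(alert["dst"])
    # "Eingang" = ingress; a PPPoE interface is the WAN uplink on this router.
    ingress_on_wan = alert["iface"].startswith("PPPoE") and "Eingang" in alert["iface"]
    if ingress_on_wan and not src.is_private and wan_ip and str(dst) == wan_ip:
        return "inbound-internet-to-wan"   # not wireless-side traffic at all
    if src.is_private:
        return "from-lan-client"
    return "unclassified"


def summarise(text, window=timedelta(minutes=5), min_offers=3):
    events = parse_log(text)
    wan_ip = next((e["wan_ip"] for e in events if e["kind"] == "ddns"), None)
    dhcp = Counter((e["client"], e["msg"]) for e in events if e["kind"] == "dhcp")
    syn = [dict(e, direction=classify_syn(e, wan_ip)) for e in events if e["kind"] == "syn"]
    # Several OFFERs to one client within a short window means the client keeps
    # re-requesting a lease: a link going up and down, which is a symptom, not an intrusion.
    offers = [e["ts"] for e in events if e["kind"] == "dhcp" and e["msg"] == "OFFER"]
    flapping = len(offers) >= min_offers and offers[-1] - offers[0] <= window
    return {"wan_ip": wan_ip, "dhcp": dict(dhcp), "syn_alerts": syn, "lease_flapping": flapping}


if __name__ == "__main__":
    s = summarise(SAMPLE_LOG)
    print("public IP:", s["wan_ip"])
    for a in s["syn_alerts"]:
        print(f"SYN alert {a['src']} -> {a['dst']}:{a['dport']} via {a['iface']}: {a['direction']}")
    print("DHCP per (client, msg):", s["dhcp"])
    print("client lease flapping:", s["lease_flapping"])
```

Run against a longer log export, the script separates the two things the original poster conflated: the alert is an inbound event on the WAN uplink aimed at the router's public address, while the DHCP churn to 192.168.2.100 is the wireless client re-associating. A "from-lan-client" result would be the one that actually warranted a look at the WLAN side.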

  6. #6
    Join Date
    Mar 2008
    Location
    Phuket, Thailand
    Posts
    26,595
    Blog Entries
    38

    Re: Attempt made to hack my home WLAN (I think)

    Quote Originally Posted by buckesfeld:
    is that a German Telekom router?
    Yes, it's a rather limited Speedport W700V (V2) provided/owned by T-Online.
    Quote Originally Posted by buckesfeld:
    Some of them have a kind of bizarre feature, it seems: When you open more than X connections to the same server, it thinks you are attacking that server and closes the connection, protecting the internet from you.
    But we had only one PC using the wireless. We can see a half dozen or so other wireless signals from our flat.

    Quote Originally Posted by buckesfeld:
    If that's the case, see if you can set the syn flood protection on the router to a higher value, or disable it for testing purposes.
    Ok thanks, I see "Tilman Schmidt" suggests something similar:

    Quote Originally Posted by Tilman Schmidt:
    I don't think that looks like an attack on your WLAN. To begin with, the "SYN flood" your router claims to have detected came from the Internet to your public IP address, not from the Wireless interface.
    That puzzled me too. ... Although that is the log after my having switched the router OFF once, and was still experiencing what I "thought" to be a continuation of an attack. Hindsight being 50-50, I should have looked at and kept the log before the 1st switch OFF.

    Quote Originally Posted by Tilman Schmidt:
    Secondly, the source address of said "SYN flood", 85.190.0.3 belongs to proxyscan.freenode.net, Freenode's open
    proxy scanner, see freenode: Policies for
    details.
    I had an IRC chat session (via freenode) running on a wired PC, on a wired LAN (also connected to same router) at the time, ... I would hope that could not affect the wireless on the router?

    Quote Originally Posted by Tilman Schmidt:
    It looks rather like your router is overzealous in its attempts to detect and block "attacks", thereby cutting off legitimate traffic. That behaviour is unfortunately rather common in consumer routers.
    We have used a Level One router in the past, and never experienced this before. As noted, switching OFF the router overnight (from about midnight to 8am) did clear the problem. And I note the problem still has not re-occurred (yet).

    Quote Originally Posted by Tilman Schmidt:
    If your router's configuration menus offer a possibility to switch off "SYN flood detection" I guess you'll be better off doing that.
    I'll go through the menus with my English/German dictionary, and see what I can come up with.

    Thanks for the suggestions.

  7. #7
    Join Date
    Jun 2008
    Location
    Orlando
    Posts
    16

    Re: Attempt made to hack my home WLAN (I think)

    Hmmm, had a problem when openSUSE 10.3 came out with updating. Same thing, never bothered checking the log but it froze up then timed out everything. Something to do with all the add'l ports that are being opened in order to receive the downloads. You may want to run a port scan on localhost next time you download a bunch of apps from the repos and see if that has something to do with it...

    Registered Linux User #419773

  8. #8
    Join Date
    Mar 2008
    Location
    Toronto, Canada
    Posts
    305

    Re: Attempt made to hack my home WLAN (I think)

    I'll second Tilman's opinion. SYN-flood attacks are obsolete, dating on the timeline with the ping-of-death. That's not to say it's not happening, but it would be surprising if someone targeted you specifically for one, I suspect your router is being overzealous.

    But to put your mind at ease, it's certainly not an attack on your wifi network. WPA is fairly secure from the script kiddies, as well, so no need to worry there, though you may want to change your PSK regularly. You'll run into more DoS simply from the proliferation of wifi networks, than actual attacks on your network (as I can attest, with 20 different wifi networks in range of my condo, it's a battle for signal bandwidth... )

    Cheers,
    KV

  9. #9
    Tilman Schmidt NNTP User

    Re: Attempt made to hack my home WLAN (I think)

    [Note: Somehow all your reply lines appear appended to the end of the
    last line of the preceding quote here. No idea why - I assume you didn't
    write them that way. :-) Perhaps spending an additional empty line to
    separate them would help.]

    oldcpu schrieb:
    > buckesfeld;1847389 Wrote:
    >> is that a German Telekom router? Yes, its a rather limited Speedport W700V (V2) provided/owned by

    > T-Online.


    Ah yes, I read a lot of complaints about that one in the T-Online
    newsgroups. Not trying to discourage you ...

    >> Some of them have a kind of bizarre feature, it seems: When you open
    >> more than X connections to the same server, it thinks you are attacking
    >> that server and closes the connection, protecting the internet from you.But we had only one PC using the wireless. We can see a half dozen or

    > so other wireless signals from our flat.


    A single PC can open many connections to the same server too, for example
    trying to automatically download updates in the background.

    > Tilman Schmidt;1847625 Wrote:
    >> Secondly, the source address of said "SYN flood", 85.190.0.3 belongs to
    >> proxyscan.freenode.net, Freenode's open
    >> proxy scanner, see 'freenode: Policies'
    >> (http://freenode.net/policy.shtml#proxies) for
    >> details. I had an IRC chat session (via freenode) running on a wired PC, on a

    > wired LAN (also connected to same router) at the time, ... I would hope
    > that could not affect the wireless on the router?


    No, it just explains why Freenode scanned you, triggering your Speedport's
    misguided SYN flood detection.

    >> If your router's configuration menus offer a possibility to switch off
    >> "SYN flood detection" I guess you'll be better off doing that.I'll go through the menu's with my English/German dictionary, and see

    > what I can come up with.


    I could help you with the German, but unfortunately I don't have access
    to a Speedport myself to have a look. I hope you'll figure it out.

    HTH
    T.

    --
    Tilman Schmidt t.schmidt@phoenixsoftware.de
    Phoenix Software GmbH www.phoenixsoftware.de
    Adolf-Hombitzer-Str. 12 Amtsgericht Bonn HRB 2934
    53227 Bonn, Germany Geschäftsführer: W. Griel
