Attempt made to hack my home WLAN (I think)

Two nights ago around midnight, I believe a user in the neighbourhood tried to break into my WLAN. It irritated the heck out of me.

It was on my wife’s PC (which is normally the only wireless PC in our apartment, as our laptop is mostly at my wife’s place of work) and around midnight I started a software update on her PC, just before my going to bed. Within a few minutes of the software update, the process stalled, and eventually timed out. I noted her browser also timed out at the same time, so I checked her wireless connection and saw it was down. I tried a bit to get it going via kdenetwork manager, then via YaST > Network devices, and when that failed I rebooted her PC and tried Windows. The same problem. I rebooted back to Linux, same problem. … I messed around a bit more, rebooted another time, … and then I went to our router and checked the router’s configuration (which was correct) and the router’s logs …

....... snipped .......
27.07.2008 23:58:11 sende ACK an 192.168.2.100
27.07.2008 23:57:43 sende ACK an 192.168.2.100
27.07.2008 23:57:41 sende OFFER an 192.168.2.100
27.07.2008 23:57:29 sende OFFER an 192.168.2.100
27.07.2008 23:56:21 sende ACK an 192.168.2.100
27.07.2008 23:56:18 sende OFFER an 192.168.2.100
27.07.2008 23:47:10 **SYN Flood to Host** 85.190.0.3, 41927->> 79.216.215.8, 1098 (von PPPoE1 - Eingang)
27.07.2008 23:46:55 DDNS> Vorgang abgeschlossen, DDNS IP=79.216.215.8
27.07.2008 23:46:33 NTP Datum und Uhrzeit wurden aktualisiert. 

I’m not a German speaker but this “SYN Flood to Host” suggests to me a denial of service attack on our WAN, in order for some user to try to hack into our WPA encrypted LAN as they have increased the protocol exchange between the router and my wife’s PC.

Since it was midnight, I decided it was more important to get sleep than anything else, so I simply switched OFF the router, and went to bed. In the morning, the WLAN worked perfectly! (which makes me think the jerk who was trying to hack our WLAN went to bed).

I’ve changed our WLAN password, but the episode left me rather seething …

Further to the above, I have read:

SYN Flood Attack - An assault on a network that prevents a TCP/IP server from servicing other users. It is accomplished by not sending the final acknowledgment to the server’s SYN-ACK response (SYNchronize-ACKnowledge) in the handshaking sequence, which causes the server to keep signaling until it eventually times out. The source address from the client is, of course, counterfeit. SYN flood attacks can either overload the server or cause it to crash.

“SYN FLOOD Attack” is not quite the same as “SYN Flood to Host” but it looks awfully similar.

The best thing to do, as well as using WPA, is to set up MAC address filtering on the wireless router. That is what I do, as I have a lot of script-kiddies in my area (now even more as it’s the school holidays :frowning: ) and it works a treat. Also, don’t forget, some browsers open several “pipes” to the internet, so check how many connections your browser is making. If in Firefox, do about:config in the address bar and look for the line network.http.max-connections-per-server and make sure it is not too high; I find 15 is enough.

Andy

oldcpu,

is that a German Telekom router? Some of them have a kind of bizarre feature, it seems: When you open more than X connections to the same server, it thinks you are attacking that server and closes the connection, protecting the internet from you.

If that’s the case, see if you can set the syn flood protection on the router to a higher value, or disable it for testing purposes.

HTH
Uwe

oldcpu wrote:
> --------------------
> … snipped …
> 27.07.2008 23:58:11 sende ACK an 192.168.2.100
> 27.07.2008 23:57:43 sende ACK an 192.168.2.100
> 27.07.2008 23:57:41 sende OFFER an 192.168.2.100
> 27.07.2008 23:57:29 sende OFFER an 192.168.2.100
> 27.07.2008 23:56:21 sende ACK an 192.168.2.100
> 27.07.2008 23:56:18 sende OFFER an 192.168.2.100
> 27.07.2008 23:47:10 SYN Flood to Host 85.190.0.3, 41927->> 79.216.215.8, 1098 (von PPPoE1 - Eingang)
> 27.07.2008 23:46:55 DDNS> Vorgang abgeschlossen, DDNS IP=79.216.215.8
> 27.07.2008 23:46:33 NTP Datum und Uhrzeit wurden aktualisiert.
> --------------------

I don’t think that looks like an attack on your WLAN. To begin
with, the “SYN flood” your router claims to have detected came
from the Internet to your public IP address, not from the Wireless
interface. Secondly, the source address of said “SYN flood”,
85.190.0.3 belongs to proxyscan.freenode.net, Freenode’s open
proxy scanner, see http://freenode.net/policy.shtml#proxies for
details.

It looks rather like your router is overzealous in its attempts to
detect and block “attacks”, thereby cutting off legitimate traffic.
That behaviour is unfortunately rather common in consumer routers.
If your router’s configuration menus offer a possibility to switch
off “SYN flood detection” I guess you’ll be better off doing that.

HTH
T.


Tilman Schmidt
Phoenix Software GmbH
Bonn, Germany
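To make Tilman’s reading of the log concrete, here is an added example (my own code, not anything from the thread or from the Speedport firmware) that parses entries in the format oldcpu quoted and reports, for each “SYN Flood to Host” line, whether it arrived inbound on the PPPoE uplink from a public address and whether its target was the router’s own public IP as recorded by the DDNS line; it also tallies the DHCP OFFER/ACK exchanges per client. The sample log is constructed from the quoted entries. Reading “von PPPoE1 - Eingang” as “from PPPoE1, inbound” is my assumption about the Speedport’s wording, and the Freenode attribution of 85.190.0.3 is Tilman’s statement, not something the code checks (it runs offline, with no DNS lookup).

```python
import ipaddress
import re
from collections import defaultdict
from datetime import datetime

# Constructed sample, modelled on the Speedport W700V log entries quoted in the
# thread. The router logs in German: "sende OFFER/ACK an <ip>" is the DHCP server
# answering a client; "von PPPoE1 - Eingang" is read here (assumption) as
# "from PPPoE1 - inbound", i.e. traffic arriving on the WAN uplink.
SAMPLE_LOG = """\
27.07.2008 23:58:11 sende ACK an 192.168.2.100
27.07.2008 23:57:43 sende ACK an 192.168.2.100
27.07.2008 23:57:41 sende OFFER an 192.168.2.100
27.07.2008 23:57:29 sende OFFER an 192.168.2.100
27.07.2008 23:56:21 sende ACK an 192.168.2.100
27.07.2008 23:56:18 sende OFFER an 192.168.2.100
27.07.2008 23:47:10 SYN Flood to Host 85.190.0.3, 41927->> 79.216.215.8, 1098 (von PPPoE1 - Eingang)
27.07.2008 23:46:55 DDNS> Vorgang abgeschlossen, DDNS IP=79.216.215.8
27.07.2008 23:46:33 NTP Datum und Uhrzeit wurden aktualisiert.
"""

TS_RE = re.compile(r"^(\d{2}\.\d{2}\.\d{4} \d{2}:\d{2}:\d{2}) (.*)$")
DHCP_RE = re.compile(r"^sende (OFFER|ACK) an (\S+)$")
DDNS_RE = re.compile(r"DDNS IP=(\S+)")
SYN_RE = re.compile(r"^SYN Flood to Host (\S+), (\d+)->> (\S+), (\d+) \(von (\S+) - (\S+)\)$")


def parse_line(line):
    """Classify one log line; returns a dict, or None for a line without a timestamp."""
    m = TS_RE.match(line.strip().replace("*", ""))  # forum bold markup adds '*'
    if not m:
        return None
    ts = datetime.strptime(m.group(1), "%d.%m.%Y %H:%M:%S")
    msg = m.group(2)
    d = DHCP_RE.match(msg)
    if d:
        return {"ts": ts, "kind": "dhcp", "stage": d.group(1), "client": d.group(2)}
    s = SYN_RE.match(msg)
    if s:
        return {"ts": ts, "kind": "syn_flood",
                "src": s.group(1), "sport": int(s.group(2)),
                "dst": s.group(3), "dport": int(s.group(4)),
                "iface": s.group(5), "inbound": s.group(6) == "Eingang"}
    n = DDNS_RE.search(msg)
    if n:
        return {"ts": ts, "kind": "ddns", "public_ip": n.group(1)}
    return {"ts": ts, "kind": "other", "text": msg}


def triage(log_text):
    """Say where each 'SYN Flood' report came from and tally the DHCP chatter per client."""
    events = [e for e in map(parse_line, log_text.splitlines()) if e]
    # The DDNS update records the router's own public address at the time.
    public_ip = next((e["public_ip"] for e in events if e["kind"] == "ddns"), None)

    dhcp = defaultdict(lambda: {"OFFER": 0, "ACK": 0})
    for e in events:
        if e["kind"] == "dhcp":
            dhcp[e["client"]][e["stage"]] += 1

    floods = []
    for e in events:
        if e["kind"] != "syn_flood":
            continue
        src = ipaddress.ip_address(e["src"])
        if src.is_private:
            origin = "lan"      # an RFC 1918 source would point at a local client
        elif e["inbound"] and e["iface"].startswith("PPPoE"):
            origin = "wan"      # public source arriving on the uplink: from the Internet
        else:
            origin = "unknown"
        floods.append({"src": e["src"], "sport": e["sport"], "dst": e["dst"], "dport": e["dport"],
                       "origin": origin,
                       "target_is_router_public_ip": e["dst"] == public_ip})
    return {"public_ip": public_ip, "dhcp": dict(dhcp), "syn_flood": floods}


if __name__ == "__main__":
    for f in triage(SAMPLE_LOG)["syn_flood"]:
        print(f"{f['src']}:{f['sport']} -> {f['dst']}:{f['dport']} origin={f['origin']} "
              f"target_is_router={f['target_is_router_public_ip']}")
```

Run against the quoted entries it reports the one “SYN Flood” as a public source arriving inbound on PPPoE1 and aimed at the router’s own DDNS address, and three OFFER/ACK pairs for 192.168.2.100, which is a client re-requesting its lease after each reboot rather than anything coming over the air.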

Yes, it’s a rather limited Speedport W700V (V2) provided/owned by T-Online.

But we had only one PC using the wireless. We can see a half dozen or so other wireless signals from our flat.

Ok thanks, I see “Tilman Schmidt” suggests something similar:

That puzzled me too. … Although that is the log after my having switched the router OFF once, and was still experiencing what I “thought” to be a continuation of an attack. Hindsight being 50-50, I should have looked at and kept the log before the 1st switch OFF.

I had an IRC chat session (via freenode) running on a wired PC, on a wired LAN (also connected to same router) at the time, … I would hope that could not affect the wireless on the router?

We have used a Level One router in the past, and never experienced this before. As noted, switching OFF the router overnight (from about midnight to 8am) did clear the problem. And I note the problem still has not re-occurred (yet).

I’ll go through the menus with my English/German dictionary, and see what I can come up with.

Thanks for the suggestions.

Hmmm, had a problem when openSUSE 10.3 came out with updating. Same thing, never bothered checking the log but it froze up then timed out everything. Something to do with all the add’l ports that are being opened in order to receive the downloads. You may want to run a port scan on localhost next time you download a bunch of apps from the repos and see if that has something to do with it…

I’ll second Tilman’s opinion. SYN-flood attacks are obsolete, dating on the timeline with the ping-of-death. That’s not to say it’s not happening, but it would be surprising if someone targeted you specifically for one, I suspect your router is being overzealous.

But to put your mind at ease, it’s certainly not an attack on your wifi network. WPA is fairly secure from the script kiddies, as well, so no need to worry there, though you may want to change your PSK regularly. You’ll run into more DoS simply from the proliferation of wifi networks, than actual attacks on your network (as I can attest, with 20 different wifi networks in range of my condo, it’s a battle for signal bandwidth… :wink: )

Cheers,
KV

[Note: Somehow all your reply lines appear appended to the end of the
last line of the preceding quote here. No idea why - I assume you didn’t
write them that way. :slight_smile: Perhaps spending an additional empty line to
separate them would help.]

oldcpu wrote:
> buckesfeld;1847389 Wrote:
>> is that a German Telekom router?
> Yes, it’s a rather limited Speedport W700V (V2) provided/owned by
> T-Online.

Ah yes, I read a lot of complaints about that one in the T-Online
newsgroups. Not trying to discourage you …

>> Some of them have a kind of bizarre feature, it seems: When you open
>> more than X connections to the same server, it thinks you are attacking
>> that server and closes the connection, protecting the internet from you.
> But we had only one PC using the wireless. We can see a half dozen or
> so other wireless signals from our flat.

A single PC can open many connections to the same server too, for example
trying to automatically download updates in the background.

> Tilman Schmidt;1847625 Wrote:
>> Secondly, the source address of said “SYN flood”, 85.190.0.3 belongs to
>> proxyscan.freenode.net, Freenode’s open
>> proxy scanner, see ‘freenode: Policies’
>> (http://freenode.net/policy.shtml#proxies) for
>> details.
> I had an IRC chat session (via freenode) running on a wired PC, on a
> wired LAN (also connected to same router) at the time, … I would hope
> that could not affect the wireless on the router?

No, it just explains why Freenode scanned you, triggering your Speedport’s
misguided SYN flood detection.

>> If your router’s configuration menus offer a possibility to switch off
>> “SYN flood detection” I guess you’ll be better off doing that.
> I’ll go through the menus with my English/German dictionary, and see
> what I can come up with.

I could help you with the German, but unfortunately I don’t have access
to a Speedport myself to have a look. I hope you’ll figure it out.

HTH
T.


Tilman Schmidt t.schmidt@phoenixsoftware.de
Phoenix Software GmbH www.phoenixsoftware.de
Adolf-Hombitzer-Str. 12 Amtsgericht Bonn HRB 2934
53227 Bonn, Germany Managing Director: W. Grießl
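Uwe’s point that the Speedport trips on “more than X connections to the same server”, Tilman’s follow-up that a single PC doing a background update can open that many on its own, and Andy’s advice to check how many connections the browser is making all come down to one check on the client: count your own host’s open connections per remote server. Here is an added example of that check (my code, not from the thread). On Linux the raw data would come from `ss -tn`; the sample below is constructed in that shape rather than captured from anyone’s machine, and the default limit of 15 is the figure Andy gave for Firefox’s network.http.max-connections-per-server, not a known Speedport threshold.

```python
from collections import Counter

# Constructed sample in the shape of `ss -tn` output on Linux (not captured from
# anyone's machine in the thread): sixteen parallel connections from the wireless
# PC to one web server, as a bulk update download or a browser with a high
# per-server connection limit would open, plus two to another host.
# 203.0.113.0/24 and 198.51.100.0/24 are documentation ranges (RFC 5737).
SAMPLE_SS = (
    "State Recv-Q Send-Q Local Address:Port Peer Address:Port\n"
    + "".join(f"ESTAB 0 0 192.168.2.100:{42000 + i} 203.0.113.10:80\n" for i in range(16))
    + "ESTAB 0 0 192.168.2.100:42900 198.51.100.5:443\n"
    + "ESTAB 0 0 192.168.2.100:42901 198.51.100.5:443\n"
)


def count_per_peer(ss_output):
    """Count TCP connections per remote host from `ss -tn`-style text."""
    counts = Counter()
    for line in ss_output.splitlines():
        fields = line.split()
        if len(fields) < 5 or fields[0] == "State":
            continue  # header line or something too short to be a socket row
        # Peer is 'host:port'; rsplit on the last colon keeps an IPv6 literal
        # such as [2001:db8::1]:443 intact as the host part.
        peer = fields[4].rsplit(":", 1)[0]
        counts[peer] += 1
    return counts


def peers_over(ss_output, limit=15):
    """Remote hosts with more than `limit` simultaneous connections from this machine.

    The default of 15 is Andy's Firefox figure (assumption that it is a sensible
    starting point); the router's own trip level is not documented in the thread.
    """
    return {peer: n for peer, n in count_per_peer(ss_output).items() if n > limit}


if __name__ == "__main__":
    for peer, n in peers_over(SAMPLE_SS).items():
        print(f"{peer}: {n} connections open (over limit)")
```

If a host shows up here at the moment the router drops the link, the router’s “SYN flood” verdict is reacting to your own traffic, and the fix is on your side (lower the per-server limit, or raise or disable the router’s detection as Uwe and Tilman suggest) rather than a sign of anyone outside.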