Being flooded by server upon connecting !

Help with EFnet related issues


^Thor^
Posts: 3
Joined: Sun Aug 22, 2004 1:53 pm

Being flooded by server upon connecting !

Postby ^Thor^ » Sun Aug 22, 2004 3:20 pm

This applies to irc.lightning.net (irc.he.net). I haven't tried others. Every time I connect, I am FLOODED by (at last connect - but very close to same on ALL connects) 553 SYN packets to 63 individual ports. (And that's just what my log was able to catch - probably a lot more it didn't catch.) Isn't this a little excessive?

^Thor^
Osc
Posts: 75
Joined: Mon Aug 11, 2003 8:08 pm
Location: Atlanta, GA

Postby Osc » Sun Aug 22, 2004 6:31 pm

If I'm reading what you stated correctly, you are under the impression that something like 600 SYN packets equate to flooding.

Let's see how much data this is:

1 SYN packet = ~60 bytes (based on a google search)
multiply by 600 = 36,000. Or 36k.

If you have a 33.6 dialup connection, you would spend just over 1 second to transfer this amount of data.
irc.he.net Notice -- Osc (osc@irc.packetmonkeys.com) is now an operator
<CHANFIX> You're now logged in with the following flags: ADMIN.
<OCF> Authentication successful. Welcome, Osc.
^Thor^
Posts: 3
Joined: Sun Aug 22, 2004 1:53 pm

Postby ^Thor^ » Sun Aug 22, 2004 11:14 pm

Well, Osc, you're quite right in what you say, of course....as far as it goes. As I pointed out in the next sentence, however, there is a lot more my logs -didn't- catch. I'll send you a PM with some additional details. But my question still stands....does a server really need to hit close to 100 ports (just rounding up from the 63 I caught in my logs, and taking into account those I didn't catch) at least 10 - 15 - 20 times each? My router is even freaking out, calling it a hacking attempt, alerting on the port scans, and flagging TCP SYN flooding incoming.

I suppose one could easily question or dismiss an individual shouting 'flood', but when the router starts freaking, too, one has to lend a little more credence to the claim.

^Thor^
Osc
Posts: 75
Joined: Mon Aug 11, 2003 8:08 pm
Location: Atlanta, GA

Postby Osc » Mon Aug 23, 2004 12:09 pm

Pardon me while I go off on a little rant =]

Firewalls and routers that "alert" you to "whatever" suck.

There isn't any point to it. It's pure marketing hype. There isn't anything you can do with these "alerts" other than freak out about them. Imagine for a moment if other equipment displayed the same feature set as you describe:

Your car would "alert" you each time the tires made one revolution and ask you if you wanted to continue before making another revolution.

Your car alarm would scream bloody murder when you crank the window down, ask if you want to continue and ask if you wish to create a rule for this window going down in the future. It would ask about each window the first time you used it, and the process starts all over when you want the window to go up. And if you want the window down only part way, or up only part way, more rules!

The alarm would also alert you when you wanted to add fuel to your car, preventing you from doing so only after you have the nozzle in place and the fuel flowing, resulting in fuel all over the place. You can then write a rule for fuel, but this rule will only apply to the current grade at the current fueling station. Go to another station, write another rule.

IMHO, routers and firewalls should be quiet and do the job they were intended to do: prevent access for things that can not themselves be configured correctly. I have a firewall. There are 3 rules covering 29 ports, 18 of which are ports below 1024. There isn't any logging, and I'm not asked to create a rule for anything, ever. The firewall is silent.

In your specific case, the router is freaking out about normal data. The router should silently drop the packets as there shouldn't be anything else listening on these ports. If there is something listening there, then your system is in need of maintenance.
orange1
Posts: 69
Joined: Mon Jul 14, 2003 1:51 pm

Postby orange1 » Mon Aug 23, 2004 2:08 pm

preach it, Osc :)

Thor, it sounds like the server is just doing a proxy scan. Not uncommon. Not all servers do it, and it's not that big of a deal on the ones that do. It shouldn't be enough traffic to flood your connection. If that's happening, something else is wrong [maybe your firewall is automagically killing the connection because of the scan]. I'd say the solution is to find the setting for your firewall to, as Osc says, silently drop the packets.
munky
Site Admin
Posts: 826
Joined: Wed Jul 02, 2003 4:54 pm
Location: Phoenix AZ

Postby munky » Mon Aug 23, 2004 7:50 pm

I can't say I completely agree with 100% silence. There are some cases where an IDS could be used to notify of specific attempts (i.e. w.x.y.z tries ssh 20 times and gets in, etc.), but I doubt anyone runs a proper IDS on a Windows based client. ZoneAlarm certainly doesn't count as a good IDS.

If you don't like the port scans, don't connect to that server. But good luck finding a server that doesn't now or soon will use open proxy scanning. It is done to protect you, not hurt you. If you can, whitelist the IPs the scans come from for your favorite servers.
In God we trust,
Everyone else must have an X.509 certificate.
^Thor^
Posts: 3
Joined: Sun Aug 22, 2004 1:53 pm

Postby ^Thor^ » Mon Aug 23, 2004 11:50 pm

The router in question is a Netgear 8 port on a 3 Mb cable IP connection.
No ports forwarded into my LAN. The number of SYN packets given in my original post was an extremely conservative number, based on what was caught in my logs. There were several thousand (10's?) more -not- caught.

How many times do how many ports have to be scanned before a server is 'satisfied' that there are no proxies running on the client?

Here is a (partial) list of ports scanned:

23, 80, 10000, 10001, 1027, 1028, 1029, 1030, 1080, 113, 1182, 1212, 15621, 15859, 17149, 17166, 17288, 17406, 17407, 1813, 19086, 1978, 2280, 2425, 30021, 30022, 3127, 3128, 3330, 3332, 3380, 3382, 35233, 35612, 3777, 3800, 3801, 3802, 38994, 40934, 4438, 4480, 4777, 4914
49871, 5104, 53311, 5490, 5634, 6042, 63808, 63809, 65506, 6552, 6588, 6826, 7198, 7366, 7464, 7810, 8000, 8001, 808, 8080, 8081, 81, 8148, 8520, 8814, 9036, 9100, 9186, 9447, 9578, 9999.

^Thor^
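The practical advice in this thread is to stop alerting on the server's open-proxy check and instead treat SYNs from the known scanner address as expected, while still noticing a genuine multi-port sweep from anywhere else. The script below is an added example, not code posted by anyone in the thread and not a Netgear feature: it parses SYN entries from a hypothetical router log format (the lines are constructed, the source and destination addresses are documentation ranges, and the allowlisted scanner address is a placeholder for whatever address the network's documentation gives), tallies SYNs and distinct destination ports per source, and classifies each source as an allowlisted proxy check, an unexplained multi-port sweep, or ordinary traffic. The destination ports come from the list quoted in the post above.

```python
import re
from collections import defaultdict
from dataclasses import dataclass, field

# Constructed sample log in a hypothetical "SYN src=... dst=..." syslog format.
# 198.51.100.7 stands in for the IRC network's proxy scanner (placeholder address);
# the destination ports are ones that appear in the list posted in the thread.
SAMPLE_LOG = """\
2004-08-22 15:20:01 SYN src=198.51.100.7:40001 dst=192.0.2.10:8080
2004-08-22 15:20:01 SYN src=198.51.100.7:40002 dst=192.0.2.10:3128
2004-08-22 15:20:01 SYN src=198.51.100.7:40003 dst=192.0.2.10:1080
2004-08-22 15:20:02 SYN src=198.51.100.7:40004 dst=192.0.2.10:23
2004-08-22 15:20:02 SYN src=198.51.100.7:40005 dst=192.0.2.10:80
2004-08-22 15:20:02 SYN src=198.51.100.7:40006 dst=192.0.2.10:8080
2004-08-22 15:20:05 SYN src=203.0.113.9:51234 dst=192.0.2.10:80
2004-08-22 15:20:06 SYN src=203.0.113.9:51235 dst=192.0.2.10:80
2004-08-22 15:20:09 SYN src=203.0.113.42:6000 dst=192.0.2.10:22
this line is not a SYN record and is skipped by the parser
"""

# Matches one record of the constructed format; the source port is ignored.
LINE_RE = re.compile(
    r"^(?P<ts>\S+ \S+) SYN src=(?P<src>[\d.]+):\d+ dst=[\d.]+:(?P<dport>\d+)$"
)


@dataclass
class SourceStats:
    """Per-source tally: how many SYNs arrived and which destination ports were hit."""
    syn_count: int = 0
    ports: set = field(default_factory=set)


def parse_line(line):
    """Return (source_ip, dest_port) for a SYN record, or None for any other line."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    return m.group("src"), int(m.group("dport"))


def summarize(log_text):
    """Aggregate SYN records by source address."""
    stats = defaultdict(SourceStats)
    for line in log_text.splitlines():
        parsed = parse_line(line)
        if parsed is None:
            continue  # unrelated log line
        src, dport = parsed
        stats[src].syn_count += 1
        stats[src].ports.add(dport)
    return dict(stats)


def classify(stats, allowlist, min_ports=5):
    """Label each source. Allowlisted scanners are expected traffic (munky's suggestion);
    anything else touching min_ports or more distinct ports is worth a look; the rest is normal."""
    verdicts = {}
    for src, s in stats.items():
        if src in allowlist:
            verdicts[src] = "allowlisted proxy check"
        elif len(s.ports) >= min_ports:
            verdicts[src] = "multi-port sweep"
        else:
            verdicts[src] = "normal"
    return verdicts


def report(log_text, allowlist, min_ports=5):
    """Human-readable summary lines, one per source, sorted by SYN count."""
    stats = summarize(log_text)
    verdicts = classify(stats, allowlist, min_ports)
    lines = []
    for src, s in sorted(stats.items(), key=lambda kv: -kv[1].syn_count):
        lines.append(f"{src}: {s.syn_count} SYNs to {len(s.ports)} ports -> {verdicts[src]}")
    return lines


if __name__ == "__main__":
    # The allowlist entry is a placeholder; a real one would hold the network's published scanner address.
    for line in report(SAMPLE_LOG, allowlist={"198.51.100.7"}):
        print(line)
```

With the placeholder scanner address allowlisted, the six SYNs to five ports are reported as an expected proxy check rather than a scan; remove it from the allowlist and the same source is flagged as a multi-port sweep, which is exactly the distinction a noisy alert-on-everything router fails to make.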
prefect
Posts: 76
Joined: Mon Jul 14, 2003 6:25 pm
Location: Oslo

Postby prefect » Tue Aug 24, 2004 8:51 am

munky wrote: if you don't like the port scans, don't connect to that server.
this sums it up nicely.

^Thor^
