
[SYN] Flood?

mhepplewhite
Hooked
Posts: 6
Thanks: 2
Registered: ‎01-04-2022

[SYN] Flood?

I am on a home broadband package with a small Pi home server. Port forwarding 443 to said server. Sometime in the recent past the router technical log shows incoming port forwards from remote IPs (seem to be mainly Brazil according to iplocation) at about 1 per second. IP is like A.B.C.D where A.B stays the same for a day or two but C.D changes. Wireshark capture shows server responds with [SYN, ACK] but there is no response from remote IP. Server resends a few times then a [RST] is received. Source location has also been identified as e.g. Korea.

No web pages are requested.

I am struggling to figure out what is going on or whether any defensive action is needed. Server loading seems to be minimal. Main impact seems to be that the PlusNet 2 router FW Log fills up in a short period.

Advice and insights gratefully received.
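The pattern described in the post above (a [SYN], the server's [SYN, ACK] answered by nothing, retransmissions, then a [RST], from sources that share A.B) can be counted from capture records. This is an added example, not part of the original thread; the record layout, addresses and function names are constructed for illustration.

```python
from collections import defaultdict
from ipaddress import ip_network

SERVER = "192.168.1.50"  # assumed LAN address of the forwarded server

# Constructed records, not real traffic: (time_s, src, dst, client_port, flags)
PACKETS = [
    (0.0, "10.20.3.4", SERVER, 50001, "SYN"),
    (0.0, SERVER, "10.20.3.4", 50001, "SYN,ACK"),
    (1.0, SERVER, "10.20.3.4", 50001, "SYN,ACK"),   # retransmission
    (1.2, "10.20.77.9", SERVER, 50002, "SYN"),
    (1.2, SERVER, "10.20.77.9", 50002, "SYN,ACK"),
    (2.0, "10.20.130.200", SERVER, 50003, "SYN"),
    (2.0, SERVER, "10.20.130.200", 50003, "SYN,ACK"),
    (2.5, "10.99.1.5", SERVER, 51000, "SYN"),
    (2.5, SERVER, "10.99.1.5", 51000, "SYN,ACK"),
    (2.6, "10.99.1.5", SERVER, 51000, "ACK"),        # handshake completes
    (3.0, "10.20.3.4", SERVER, 50001, "RST"),
]

def classify(packets, server):
    """Map (client_ip, client_port) -> syn | synack | established | reset."""
    state = {}
    for _t, src, dst, cport, flags in sorted(packets, key=lambda p: p[0]):
        from_client = src != server
        key = (src if from_client else dst, cport)
        if from_client and flags == "SYN":
            state.setdefault(key, "syn")            # repeated SYN keeps state
        elif not from_client and flags == "SYN,ACK" and state.get(key) == "syn":
            state[key] = "synack"
        elif from_client and flags == "ACK" and state.get(key) == "synack":
            state[key] = "established"
        elif from_client and "RST" in flags and state.get(key) == "synack":
            state[key] = "reset"
    return state

def half_open_by_prefix(packets, server, prefixlen=16):
    """Count handshakes per source prefix, split by whether they completed."""
    counts = defaultdict(lambda: {"half_open": 0, "established": 0})
    for (ip, _port), st in classify(packets, server).items():
        net = str(ip_network(f"{ip}/{prefixlen}", strict=False))
        counts[net]["established" if st == "established" else "half_open"] += 1
    return dict(counts)

if __name__ == "__main__":
    for net, c in half_open_by_prefix(PACKETS, SERVER).items():
        print(net, c)
```

A prefix with many half-open handshakes and no established ones matches what the capture showed; ordinary visitors appear under "established".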

Champnet
Aspiring Hero
Posts: 2,953
Thanks: 1,113
Fixes: 16
Registered: ‎25-07-2007

Re: [SYN] Flood?

@mhepplewhite Any open port is going to attract unwanted attention. SYN floods are just attempts to disrupt your system.
Nothing to worry about, I just ignore them unless further problems develop….

outcast
Pro
Posts: 315
Thanks: 121
Fixes: 7
Registered: ‎11-01-2025

Re: [SYN] Flood?


@Champnet wrote:

... just ignore them unless further problems develop….

and if they DO become a problem, then Dave can take a look to see what can be done (see TCP SYN Attack / Changing IP).

mhepplewhite
Hooked
Posts: 6
Thanks: 2
Registered: ‎01-04-2022

Re: [SYN] Flood?

Thank you very much, reassuring. It's just that that port has been open for ages, and, as you say, various random IPs try out some standard things, but the repeated [SYN] thing is more recent.
Changing IP is a bit of a mixed blessing as various settings need to be updated.
jab1
Legend
Posts: 19,928
Thanks: 6,598
Fixes: 293
Registered: ‎24-02-2012

Re: [SYN] Flood?

@mhepplewhite Personally, wouldn’t worry, apart from filling up your log, this just proves the router is doing its job.

John
outcast
Pro
Posts: 315
Thanks: 121
Fixes: 7
Registered: ‎11-01-2025

Re: [SYN] Flood?


@mhepplewhite wrote:

I am on a home broadband package with a small Pi home server.

... ...

Main impact seems to be that the PlusNet 2 router FW Log fills up in a short period.

@mhepplewhite

As you are already tech savvy enough to build a Pi server, have you considered building a pfSense router?

I use pfSense for many things, but related to your question, when I add a port forward, rather than having that port open to the world (as happens with the Plusnet Hub-2), I block ALL external access then add a firewall whitelist of allowed/known external IP addresses that can access that port - so as not to attract the attention of port scanners from anywhere in the world.

For example, I've configured my router's WAN port to reply to PING requests, but only specific test sites that I use (such as the ThinkBroadband BQM server) can see the open port.

 


mhepplewhite
Hooked
Posts: 6
Thanks: 2
Registered: ‎01-04-2022

Re: [SYN] Flood?

Thank you - I will consider such an option, thank you.

outcast
Pro
Posts: 315
Thanks: 121
Fixes: 7
Registered: ‎11-01-2025

Re: [SYN] Flood?

Here are a few YouTube videos to give you an idea of what might be involved with building your own router.
