Results 1 to 6 of 6

Thread: Can I stop "Syn Flood ** (from Outbound WAN)?

  1. #1

    Can I stop "Syn Flood ** (from Outbound WAN)?

    I have an SMC Barricade model SMC7008ABR router. When checking the logs I periodically get warnings of “**SYN Flood to Host** 192.168.2.xxx, xxxx->> xxx.xxx.xxx.xx, xxxx (from WAN Outbound)”. The originating address is from 2 of the computers on my home network. The destination IP changes as shown in the excerpt of my router log.

    02/03/2008 12:16:09 192.168.2.101 login success
    02/03/2008 10:51:21 NTP Date/Time updated
    02/03/2008 04:51:21 NTP Date/Time updated
    02/02/2008 22:51:21 NTP Date/Time updated
    02/02/2008 20:12:34 **SYN Flood to Host** 192.168.2.101, 3350->> 66.165.186.98, 80 (from WAN Outbound)
    02/02/2008 20:05:10 **SYN Flood to Host** 192.168.2.101, 4725->> 208.122.223.21, 80 (from WAN Outbound)
    02/02/2008 19:29:34 **SYN Flood to Host** 192.168.2.101, 4941->> 213.189.18.86, 80 (from WAN Outbound)

    My concern is the “from OUTBOUND WAN”, I assume this means that I have out going traffic that hopefully the router stopping. Is that assumption correct and if so how can I locate and kill the cause of this message?

    I regularly use Sypbot, Adaware SE+, and AVG to control the bad things on both machines and the router’s firewall is on. The OSs are W2K Pro & Vista Home Premium. Browsers are Firefox, set to clear everything on close, and MS IE, used mainly on the Vista machine.

    My searches have provided a lot of info on what a “SYN Flood” is but, I have been unable to find anything that tells me how to locate and remove the cause from may system. Let me know what more information I need to supply or if any one can shed some light on a “cure” for this.

    Old Dog, in need of new tricks!

  2. #2
    Switching & Routing Nerd cchooper's Avatar
    Join Date
    Oct 2003
    Location
    Southern Oregon
    Posts
    245
    They could just be false alarms. Most web browsers these days open several concurrent connections to a single server, which would cause a bunch of SYN packets to be sent, triggering those logs you're seeing.
    Hacking router firmware since 2005

  3. #3
    Thank you for the reply cchooper, you may have the answer. Since the original posting my cable company has been sold and is under new management. All of the IP addresses have changed and so far I have not had another occurrence of the warning. Time will tell. I’ll follow up with any changes.

    Thanks again,
    Old Dog 62, always looking for new tricks.

  4. #4
    Junior Member
    Join Date
    Sep 2008
    Posts
    1

    Solution

    I have the same router (SMC Barricade 7008ABR) and I noticed I was getting these same "SYN Flood" messages in my log. Eventually I found the culprit -- in my case it was Google Maps. I've always had problems with maps never fully loading (lots of gray tiles) and I finally realized that the problem was the number of connections that Google Maps keeps open at once. The firewall thought they were a denial of service attack and was blocking them. I just increased the maximum number of connections allowed and the problem went away -- no more SYN Flood messages so far and Google Maps finally works.

    The setting is called "Maximum incomplete TCP/UDP sessions number from same host" and is found under "Advanced Setup > Firewall > Intrusion Detection". I increased mine from 10 to 50 and it seems to be working well.

    This problem has plagued me forever! I came across this thread in my search and wanted to post what I found in case it's helpful.

  5. #5
    Junior Member
    Join Date
    Aug 2011
    Posts
    1
    Quote Originally Posted by Nobody View Post
    I have the same router (SMC Barricade 7008ABR) and I noticed I was getting these same "SYN Flood" messages in my log. Eventually I found the culprit -- in my case it was Google Maps. I've always had problems with maps never fully loading (lots of gray tiles) and I finally realized that the problem was the number of connections that Google Maps keeps open at once. The firewall thought they were a denial of service attack and was blocking them. I just increased the maximum number of connections allowed and the problem went away -- no more SYN Flood messages so far and Google Maps finally works.

    The setting is called "Maximum incomplete TCP/UDP sessions number from same host" and is found under "Advanced Setup > Firewall > Intrusion Detection". I increased mine from 10 to 50 and it seems to be working well.

    This problem has plagued me forever! I came across this thread in my search and wanted to post what I found in case it's helpful.
    Does anyone know how to fix this with a belkin router? I don't seem to have a setting with that granularity. Arg...

  6. #6
    Junior Member
    Join Date
    Jul 2013
    Posts
    1
    Another happy person here. The default browser of my Galaxy SIII was making my crappy Philips router throw SYN flood errors, and webpages stopped loading halfway through. I set the above setting to 50 and now eveything is fast and smooth.

    Just posting to mention that for Philips the setting is under security -> firewall -> intrusion detection

Similar Threads

  1. Can I stop "SYN Flood ***(from Outbound WAN"?
    By Old Dog 62 in forum Wireless Networks & Routers
    Replies: 0
    Last Post: 02-03-08, 02:10 PM

Bookmarks

Posting Permissions

  • You may not post new threads
  • You may not post replies
  • You may not post attachments
  • You may not edit your posts
  •