phil-smith
Oct 08, 2017 Aspirant
Router forwarding syn flood
I have a C3700-100NAS without port forwarding and without the firewall disabled. On a machine inside the LAN I see:
[~]pds$ netstat -a
Active Internet connections (including servers)
Proto Recv-Q Send-Q Local Address Foreign Address (state)
tcp4 0 0 tango.62209 151.101.128.204.http SYN_SENT
tcp4 0 0 tango.62208 151.101.64.175.http SYN_SENT
tcp4 0 0 tango.62207 151.101.64.249.http SYN_SENT
tcp4 0 0 tango.62206 151.101.64.249.http SYN_SENT
tcp4 0 0 tango.62205 151.101.64.175.http SYN_SENT
tcp4 0 0 tango.62204 151.101.64.175.http SYN_SENT
tcp4 0 0 tango.62203 151.101.128.204.http SYN_SENT
tcp4 0 0 tango.62202 151.101.128.204.http SYN_SENT
tcp4 0 0 tango.62201 ec2-54-247-187-9.http SYN_SENT
tcp4 0 0 tango.62200 ec2-54-219-132-1.http SYN_SENT
tcp4 0 0 tango.62199 ec2-54-219-132-1.http SYN_SENT
tcp4 0 0 tango.62198 ec2-54-219-132-1.http SYN_SENT
tcp4 0 0 tango.62197 ec2-54-215-180-1.http SYN_SENT
etc...
which is the residue from a syn flood attack. But why should the SYNs have been sent to this machine in the first place? I do assume they were sent to the broadcast address, but surely the router shouldn't propagate broadcasts to the LAN? Is this a bug or have I configured something wrong?
Right now my network is unusable whenever this attack occurs.
2 Replies
- phil-smith Aspirant
Oops, these aren't broadcast, they're directed to specific machines. Why is the router forwarding these packets?
- SYN_SENT means that your computer initiated a connection. It is not a response to any SYN flood.
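
Added example (not part of the original thread or any poster's code): a small Python triage of `netstat -a` output that separates handshakes the local host started (SYN_SENT) from half-open connections started by remote peers (SYN_RCVD on BSD/macOS, SYN_RECV on Linux), which is the state an inbound SYN flood would leave behind. The sample rows are constructed in the layout quoted in the question, and the function names are hypothetical.

```python
from collections import Counter

# Constructed sample in the BSD/macOS `netstat -a` layout quoted in the question.
SAMPLE = """\
Active Internet connections (including servers)
Proto Recv-Q Send-Q  Local Address          Foreign Address        (state)
tcp4       0      0  tango.62209            151.101.128.204.http   SYN_SENT
tcp4       0      0  tango.62208            151.101.64.175.http    SYN_SENT
tcp4       0      0  tango.62207            151.101.64.249.http    SYN_SENT
tcp4       0      0  tango.62100            192.0.2.10.https       ESTABLISHED
tcp4       0      0  *.ssh                  *.*                    LISTEN
"""

# State names differ by OS: SYN_RCVD (BSD/macOS), SYN_RECV (Linux).
INBOUND_HALF_OPEN = {"SYN_RCVD", "SYN_RECV"}
OUTBOUND_HALF_OPEN = {"SYN_SENT"}


def parse(text):
    """Yield (local, foreign, state) for each TCP row; skip headers and other protocols."""
    for line in text.splitlines():
        fields = line.split()
        if len(fields) == 6 and fields[0].lower().startswith("tcp"):
            yield fields[3], fields[4], fields[5]


def triage(text):
    """Separate handshakes this host started from handshakes started by remote peers."""
    outbound, inbound = Counter(), Counter()
    for local, foreign, state in parse(text):
        if state in OUTBOUND_HALF_OPEN:
            # This host sent the SYN and is waiting for SYN/ACK: key by remote endpoint.
            outbound[foreign] += 1
        elif state in INBOUND_HALF_OPEN:
            # A peer sent the SYN to a local listener: key by local endpoint.
            inbound[local] += 1
    return {"outbound_syn_sent": dict(outbound), "inbound_half_open": dict(inbound)}


if __name__ == "__main__":
    result = triage(SAMPLE)
    print("Outbound attempts awaiting SYN/ACK:", result["outbound_syn_sent"])
    print("Inbound half-open connections:", result["inbound_half_open"])
```

Many SYN_SENT rows with an empty inbound set point at local software opening connections that are not being answered, so the next check is which process owns those sockets and whether outbound traffic or replies are being dropped.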