Advertisement
If you have a new account but are having problems posting or verifying your account, please email us on hello@boards.ie for help. Thanks :)
Hello all! Please ensure that you are posting a new thread or question in the appropriate forum. The Feedback forum is overwhelmed with questions that are having to be moved elsewhere. If you need help to verify your account contact hello@boards.ie
Hi there,
There is an issue with role permissions that is being worked on at the moment.
If you are having trouble with access or permissions on regional forums please post here to get access: https://www.boards.ie/discussion/2058365403/you-do-not-have-permission-for-that#latest

Random IP/Port spoofer

  • 20-08-2003 9:14pm
    #1
    Registered Users, Registered Users 2 Posts: 2,680 ✭✭✭


    Right,Im fairly sure of whose behind it, but all Im caring about right now is stopping it.

    a random ip/port is constantly spoofing me
    TCP Tellox:3757 193.209.109.164:epmap SYN_SENT
    TCP Tellox:3758 193.209.109.165:epmap SYN_SENT
    TCP Tellox:3759 193.209.109.166:epmap SYN_SENT
    TCP Tellox:3760 193.209.109.167:epmap SYN_SENT
    TCP Tellox:3761 193.209.109.168:epmap SYN_SENT

    ect

    today,its been mainly an italian collage IP, yesterday, it was an american military IP (and im awful close to emailing abuse@army.mil about it,just to see if anything becomes of it)

    The thought of it being a virus spoofing me was gone when I d/c'd and netstat'd again, But the instant I reconnected, I was being spoofed again.

    This has been going on for a good 7 or so hours so far today, and seeing as Im behind a permenant IP (DSL) , I cant simply reconnect to solve the problem.

    I thought of a firewall, but the entire ip is constantly changing, and the last time I emailed esat about a thing like this,I received no response.

    Anybody got any ideas on what I can do?


Comments

  • Registered Users, Registered Users 2 Posts: 4,676 ✭✭✭Gavin


    The firewall should be smart enough to cop on that it's a syn attack from one person.

    What dsl are you using, not all are permanent IP's.

    Gav


  • Registered Users, Registered Users 2 Posts: 5,513 ✭✭✭Sleipnir


    any firewall worth it's salt should stop this. It's a pretty old type of attack.
    I would email that army addy with the IP and all the information you've been receiving from it. Although normally it's a spoofed IP address not in use on the Internet.
    Run
    netstat -n -p tcp
    Look at the output for entries in a state of SYN_RECEIVED. If you notice multiple entries, your system is vulnerable to attack.

    Best to use a firewall but you can change windows to protect yourself against DoS attacks so that syn requests time out quicker.
    to enable this, read below. Back up registry first!

    Run regedit
    goto HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters registry subkey.
    From the Edit menu, select New, DWORD Value.
    Enter the name SynAttackProtect, then press Enter.
    Double-click the new value, set it to 2, then click OK.
    Close the registry editor.
    Reboot the machine.

    default value is 0, which offers no protection.
    value of 1 limits the number of SYN retries and delays the route cache entry when the maximum number of open TCP connections (i.e., the connections in the SYN_RECEIVED state known as TcpMaxHalfOpen) and retries (i.e., TcpMaxHalfOpenRetried) has been met.
    When SynAttackProtect has a value of 2, the effect is similar to when the value is set to 1 but includes a delayed Winsock notification until the three-way handshake involved in the SYN process is complete. Because Windows invokes the SynAttackProtect value only after the system exceeds the TcpMaxHalfOpen and TcpMaxHalfOpenRetried values, I recommend that you also create the TcpMaxHalfOpen and TcpMaxHalfOpenRetried values under the same registry key (both DWORD values) and set them to 100 and 80, respectively.


  • Registered Users, Registered Users 2 Posts: 2,680 ✭✭✭Tellox


    Kan, I've just taken your advise, and it hasnt stopped any of the attacks...

    once again,the second I connected, they were off again


  • Registered Users, Registered Users 2 Posts: 5,335 ✭✭✭Cake Fiend


    Unless you're getting an overwhelming stream of SYN packets, I doubt it's a deliberate SYN flood attempt. Judging by the fact that they're repeatedly trying to connect through the epmap port, I'd imagine that network is a load of NT-based systems that have been infected by the msblast worm and are scanning for potential victims. Your IP could very possibly be on a list of machines that are replying to requests to the RPC server. A lot of our XP and 2K machines in Net House are getting these connection attempts, but are invulnerable as they were patched long ago. Unless these attempted attacks are affecting your connection (and presuming you've patched the RPC bug on your machine) I wouldn't worry about it tbh.


Advertisement