12 Posts

November 18th, 2005 11:00

Syn_Received Attack ?

I am hoping someone has a possible answer to this. I have worked on this problem for a couple of weeks.

We have our internal network with a Windows 2000 server with no internet connection to the outside and a couple of Windows 98 computers with printers attached. The 98 computers are getting hit with Syn_Received requests and the server is working fine.

I recently set up a D-Link wireless router to access the internet. Only three computers have access to this device, one each running Windows MCE 2005, XP Pro and XP Home. They all connect to the wireless and are cabled to our internal network.

Only the MCE 2005 computer is causing the Syn_Received problem. If I disable his wireless connection, the problem is gone. If I leave his wireless on but turn off the D-Link router, the problem is gone. If I remove the internet connection to the router but have his computer connect to the router, the problem exists.

Thanks for any suggestions.

241 Posts

November 18th, 2005 19:00

Can you give a little more info on the hardware...specifically the router and the MCE device? What kind, model etc?

Are the Syn_Received requests only hitting the 98 machines after the router installation or what is reporting that error? If only three machines have access to the router I'm a bit confused!!!

LT

12 Posts

November 18th, 2005 20:00

The problem computer is an Inspiron 9300 with Windows Media Center 2005 and the router is a D-link DI-624 wireless 108g.
 
The Windows 98 computers with a printer share on them are the only ones affected.

We have our internal network with a Windows 2000 Server and no one is allowed internet access. Each department has a computer NOT on the network to access the internet and email; management is afraid of people outside getting into our files. We were allowed to connect the 3 sales people to the internet using wireless and still be connected to our server on our wired network.

The one computer is causing all the problems with the Windows 98 computers. I have shut many things off on that computer but have not stopped the syn_received requests, which build up until nobody can use the printers. I reboot and we can print again until it gets too many syn_received requests.

Thanks for your interest in my problem. If you need more info, let me know.

241 Posts

November 19th, 2005 12:00

I assume there is either a firewall or router preventing PCs on the internal side from talking to the 3 pcs on the Dlink?

What I believe is happening here is that the PCs on your new wireless network are trying to access services on the old network and the old network can't communicate back to them.  File and Print and Master Browser Election seem likely candidates, so let's do some old school troubleshooting to find out what it might be...

On the Windows 98 machines most impacted, go to a command or DOS prompt and issue the "netstat -n -p tcp" command and check out the IP addresses and ports.  I'm betting that you will see most of them coming from the new network (the one the 98 machine can't get back to).  Check out the port numbers and see what they equate to.  Go to the MCE or other offending PC and shut off that service!

Let's start there and see what the results are.

 

LT

 

12 Posts

November 20th, 2005 16:00

The D-Link is not physically connected to our network. The only access is through one of the 3 computers. All 3 have file sharing off. And we run on only TCP on the network.

I have done netstat, this is how I found the problem. It displays 25+ separate port connections for the wireless IP address of the offending computer. We have Norton Internet Security running on these 3 computers and I have needed to add the IP addresses of the 2000 Server and Windows 98 printer shares so these computers can talk to our internal network.

I will see that the browse master is turned off on the offending computer. I may already have it turned off?

You have given me another idea: if I can get the printer to share through the server, then I can remove the Windows 98 IP address from Norton on the 3 computers and it may stop the communication with them.

The problem is that only one computer is causing this problem. What's different about that computer than the other 2?

Thanks again, I'll try your suggestions.

241 Posts

November 20th, 2005 18:00

I was hoping the port addresses would help tell me what the difference is.  By looking at those, we could tell which service(s) is requesting all the data and then we could proceed from there.  If you don't have the D-Link connected to the network, I am guessing that you have the 2005 device acting as a bridge, or do you have ICS turned on? (Otherwise how would your Win98 machines know about the wireless network addresses?) I would suggest you go back to that device and make sure you don't allow routing through your Ethernet (no bridging) and ICS is off.

I know of no other network specific differences between 2005MC and XP that will cause the advertisement of addresses not allowed.

Can you provide the results of the IPCONFIG /ALL on the 2005 and the Netstat?  It is probably a very simple config oversight but I'm shooting in the dark without the info.

12 Posts

November 20th, 2005 22:00

I know that there is no bridge, because that's the first thing I looked for, and I am pretty sure the ICS is off. I will double check.

I did not do a netstat on the 2005MC. I will do that and check the ipconfig /all.

The netstat I ran on the Windows 98 computer shows the 2005MC trying to connect on ports 1000 and above? I may be wrong, I don't have a copy of the netstat report here at home.
 
I'll try to get more info to you.
 
Thanks.

12 Posts

November 21st, 2005 13:00

I went into services and turned off computer browser. As it appears now the problem has gone away.
 
I want to thank you for the help. I had a feeling it would be something simple. I was just at the point of calling in someone from the outside to take a look.

I did however turn off other services, Server and Network Location Awareness. I don't see those having been the problem because they are probably on in the other computers.

I am sending the netstat info from one of the Windows 98 computers. Could you tell it was a browser service from these port connections?
 
Active Connections
 Proto  Local Address          Foreign Address        State
 TCP    10.0.0.31:139          10.0.0.4:1031          ESTABLISHED
 TCP    10.0.0.31:139          10.0.0.42:1030         ESTABLISHED
 TCP    10.0.0.31:139          192.168.0.101:2306     SYN_RECEIVED
 TCP    10.0.0.31:139          192.168.0.101:2309     SYN_RECEIVED
 TCP    10.0.0.31:139          192.168.0.101:2312     SYN_RECEIVED
 TCP    10.0.0.31:139          192.168.0.101:2315     SYN_RECEIVED
 TCP    10.0.0.31:139          192.168.0.101:2318     SYN_RECEIVED
 TCP    10.0.0.31:139          192.168.0.101:2321     SYN_RECEIVED
 TCP    10.0.0.31:139          192.168.0.101:2324     SYN_RECEIVED
 TCP    10.0.0.31:139          192.168.0.101:2327     SYN_RECEIVED
 TCP    10.0.0.31:139          192.168.0.101:2330     SYN_RECEIVED
 TCP    10.0.0.31:139          192.168.0.101:2333     SYN_RECEIVED
 TCP    10.0.0.31:139          192.168.0.101:2336     SYN_RECEIVED
 TCP    10.0.0.31:139          192.168.0.101:2339     SYN_RECEIVED
 TCP    10.0.0.31:139          192.168.0.101:2089     SYN_RECEIVED
 TCP    10.0.0.31:139          192.168.0.101:2092     SYN_RECEIVED
 TCP    10.0.0.31:139          192.168.0.101:2348     SYN_RECEIVED
 TCP    10.0.0.31:139          192.168.0.101:2351     SYN_RECEIVED
 TCP    10.0.0.31:139          192.168.0.101:2354     SYN_RECEIVED
 TCP    10.0.0.31:139          192.168.0.101:2101     SYN_RECEIVED
 TCP    10.0.0.31:139          192.168.0.101:2357     SYN_RECEIVED
 TCP    10.0.0.31:139          192.168.0.101:2104     SYN_RECEIVED
 TCP    10.0.0.31:139          192.168.0.101:2360     SYN_RECEIVED
 TCP    10.0.0.31:139          192.168.0.101:2363     SYN_RECEIVED
 TCP    10.0.0.31:139          192.168.0.101:2110     SYN_RECEIVED
 TCP    10.0.0.31:139          192.168.0.101:2366     SYN_RECEIVED
 TCP    10.0.0.31:139          192.168.0.101:2370     SYN_RECEIVED
 TCP    10.0.0.31:139          192.168.0.101:2116     SYN_RECEIVED
 TCP    10.0.0.31:139          192.168.0.101:2373     SYN_RECEIVED
 TCP    10.0.0.31:139          192.168.0.101:2376     SYN_RECEIVED
 TCP    10.0.0.31:139          192.168.0.101:2122     SYN_RECEIVED
 TCP    10.0.0.31:139          192.168.0.101:2379     SYN_RECEIVED
 TCP    10.0.0.31:139          192.168.0.101:2382     SYN_RECEIVED
 TCP    10.0.0.31:139          192.168.0.101:2385     SYN_RECEIVED
 TCP    10.0.0.31:139          192.168.0.101:2130     SYN_RECEIVED
 TCP    10.0.0.31:139          192.168.0.101:2388     SYN_RECEIVED
 TCP    10.0.0.31:139          192.168.0.101:2391     SYN_RECEIVED
 TCP    10.0.0.31:139          192.168.0.101:2138     SYN_RECEIVED
 TCP    10.0.0.31:139          192.168.0.101:2394     SYN_RECEIVED
 TCP    10.0.0.31:139          192.168.0.101:2651     SYN_RECEIVED
 TCP    10.0.0.31:139          192.168.0.101:2397     SYN_RECEIVED
 TCP    10.0.0.31:139          192.168.0.101:2400     SYN_RECEIVED
 TCP    10.0.0.31:139          192.168.0.101:2146     SYN_RECEIVED
 TCP    10.0.0.31:139          192.168.0.101:2403     SYN_RECEIVED
 TCP    10.0.0.31:139          192.168.0.101:2406     SYN_RECEIVED
 TCP    10.0.0.31:139          192.168.0.101:2409     SYN_RECEIVED
 TCP    10.0.0.31:139          192.168.0.101:2156     SYN_RECEIVED
 TCP    10.0.0.31:139          192.168.0.101:2412     SYN_RECEIVED
 TCP    10.0.0.31:139          192.168.0.101:2415     SYN_RECEIVED
 TCP    10.0.0.31:139          192.168.0.101:2164     SYN_RECEIVED
 TCP    10.0.0.31:139          192.168.0.101:2170     SYN_RECEIVED
 TCP    10.0.0.31:139          192.168.0.101:2427     SYN_RECEIVED
 TCP    10.0.0.31:139          192.168.0.101:2431     SYN_RECEIVED
 TCP    10.0.0.31:139          192.168.0.101:2176     SYN_RECEIVED
 TCP    10.0.0.31:139          192.168.0.101:2434     SYN_RECEIVED
 TCP    10.0.0.31:139          192.168.0.101:2182     SYN_RECEIVED
 TCP    10.0.0.31:139          192.168.0.101:2443     SYN_RECEIVED
 TCP    10.0.0.31:139          192.168.0.101:2190     SYN_RECEIVED
 TCP    10.0.0.31:139          192.168.0.101:2446     SYN_RECEIVED
 TCP    10.0.0.31:139          192.168.0.101:2193     SYN_RECEIVED
 TCP    10.0.0.31:139          192.168.0.101:2449     SYN_RECEIVED
 TCP    10.0.0.31:139          192.168.0.101:2452     SYN_RECEIVED
 TCP    10.0.0.31:139          192.168.0.101:2199     SYN_RECEIVED
 TCP    10.0.0.31:139          192.168.0.101:2455     SYN_RECEIVED
 TCP    10.0.0.31:139          192.168.0.101:2458     SYN_RECEIVED
 TCP    10.0.0.31:139          192.168.0.101:2461     SYN_RECEIVED
 TCP    10.0.0.31:139          192.168.0.101:2464     SYN_RECEIVED
 TCP    10.0.0.31:139          192.168.0.101:2468     SYN_RECEIVED
 TCP    10.0.0.31:139          192.168.0.101:2471     SYN_RECEIVED
 TCP    10.0.0.31:139          192.168.0.101:2474     SYN_RECEIVED
 TCP    10.0.0.31:139          192.168.0.101:2477     SYN_RECEIVED
 TCP    10.0.0.31:139          192.168.0.101:2480     SYN_RECEIVED
 TCP    10.0.0.31:139          192.168.0.101:2483     SYN_RECEIVED
 TCP    10.0.0.31:139          192.168.0.101:2486     SYN_RECEIVED
 TCP    10.0.0.31:139          192.168.0.101:2489     SYN_RECEIVED
 TCP    10.0.0.31:139          192.168.0.101:2492     SYN_RECEIVED
 TCP    10.0.0.31:139          192.168.0.101:2495     SYN_RECEIVED
 TCP    10.0.0.31:139          192.168.0.101:2498     SYN_RECEIVED
 TCP    10.0.0.31:139          192.168.0.101:2501     SYN_RECEIVED
 TCP    10.0.0.31:139          192.168.0.101:2504     SYN_RECEIVED
 TCP    10.0.0.31:139          192.168.0.101:2510     SYN_RECEIVED
 TCP    10.0.0.31:139          192.168.0.101:2513     SYN_RECEIVED
 TCP    10.0.0.31:139          192.168.0.101:2516     SYN_RECEIVED
 TCP    10.0.0.31:139          192.168.0.101:2519     SYN_RECEIVED
 TCP    10.0.0.31:139          192.168.0.101:2522     SYN_RECEIVED
 TCP    10.0.0.31:139          192.168.0.101:2525     SYN_RECEIVED
 TCP    10.0.0.31:139          192.168.0.101:2528     SYN_RECEIVED
 TCP    10.0.0.31:139          192.168.0.101:2531     SYN_RECEIVED
 TCP    10.0.0.31:139          192.168.0.101:2534     SYN_RECEIVED
 TCP    10.0.0.31:139          192.168.0.101:2537     SYN_RECEIVED
 TCP    10.0.0.31:139          192.168.0.101:2540     SYN_RECEIVED
 TCP    10.0.0.31:139          192.168.0.101:2543     SYN_RECEIVED
 TCP    10.0.0.31:139          192.168.0.101:2546     SYN_RECEIVED
 TCP    10.0.0.31:139          192.168.0.101:2549     SYN_RECEIVED
 TCP    10.0.0.31:139          192.168.0.101:2552     SYN_RECEIVED
 TCP    10.0.0.31:139          192.168.0.101:2297     SYN_RECEIVED
 TCP    10.0.0.31:139          192.168.0.101:2555     SYN_RECEIVED
 TCP    10.0.0.31:139          192.168.0.101:2300     SYN_RECEIVED
 TCP    10.0.0.31:139          192.168.0.101:2558     SYN_RECEIVED
 TCP    10.0.0.31:139          192.168.0.101:2303     SYN_RECEIVED
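
Added example, not part of the original posts: a Python parser for `netstat -n -p tcp` output in the format of the listing above. It counts half-open (SYN_RECEIVED) entries per peer and local port, names the service on that port, and notes whether the peer lies outside the host's own subnet. The 10.0.0.0/8 subnet and the threshold are assumptions; the sample rows are a few lines taken from the listing.

```python
import ipaddress
from collections import Counter

# A few rows taken from the listing above, in `netstat -n -p tcp` format.
SAMPLE = """\
Active Connections
 Proto  Local Address          Foreign Address        State
 TCP    10.0.0.31:139          10.0.0.4:1031          ESTABLISHED
 TCP    10.0.0.31:139          10.0.0.42:1030         ESTABLISHED
 TCP    10.0.0.31:139          192.168.0.101:2306     SYN_RECEIVED
 TCP    10.0.0.31:139          192.168.0.101:2309     SYN_RECEIVED
 TCP    10.0.0.31:139          192.168.0.101:2312     SYN_RECEIVED
 TCP    10.0.0.31:139          192.168.0.101:2315     SYN_RECEIVED
"""

# TCP ports used by Windows file/print and RPC services.
SERVICES = {135: "RPC endpoint mapper", 139: "NetBIOS session service (NBT)",
            445: "SMB over TCP"}


def parse_netstat(text):
    """Return one dict per TCP row; header and blank lines are skipped."""
    rows = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 4 or parts[0] != "TCP":
            continue
        local_ip, local_port = parts[1].rsplit(":", 1)
        peer_ip, peer_port = parts[2].rsplit(":", 1)
        rows.append({"local_ip": local_ip, "local_port": int(local_port),
                     "peer_ip": peer_ip, "peer_port": int(peer_port),
                     "state": parts[3]})
    return rows


def half_open_report(rows, local_net="10.0.0.0/8", threshold=3):
    """Summarise SYN_RECEIVED pile-ups per (peer, local port).

    local_net and threshold are assumptions made for this example.
    """
    net = ipaddress.ip_network(local_net)
    counts = Counter((r["peer_ip"], r["local_port"])
                     for r in rows if r["state"] == "SYN_RECEIVED")
    report = []
    for (peer, port), n in counts.most_common():
        if n >= threshold:
            report.append({"peer": peer, "local_port": port,
                           "service": SERVICES.get(port, "unknown"),
                           "half_open": n,
                           "peer_on_local_net": ipaddress.ip_address(peer) in net})
    return report


if __name__ == "__main__":
    for finding in half_open_report(parse_netstat(SAMPLE)):
        print(finding)
```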

241 Posts

November 21st, 2005 15:00

Also,

Run the NBTSTAT -c and -r commands. I'm betting that the 2005MC machine is known via the 192 address and not the 10 network address.  Check your WINS server as well for this puppy.

LT

241 Posts

November 21st, 2005 15:00

It tells me that it is NBT (netbios over TCP) traffic. (Windows services) Now we need to find out how it is getting there!

How about the IPConfig/all from the 2005MCE machine?

Also, on the 2005machine, can you provide the "route print?"

Right now I'm thinking you have a 10.X network address programmed on your Wireless NIC (maybe WINS or DNS entry, or even a LMHost entry)

The route print and IPCONFIG/ALL should get us a bit closer.

 

12 Posts

November 21st, 2005 15:00

It did not fix the problem, it was looking good then it happened again.

12 Posts

November 21st, 2005 17:00

Here is the ipconfig /all
 
Windows IP Configuration
 
        Host Name . . . . . . . . . . . . : THOMAS
        Primary Dns Suffix  . . . . . . . :
        Node Type . . . . . . . . . . . . : Hybrid
        IP Routing Enabled. . . . . . . . : No
        WINS Proxy Enabled. . . . . . . . : No
        DNS Suffix Search List. . . . . . : Thayer.local
 
Ethernet adapter Local Area Connection:
 
        Connection-specific DNS Suffix  . : Thayer.local
        Description . . . . . . . . . . . : Broadcom 440x 10/100 Integrated Controller
        Physical Address. . . . . . . . . : 00-12-3F-E4-E7-4D
        Dhcp Enabled. . . . . . . . . . . : Yes
        Autoconfiguration Enabled . . . . : Yes
        IP Address. . . . . . . . . . . . : 10.0.0.43
        Subnet Mask . . . . . . . . . . . : 255.0.0.0
        Default Gateway . . . . . . . . . :
        DHCP Server . . . . . . . . . . . : 10.10.1.1
        DNS Servers . . . . . . . . . . . : 10.10.1.1
        Lease Obtained. . . . . . . . . . : Monday, November 21, 2005 7:19:09 AM
        Lease Expires . . . . . . . . . . : Thursday, December 01, 2005 10:19:09 AM
 
Ethernet adapter Wireless Network Connection:
 
        Connection-specific DNS Suffix  . :
        Description . . . . . . . . . . . : Intel(R) PRO/Wireless 2200BG Network Connection
        Physical Address. . . . . . . . . : 00-13-CE-33-58-10
        Dhcp Enabled. . . . . . . . . . . : Yes
        Autoconfiguration Enabled . . . . : Yes
        IP Address. . . . . . . . . . . . : 192.168.0.101
        Subnet Mask . . . . . . . . . . . : 255.255.255.0
        Default Gateway . . . . . . . . . : 192.168.0.1
        DHCP Server . . . . . . . . . . . : 192.168.0.1
        DNS Servers . . . . . . . . . . . : 141.154.0.68
        Lease Obtained. . . . . . . . . . : Monday, November 21, 2005 1:48:11 PM
        Lease Expires . . . . . . . . . . : Monday, November 28, 2005 1:48:11 PM
 
Here is nbtstat -c on the mc2005
   
Local Area Connection:
Node IpAddress: [10.0.0.43] Scope Id: []
 
    No names in cache
   
Wireless Network Connection:
Node IpAddress: [192.168.0.101] Scope Id: []
 
    No names in cache
 
Here is nbtstat -r on the mc2005
 
    NetBIOS Names Resolution and Registration Statistics
    ----------------------------------------------------
 
    Resolved By Broadcast     = 121
    Resolved By Name Server   = 0
 
    Registered By Broadcast   = 31
    Registered By Name Server = 0
 
    NetBIOS Names Resolved By Broadcast
---------------------------------------------
           SERVER         <00>
           AOSERVER       <00>
           SERVER         
           AOSERVER       
           AOSERVER       <00>
           SERVER         
           SERVER         
           AOSERVER       
 
SERVER and AOSERVER ARE THE WINDOWS 98 COMPUTERS WITH PRINTERS ATTACHED. BOTH WERE AT ONE TIME OUR MAIN SERVER. HENCE THE NAME SERVER.
 
Here is nbtstat for the Windows 98 computer called SERVER

NetBIOS Names Resolution and Registration Statistics
----------------------------------------------------
Resolved By Broadcast     = 1
Resolved By Name Server   = 0
Registered By Broadcast   = 5
Registered By Name Server = 0
    NetBIOS Names Resolved By Broadcast
---------------------------------------------
       XP-SERVER      
 
XP-SERVER IS CURRENTLY OUR WINDOWS 2000 SERVER. IT WAS AT ONE TIME XP-PRO SETUP AS OUR SERVER. I KEPT THE NAME BECAUSE I WRITE MANY PROGRAMS THAT CALL FOR FILES USING UNC NAMES.
 
SORRY IF ITS CONFUSING.
 
I HOPE THIS INFO HELPS.
 
HOW DO I DO A PRINT ROUTE ? I'M SURE I DID ONE ONCE, BUT I CAN'T REMEMBER.
 
THANKS

12 Posts

November 21st, 2005 18:00

how do I do the route print ?

241 Posts

November 21st, 2005 18:00

Still need the route print but I'm thinking we are getting closer.
 

241 Posts

November 21st, 2005 22:00

Sorry about that..

Go to a cmd prompt on the 2005MCE and issue the command "Route Print"

You will get something like, but quite a bit more than the following

 

C:\>route print
===========================================================================
Interface List
0x1 ........................... MS TCP Loopback interface
0x2 ...00 0d 56 ea f6 3d ...... Broadcom 570x Gigabit Integrated Controller - Pa
cket Scheduler Miniport
0x10004 ...00 90 4b 74 aa 46 ...... Dell TrueMobile 1300 WLAN Mini-PCI Card
0x10005 ...00 10 c6 c2 d2 46 ...... Bluetooth Personal Area Network from TOSHIBA
 - Packet Scheduler Miniport
===========================================================================
===========================================================================
Active Routes:
Network Destination        Netmask          Gateway       Interface  Metric
          0.0.0.0          0.0.0.0      192.168.2.1   192.168.2.100       25
        127.0.0.0        255.0.0.0        127.0.0.1       127.0.0.1       1
      192.168.2.0    255.255.255.0    192.168.2.100   192.168.2.100       25
    192.168.2.100  255.255.255.255        127.0.0.1       127.0.0.1       25
    192.168.2.255  255.255.255.255    192.168.2.100   192.168.2.100       25
        224.0.0.0        240.0.0.0    192.168.2.100   192.168.2.100       25
  255.255.255.255  255.255.255.255    192.168.2.100               2       1
  255.255.255.255  255.255.255.255    192.168.2.100   192.168.2.100       1
  255.255.255.255  255.255.255.255    192.168.2.100           10005       1
Default Gateway:       192.168.2.1
===========================================================================
Persistent Routes:
  None
 
 

12 Posts

November 22nd, 2005 12:00

route print from mc2005
 
===========================================================================
Interface List
0x1 ........................... MS TCP Loopback interface
0x2 ...00 12 3f e4 e7 4d ...... Broadcom 440x 10/100 Integrated Controller - Packet Scheduler Miniport
0x3 ...00 13 ce 33 58 10 ...... Intel(R) PRO/Wireless 2200BG Network Connection - Packet Scheduler Miniport
===========================================================================
===========================================================================
Active Routes:
Network Destination        Netmask          Gateway       Interface  Metric
          0.0.0.0          0.0.0.0      192.168.0.1   192.168.0.101   25
         10.0.0.0        255.0.0.0        10.0.0.43       10.0.0.43   20
        10.0.0.43  255.255.255.255        127.0.0.1       127.0.0.1   20
   10.255.255.255  255.255.255.255        10.0.0.43       10.0.0.43   20
        127.0.0.0        255.0.0.0        127.0.0.1       127.0.0.1   1
      192.168.0.0    255.255.255.0    192.168.0.101   192.168.0.101   25
    192.168.0.101  255.255.255.255        127.0.0.1       127.0.0.1   25
    192.168.0.255  255.255.255.255    192.168.0.101   192.168.0.101   25
        224.0.0.0        240.0.0.0        10.0.0.43       10.0.0.43   20
        224.0.0.0        240.0.0.0    192.168.0.101   192.168.0.101   25
  255.255.255.255  255.255.255.255        10.0.0.43       10.0.0.43   1
  255.255.255.255  255.255.255.255    192.168.0.101   192.168.0.101   1
Default Gateway:       192.168.0.1
===========================================================================
Persistent Routes:
  None
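
Added example, not part of the original posts: a route lookup over the unicast rows of the `route print` above, to check which interface the MCE 2005 machine uses to reach 10.0.0.31 and whether the Windows 98 host has a route back to the source address it logged in netstat. The Windows 98 routing table (on-link 10.0.0.0/8, no default gateway) is an assumption, since the thread does not show it.

```python
import ipaddress

# Active Routes rows from the `route print` posted for the MCE 2005 machine
# (multicast and limited-broadcast rows omitted).
MCE_ROUTES = """\
0.0.0.0          0.0.0.0      192.168.0.1   192.168.0.101   25
10.0.0.0        255.0.0.0        10.0.0.43       10.0.0.43   20
10.0.0.43  255.255.255.255        127.0.0.1       127.0.0.1   20
10.255.255.255  255.255.255.255        10.0.0.43       10.0.0.43   20
127.0.0.0        255.0.0.0        127.0.0.1       127.0.0.1   1
192.168.0.0    255.255.255.0    192.168.0.101   192.168.0.101   25
192.168.0.101  255.255.255.255        127.0.0.1       127.0.0.1   25
192.168.0.255  255.255.255.255    192.168.0.101   192.168.0.101   25
"""
# Assumed table for the Windows 98 print host: on-link 10.0.0.0/8, no gateway.
WIN98_ROUTES = "10.0.0.0  255.0.0.0  10.0.0.31  10.0.0.31  1\n"


def parse_routes(text):
    """Parse 'destination netmask gateway interface metric' rows."""
    routes = []
    for line in text.splitlines():
        f = line.split()
        if len(f) != 5:
            continue
        # Convert the dotted netmask to a prefix length.
        prefix = bin(int(ipaddress.IPv4Address(f[1]))).count("1")
        routes.append({"net": ipaddress.ip_network(f"{f[0]}/{prefix}"),
                       "gateway": f[2], "interface": f[3], "metric": int(f[4])})
    return routes


def best_route(routes, dst):
    """Longest prefix wins; the lower metric breaks ties. None if no match."""
    addr = ipaddress.ip_address(dst)
    hits = [r for r in routes if addr in r["net"]]
    if not hits:
        return None
    return max(hits, key=lambda r: (r["net"].prefixlen, -r["metric"]))


def check_path(client_routes, server_routes, seen_source, server_ip):
    """Compare the source address the server logged with the client's egress
    interface, and test whether the server has a route back to that source."""
    out = best_route(client_routes, server_ip)
    back = best_route(server_routes, seen_source)
    return {"egress_interface": out["interface"] if out else None,
            "source_is_egress_address": bool(out) and out["interface"] == seen_source,
            "server_can_reply": back is not None}


if __name__ == "__main__":
    print(check_path(parse_routes(MCE_ROUTES), parse_routes(WIN98_ROUTES),
                     "192.168.0.101", "10.0.0.31"))
```

A listener that has no route back to the source address of a SYN cannot deliver its SYN-ACK, so the connection cannot leave SYN_RECEIVED until it times out.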