Syn flood attack coming from network computer: should I be worried?

Started by viper37, August 02, 2015, 12:32:54 AM


viper37

I've had so much shit last week...

Anyway.  As I was working yesterday night, trying to fix my problems, my office firewall (Eset) detected an attack coming from the other office Windows computer on the network, described as a "Syn flood attack".  Sort of a port scan, from what I gather.

This particular computer has already been scanned with 2 different rescue antivirus (Kaspersky and AVG) which found nothing.  Previously, since Windows updates would no longer install themselves and a Windows refresh was not working at all, I decided to delete the partition and reinstall Windows 8.1.  Then I installed Eset and Malwarebytes and SuperAntiSpyware and made initial scans, all clean.

I then installed the software I needed, left it on as I was doing something else... and then this warning came.  I immediately shut down the computer, I did not have time to investigate.

Could this be a false alert or should I be worried there is some kind of hidden malware on this computer that is troublesome to find?
I don't do meditation.  I drink alcohol to relax, like normal people.

If Microsoft Excel decided to stop working overnight, the world would practically end.

DontSayBanana

Quote from: viper37 on August 02, 2015, 12:32:54 AM
I've had so much shit last week...

Anyway.  As I was working yesterday night, trying to fix my problems, my office firewall (Eset) detected an attack coming from the other office Windows computer on the network, described as a "Syn flood attack".  Sort of a port scan, from what I gather.

This particular computer has already been scanned with 2 different rescue antivirus (Kaspersky and AVG) which found nothing.  Previously, since Windows updates would no longer install themselves and a Windows refresh was not working at all, I decided to delete the partition and reinstall Windows 8.1.  Then I installed Eset and Malwarebytes and SuperAntiSpyware and made initial scans, all clean.

I then installed the software I needed, left it on as I was doing something else... and then this warning came.  I immediately shut down the computer, I did not have time to investigate.

Could this be a false alert or should I be worried there is some kind of hidden malware on this computer that is troublesome to find?

One of the things I read about SYN floods is that they often use spoofed IP addresses; it doesn't sound like the kind of complex malware that could lodge itself in the master boot record, so the fact that you're still getting a positive from that address even after reinstalling Windows makes me think that might be the case. Can you double-check the identity of the attacker at another OSI level, maybe the NIC?
Experience bij!

viper37

Quote: can you double-check the identity of the attacker at another OSI level, maybe the NIC?


how do I double check the identity of the attacker?  Where and what do I look for?

DontSayBanana

Quote from: viper37 on August 02, 2015, 06:50:39 PM
Quote: can you double-check the identity of the attacker at another OSI level, maybe the NIC?


how do I double check the identity of the attacker?  Where and what do I look for?

Actually, I'm gonna backtrack a little bit. After thinking about it, my suspicion is an external attacker found some open ports and is routing SYN requests through that machine.  Do you use static IP addresses?

viper37

Quote from: DontSayBanana on August 02, 2015, 09:43:41 PM
Quote from: viper37 on August 02, 2015, 06:50:39 PM
Quote: can you double-check the identity of the attacker at another OSI level, maybe the NIC?


how do I double check the identity of the attacker?  Where and what do I look for?

Actually, I'm gonna backtrack a little bit. After thinking about it, my suspicion is an external attacker found some open ports and is routing SYN requests through that machine.  Do you use static IP addresses?
on the network, yes.  Outside (internet), no, dynamic IP from the ISP.

Darth Wagtaros

Could be a false positive.  You could always turn it on and put Wireshark on.  If your firewall starts up again you can turn on Wireshark.  Or leave it on and filter for SYN traffic.
PDH!
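The two suggestions above (check the sender's identity at the link layer, and capture with Wireshark filtered for SYN traffic) can be combined into a simple triage. The Wireshark display filter for bare SYNs is `tcp.flags.syn == 1 && tcp.flags.ack == 0`; once those packets are exported, the script below (an added example, not code from anyone in this thread) groups them per source address, counts the peak number of SYNs in a one-second window, counts distinct destination ports, and records which MAC addresses each IP was seen from. A burst of SYNs to one port reads as a flood, one SYN per port across many ports reads as a scan, and one IP showing up from two MACs is the spoofing or address-sharing hint DontSayBanana was after. The packet records and the IP/MAC values are constructed for the example; the thresholds are assumptions to tune against your own baseline.

```python
"""Triage bare-SYN packets per source: flood vs scan vs normal, plus MAC check.

Added example. Input mimics a Wireshark export after filtering with
``tcp.flags.syn == 1 && tcp.flags.ack == 0`` (plus a few SYN+ACKs to show
that the filter step discards them). All records below are constructed.
"""
from collections import defaultdict

# Constructed sample: (time_s, src_mac, src_ip, dst_ip, dst_port, flags).
# Flags use Wireshark's letters: "S" = SYN only, "SA" = SYN+ACK.
SAMPLE_PACKETS = (
    # normal SMB traffic from another office PC: three SYNs, each answered
    [(0.10 * i, "aa:aa:aa:aa:aa:01", "192.168.1.20", "192.168.1.10", 445, "S")
     for i in range(3)]
    + [(0.10 * i + 0.01, "cc:cc:cc:cc:cc:10", "192.168.1.10", "192.168.1.20",
        50000 + i, "SA") for i in range(3)]
    # flood: 80 SYNs to port 80 in under half a second, all from one MAC
    + [(5.0 + 0.005 * k, "bb:bb:bb:bb:bb:02", "192.168.1.30", "192.168.1.10", 80, "S")
       for k in range(80)]
    # scan: one SYN per port, 20 ports spread over two seconds
    + [(10.0 + 0.1 * k, "dd:dd:dd:dd:dd:03", "192.168.1.40", "192.168.1.10", 20 + k, "S")
       for k in range(20)]
    # spoofing hint: the same 192.168.1.30 address later seen from a second MAC
    + [(12.0, "ee:ee:ee:ee:ee:04", "192.168.1.30", "192.168.1.10", 80, "S")]
)


def is_syn_only(flags):
    """True for a bare SYN, i.e. what tcp.flags.syn == 1 && tcp.flags.ack == 0 keeps."""
    return flags == "S"


def peak_in_window(times, window_s):
    """Largest number of timestamps falling inside any (t - window_s, t] interval."""
    times = sorted(times)
    best = 0
    j = 0
    for i, t in enumerate(times):
        while times[j] < t - window_s:   # slide the window's left edge forward
            j += 1
        best = max(best, i - j + 1)
    return best


def triage(packets, window_s=1.0, flood_threshold=50, scan_ports=10):
    """Per-source verdicts. Thresholds are assumed values, tune to your baseline."""
    per_src = defaultdict(lambda: {"times": [], "ports": set(), "macs": set()})
    for t, mac, src, _dst, dport, flags in packets:
        if not is_syn_only(flags):
            continue
        s = per_src[src]
        s["times"].append(t)
        s["ports"].add(dport)
        s["macs"].add(mac)

    report = {}
    for src, s in per_src.items():
        peak = peak_in_window(s["times"], window_s)
        if peak >= flood_threshold:
            verdict = "syn-flood"        # many SYNs in a short burst
        elif len(s["ports"]) >= scan_ports:
            verdict = "port-scan"        # few SYNs per port, many ports
        else:
            verdict = "normal"
        report[src] = {
            "syn_count": len(s["times"]),
            "peak_per_window": peak,
            "distinct_ports": len(s["ports"]),
            "macs": sorted(s["macs"]),
            "verdict": verdict,
            # one IP seen from two MACs: spoofed source, or two hosts on one address
            "multiple_macs": len(s["macs"]) > 1,
        }
    return report


if __name__ == "__main__":
    for src, r in sorted(triage(SAMPLE_PACKETS).items()):
        print(src, r)
```

On the machine itself, the MAC behind an IP on the local segment comes from the ARP cache (`arp -a` on Windows), so a source IP in the alert that maps to a MAC other than the suspect PC's own adapter, or that changes between alerts, points at spoofing or a third host rather than that PC.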