Detected TCP Flooding attack

Discussion in 'ESET Smart Security' started by flankengott, Mar 4, 2009.

Thread Status:
Not open for further replies.
  1. flankengott

    flankengott Registered Member

    Joined:
    Nov 15, 2007
    Posts:
    4
    Hello,

    Yesterday I installed the new final ESS 4.0.314 on my computer. I use Vista 64-bit with an AVM FRITZ!Box DSL router. After about 10 minutes of surfing the internet I had the problem that my browsers (Opera and Internet Explorer) couldn't get to any websites. 5 to 10 minutes later everything was OK.

    I opened the log in ESS and noticed the entry "Detected TCP Flooding attack". With ESS 3.0 I never had any problems getting to websites. Is it a problem of the new firewall in ESS 4.0.314?

    Any help very gratefully accepted, and thanks.
     
    Last edited: Mar 4, 2009
  2. Novicex

    Novicex Registered Member

    Joined:
    Jan 21, 2009
    Posts:
    72
    This happens because some address (website) tried to connect to you many, many times via TCP in a short period of time, possibly with no good intentions, so ESET considered it a "flood".
     
  3. flankengott

    flankengott Registered Member

    Joined:
    Nov 15, 2007
    Posts:
    4
    Hello, thank you for your quick response.

    So the reason for the detected TCP flooding attack is that some address (website) tried to connect to me many times via TCP in a short period of time.

    But I'm only surfing to common addresses and I don't understand why these common addresses should cause a TCP flooding attack. I surfed my favourite sites (for example Google or Chip) many times before with no problems using ESS 3.0. Is it possible that this is a problem between my router and ESS 4.0?

    Is it possible to switch the flooding attack alarm off in ESS 4.0?
     
  4. mickhardy

    mickhardy Registered Member

    Joined:
    May 16, 2005
    Posts:
    140
    Location:
    Australia
    I too had the flooding attack problem. I'm unsure whether it's due to normal SBS 2003 network traffic or possibly Skype, but disabling ICMP Protocol Attack Detection rectified the issue for me.

    EDIT: All other settings on the "IDS and Advanced options" page are currently default.

    [Attached screenshots: ICMP Flooding.jpg, Flooding Attacks.jpg]
     
  5. flankengott

    flankengott Registered Member

    Joined:
    Nov 15, 2007
    Posts:
    4
    thanks a lot for your answer.

    I don't know if we are talking about the same thing. In my log I have the entry "Detected TCP Flooding attack", but you have "Detected ICMP Flooding attack". I think it is something else.

    Does anyone else have an answer for me?
     
  6. mickhardy

    mickhardy Registered Member

    Joined:
    May 16, 2005
    Posts:
    140
    Location:
    Australia
    My bad. Sorry. We've had some flooding recently in North Queensland but that's not the answer either. :rolleyes:
     
  7. Novicex

    Novicex Registered Member

    Joined:
    Jan 21, 2009
    Posts:
    72
    ICMP flooding attack - it is flooding via ping. "A ping flood is a simple denial-of-service attack where the attacker overwhelms the victim with ICMP Echo Request (ping) packets."
    TCP Flooding attack is as I said before, and it's "The TCP SYN Flooding attack takes advantage of the way the TCP protocol establishes a new connection. Each time a client, such as a Netscape browser, attempts to open a connection with a server, some information is stored on the server. Because the information stored takes up memory and operating system resources, only a limited number of in-progress connections are allowed, typically less than ten (more commonly six or less). When the server receives an acknowledgement from the client, the server considers the connection open, and the queue resources are freed for accepting another new connection."

    http://www.petri.co.il/block_ping_traffic_with_ipsec.htm or block it with the firewall.
     
  8. garryh

    garryh Registered Member

    Joined:
    Jul 18, 2009
    Posts:
    10
    I have a Samsung TV that uses a computer program, PC Share, to permit viewing/listening to computer data (photos, movies, music) on my TV, using the TV remote to navigate the hard drive directory/folder structure.

    About four months ago I installed this software and could not get it to work because the ESET Smart Security firewall perceived the TV as a source of TCP flooding attacks. I contacted ESET and was advised to upgrade to version 4.x and to use the new learn mode to fix the problem. I did as advised with no success. Although the learn mode created appropriate rules (same rules I had been creating manually) the connection would always be shut down in about 15 seconds. The firewall log indicated that the TV IP address was the source of a TCP flooding attack.

    In this particular case there is a lot of data being passed from the computer to the TV, e.g. thumbnail display of folder containing a hundred or so vacation photos.

    I decided to wait for a newer version of ESET Smart Security and Samsung’s PC Share before putting any more effort in the matter. I recently got the latest version of ESET SS 4.0.037 and Samsung’s PC Share ver. 1.5, and discovered the problem remained.

    I contacted ESET and they advised that I should use the interactive mode of the firewall, why interactive over learn I don’t know, but regardless I had already tried interactive with the same results.

    After reading this thread I noticed that two options below ICMP protocol attack detection there was TCP protocol attack detection. I unchecked this box and, poof, my Samsung PC Share application worked flawlessly.

    I wondered if I could have simply unchecked this box all along, so I set the firewall back to automatic mode and it broke the connection between my computer and the TV. I then set it to automatic mode with exceptions and communication was restored.

    I would like to see ESET SS modified so that when you create a rule you could also undo some of these protections, but just for that application or device. The way it is now I have to globally turn off TCP protocol attack detection. I then have to remember to turn it back on when I want to get my e-mail or browse.

    So thanks to this thread I was able to resolve my problem. I am not sure I would have been willing to disable the TCP protocol attack detection if I was trying to use an Internet resource as described above—but for the home network TV viewing application it seems reasonable.
     
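The SYN-rate mechanism Novicex describes in post 7, and the false positive garryh hits in post 8 (a trusted LAN device legitimately opening many connections, with only a global on/off switch to avoid it), as an added example in Python. This is not ESET's code and makes no claim about how ESET's IDS actually counts; the window, threshold, addresses, port numbers and log lines are all constructed for illustration. It flags any source that exceeds a SYN-rate threshold within a sliding window, ignores the SYN/ACK replies that the PC's own browsing produces, and shows how a per-source allowlist lets the TV through while an external burst is still caught.

```python
from collections import defaultdict, deque

# Assumed detector parameters; ESET's real thresholds are not documented in the thread.
WINDOW_SECONDS = 1.0
SYN_THRESHOLD = 20  # more than this many new connection attempts per source per window


def parse_line(line):
    """Parse 'timestamp src_ip dst_port tcp_flags' into typed fields."""
    ts, src, dport, flags = line.split()
    return float(ts), src, int(dport), flags


def detect_floods(log_lines, window=WINDOW_SECONDS, threshold=SYN_THRESHOLD,
                  allowlist=frozenset()):
    """Return [(timestamp, src_ip), ...]: the moment each source first exceeds
    `threshold` connection-initiating SYNs inside a sliding `window` of seconds.
    Sources in `allowlist` are never flagged (the per-device exception the
    thread asks for, instead of switching detection off globally)."""
    recent = defaultdict(deque)  # src_ip -> timestamps of its recent SYNs
    flagged = set()
    alerts = []
    for line in log_lines:
        if not line.strip() or line.startswith("#"):
            continue
        ts, src, _dport, flags = parse_line(line)
        # Only bare SYNs are new connection attempts; SYN/ACK replies to the
        # PC's own outgoing connections (normal browsing) are not counted.
        if "S" not in flags or "A" in flags:
            continue
        if src in allowlist or src in flagged:
            continue
        q = recent[src]
        q.append(ts)
        while q and ts - q[0] > window:
            q.popleft()
        if len(q) > threshold:
            flagged.add(src)
            alerts.append((ts, src))
    return alerts


def build_sample_log():
    """Constructed inbound-TCP sample (not a real capture). Addresses are
    illustrative: 192.168.178.x is a home LAN behind a FRITZ!Box, 203.0.113.7
    is a documentation-range 'internet' host."""
    lines = ["# ts src_ip dst_port flags"]
    # A LAN PC opening three file-sharing connections: well under the threshold.
    lines += [f"{0.5 + i * 0.7:.2f} 192.168.178.30 445 S" for i in range(3)]
    # Replies from a web server to the PC's own browsing: SYN/ACK, not counted.
    lines += [f"{1.0 + i * 0.05:.2f} 198.51.100.10 49152 SA" for i in range(30)]
    # The TV's media client fetching thumbnails: 60 short connections in 0.6 s.
    lines += [f"{2.0 + i * 0.01:.2f} 192.168.178.20 2869 S" for i in range(60)]
    # An external host sending 50 SYNs in half a second to a closed port.
    lines += [f"{5.0 + i * 0.01:.2f} 203.0.113.7 3389 S" for i in range(50)]
    return lines


if __name__ == "__main__":
    log = build_sample_log()
    print("global detection:", detect_floods(log))
    print("TV allow-listed: ", detect_floods(log, allowlist={"192.168.178.20"}))
```

Run as-is, the first call flags both the TV and the external host at their 21st SYN; the second, with the TV's address allow-listed, flags only the external host. That is the behaviour garryh wants from a per-device rule: the burst detection stays on for the internet while the known LAN device is exempted, rather than the whole TCP protocol attack detection being switched off.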