Router forwarding fails - hacker attack?

  • Question

  • This has happened multiple times. I will get remote access working by turning it off then restarting it again. Remote access works fine for a day or two, then suddenly the console button turns yellow and the warning is that router forwarding has failed.

    When I go to my router (Acor) intrusion detection log I find hundreds of attempts recorded by the WHS internal IP address to access an unknown external IP (the last time it was 65.55.7.141), each usually a second apart, from a steadily increasing port number. The last time it tried virtually every possible port number between 3602 and 5000 (all outbound over Port 80), then jumped to 1028 and reached 1226 with the last entry. Each log entry was flagged as "***SYN Flood***".

    Incidentally, 65.55.7.141 does not respond to a ping.

    Mixed in with these entries are also apparently legitimate ones over ports 80 and 443 to my current external IP.

    It makes no sense to me why these entries are in the intrusion log in the first place or whether they have any relationship to the router forwarding failing but I am going crazy trying to keep WHS up on the internet.

    Any ideas or suggestions would be greatly appreciated.
    Friday, June 11, 2010 2:25 PM

All replies

  • On 6/11/2010 9:25 AM, Roger1244 wrote:
    > This has happened multiple times. I will get remote access working by
    > turning it off then restarting it again. Remote access works fine for a
    > day or two, then suddenly the console button turns yellow and the
    > warning is that router forwarding has failed.
    >
    > When I go to my router (Acor) intrusion detection log I find hundreds of
    > attempts recorded by the WHS internal IP address to access an unknown
    > external IP (the last time it was 65.55.7.141), each usually a second
    > apart, from a steadily increasing port number. The last time it tried
    > virtually every possible port number between 3602 and 5,000 (all
    > outbound over Port 80), then jumped to 1028 and reached 1226 with the
    > last entry. Each log entry was flagged as "***SYN Flood***".
    >
    > Incidentally, 65.55.7.141 does not respond to a ping.
    >
    > Mixed in with these entries are also apparently legitimate ones over
    > ports 80 and 443 to my current external IP.
    >
    > It makes no sense to me why these entries are in the intrusion log in
    > the first place or whether they have any relationship to the router
    > forwarding failing but I am going crazy trying to keep WHS up on the
    > internet.
    >
    > Any ideas or suggestions would be greatly appreciated.
     
    Hello Roger,
     
    The IP Address 65.55.7.141 resolves to Microsoft. So, it's most likely
    your home server trying to phone home (to register your IP address).
    Does your router support uPnP? You may also want to configure the
    router to accept connections on Ports 80, 443, and 4125 (3389 if you
    want to be able to use "Remote Desktop Connection" without having to go
    through the website), and forward them to your server's IP Address (if
    you haven't done so, make your server a static IP instead of letting it
    "get one" from the router).
     
    It could also be the router causing the problem. Does unplugging the
    router, and plugging it back in about 20 seconds later fix the issue?
    You'll want to shut all of your computers down, then restart them after
    you've power-cycled the router/modem-- I usually start the server first,
    then any other computer with a static IP and then the rest in any order.
     
    If unplugging the router fixes the issue, then it's something to do with
    your router. You may want to find out which routers work best with WHS
    (I'm not sure myself as I'm going a different route altogether for my
    network).
     
    Hope this helps, and have a great day:)
    Patrick.
     
    --
    Smile... Someone out there cares deeply for you.
    Have you updated your OS and Antivirus today?
     

    Friday, June 11, 2010 3:49 PM
  • Hi again Patrick.

    I am very relieved to learn that 65.55.7.141 resolves to Microsoft (how did you determine this?) as it means I can rule out an attempted hacker attack.

    My router does support uPnP but I have still mapped TCP Lan ports 80,443,4125 to public ports 80,443,4125 for my WHS (which has a fixed internal IP address of 192.168.2.100).

    The NAT mapping (after the shutdown, restart of the router, and restart of the server and my local machine) on the WHS machine shows 192.168.2.100 mapped to my external IP, pseudo Port 1527, PeerIP 65.55.7.141 (that one again!) and Peer Port 80. This all looks perfect, and I again have WHS access.

    Remote Access on the WHS console however says my server is not available from the internet, which is clearly false. Any idea why?

    OK, but I have already done this shutdown-restart process several times. Based on past experience, remote access will fail again in 24 - 36 hours. What on earth is WHS doing with this scan of hundreds of ports to 65.55.7.141? My router thinks it is something called SYN flooding and appears to shut down port forwarding.

    There is a firewall setting on the router called "TCP SYN Wait", currently set to 30 seconds. What is this, and do you think I can safely try to increase the setting without exposing myself to hackers?

    There is also something called "TCP FIN Wait", set to 5 seconds.

    Thanks again for your help.

    Friday, June 11, 2010 8:55 PM
  • Hi Patrick,

    Thanks for your help. How did you determine that 65.55.7.141 resolves to Microsoft?

    Your suggested shutdown, router reboot, restart worked again as it has several times in the past. Based on past experience, though, it will fail again in 24 - 36 hours.

    Here are a couple of possible clues:

    • Even though I can again access WHS from the internet, Remote Access on the WHS console says that I cannot. (???)
    • My router firewall has a setting "TCP SYN Wait" that is currently set to 30 seconds. Given that the error message was "SYN Flooding", should I try increasing this limit? (It would be helpful to know why WHS is suddenly attempting to send stuff from hundreds of ports to 65.55.7.141)
    • There is also a firewall setting "TCP FIN Wait" that is set to 5 seconds. I can find no clue as to what this is.

    With regard to your configuration suggestions:

    • WHS has a fixed internal IP address of 192.168.2.100
    • The DHCP server is configured to assign addresses from 192.168.2.100 through 192.168.2.199
    • My router does support uPnP but I have still manually mapped the TCP Lan ports 80,443,4125 on 192.168.2.100 to the same public ports.
    Thanks again for your help
    Friday, June 11, 2010 9:08 PM
  • Remote Access on the WHS console will tell you that no access from the Internet is available if the router does not support loopback (access from within your LAN via the Internet back into your LAN). So the verification fails, and you get the message.

    In this case you can only try to access your WHS from outside to ensure that the port forwarding works.

    I am not sure about settings on the router's firewall, since my router does not invoke such settings. But it could well be the cause for the dynamic DNS service failing to reregister. If your router supports this, you could try to disable the firewall functionality for all outgoing traffic. (Or the firewall special functions of the router in total, since there is still NAT translation as a borderline between the internal and external network blocking access from outside, and the clients + WHS should have their own Windows Firewall on top.)

    Best greetings from Germany
    Olaf

    Friday, June 11, 2010 9:18 PM
    Moderator
  • > Hi Patrick,
    >
    > Thanks for your help. How did you determine that 65.55.7.141 resolves to Microsoft?
    >
    > Your suggested shutdown, router reboot, restart worked again as it has several times in the past. Based on past experience, though, it will fail again in 24 - 36 hours.
    >
    > Here are a couple of possible clues:
    >
    > • Even though I can again access WHS from the internet, Remote Access on the WHS console says that I cannot. (???)
    > • My router firewall has a setting "TCP SYN Wait" that is currently set to 30 seconds. Given that the error message was "SYN Flooding", should I try increasing this limit? (It would be helpful to know why WHS is suddenly attempting to send stuff from hundreds of ports to 65.55.7.141)
    > • There is also a firewall setting "TCP FIN Wait" that is set to 5 seconds. I can find no clue as to what this is.
    >
    > With regard to your configuration suggestions:
    >
    > • WHS has a fixed internal IP address of 192.168.2.100
    > • The DHCP server is configured to assign addresses from 192.168.2.100 through 192.168.2.199

    You should change your configuration so that there are no static IPs in the DHCP IP pool (either move your server down to .99 or start your pool at .101).

    > • My router does support uPnP but I have still manually mapped the TCP Lan ports 80,443,4125 on 192.168.2.100 to the same public ports.
    > Thanks again for your help
    Friday, June 11, 2010 11:00 PM
    Moderator
  • Hi Roger, My answers will be inline with your quotes (if this works
    properly at least)...
     
    On 6/11/2010 3:55 PM, Roger1244 wrote:
    > Hi again Patrick.
    >
    > I am very relieved to learn that 65.55.7.141 resolves to Microsoft (how
    > did you determine this?) as it means I can rule out an attempted hacker
    > attack.
    >
     
    I went to the site http://www.arin.net and in the upper right hand
    corner, I put the IP address in the box marked "WHOIS" and had it check.
    Whois basically will find out who an IP is registered to.
     
    > My router does support uPnP but I have still mapped TCP Lan ports
    > 80,443,4125 to public ports 80,443,4125 for my WHS (which has a fixed
    > internal IP address of 192.168.2.100.)
    >
    > The NAT mapping (after the shutdown, restart of the router, and restart
    > of the server and my local machine) on the WHS machine shows
    > 192.168.2.100 mapped to my external IP, pseudo Port 1527, PeerIP
    > 65.55.7.141 (that one again!) and Peer Port 80. This all looks perfect,
    > and I again have WHS access.
    >
    > Remote Access on the WHS console however says my server is not available
    > from the internet, which is clearly false. Any idea why?
    >
     
    Olaf answered this one. When your server "phones home" it does three
    things. It checks to see if you can access the server from your local
    network (the 192.168.1.x IP addresses), then it checks to see if it can
    configure the router uPnP and sends the current IP Address from your
    network (what the Internet sees you as--from your modem usually) to
    Microsoft. Then it checks to see if it can access your server from the
    Internet.
     
    As Olaf recommended, you can try going to your server from a computer
    outside of your home network. If it works, then you can ignore the
    issue. However, if it doesn't, then you need to find out why.
     
    One possible reason is that your router and modem aren't "playing
    nicely" with each other. Your router may need a certain type of
    connection, and the modem and your Internet Provider may need a
    different type.
     
     
    > OK, but I have already done this shutdown-restart process several times.
    > Based on past experience, remote access will fail again in 24 - 36
    > hours. What on earth is WHS doing with this scan of hundreds of ports to
    > 65.55.7.141? My router thinks it is something called SYN flooding and
    > appears to shut down port forwarding.
    >
     
    SYN flooding sort of works like this... There's a type of protocol on
    the Internet called Transmission Control Protocol (TCP). Basically it's
    similar to you calling a phone operator and having them connect you to
    another person on the phone. The Syn packet is a synchronize packet to
    establish the connection.
     
    What's happening is that your server is sending out the SYN packets, and
    waiting for an ACK packet to come back (this tells your server that
    wherever it's trying to connect received the packet, and is ready for
    the next stage). It's not receiving these in the specific timeframe,
    and so it's sending out more SYN packets.
     
    In essence you're flooding the system with SYN Packets and creating a
    potential traffic jam (Denial of Service or Distributed Denial Of
    Service are two examples of these traffic jams).
     
    > There is a firewall setting on the router called "TCP SYN Wait",
    > currently set to 30 seconds. What is this, and do you think I can safely
    > try to increase the setting without exposing myself to hackers?
    >
     
    I'm not sure what the TCP SYN Wait does, so I don't want to recommend
    changing it. You could probably go to the manufacturer's website for
    your router and look there for information about it. As for the TCP FIN
    wait, I believe that's the packet (FIN) that your server sends out to
    tell the other connection that it's finished transmitting. So, I
    wouldn't worry about it.
     
    > There is also something called "TCP FIN Wait", set to 5 seconds.
    >
    > Thanks again for your help.
    >
     
    Sorry for the long, drawn-out answers, and the lessons in basic
    networking. I'm a believer in explaining why the answers are, so you
    understand it better.
     
    Have a great day:)
    Patrick.
     
    --
    Smile... Someone out there cares deeply for you.
    Have you updated your OS and Antivirus today?
     

    Saturday, June 12, 2010 12:09 AM
  • On 6/11/2010 4:08 PM, Roger1244 wrote:
    > Hi Patrick,
    >
    > Thanks for your help. How did you determine that 65.55.7.141 resolves to
    > Microsoft?
    >
    > Your suggested shutdown, router reboot, restart worked again as it has
    > several times in the past. Based on past experience, though, it will
    > fail again in 24 - 36 hours.
    >
    > Here are a couple of possible clues:
    >
    > * Even though I can again access WHS from the internet, Remote
    > Access on the WHS console says that I cannot. (???)
    > * My router firewall has a setting "TCP SYN Wait" that is currently
    > set to 30 seconds. Given that the error message was "SYN
    > Flooding", should I try increasing this limit? (It would be
    > helpful to know why WHS is suddenly attempting to send stuff from
    > hundreds of ports to 65.55.7.141)
    > * There is also a firewall setting "TCP FIN Wait" that is set to 5
    > seconds. I can find no clue as to what this is.
    >
    > With regard to your configuration suggestions:
    >
    > * WHS has a fixed internal IP address of 192.168.2.100
    > * The DHCP server is configured to assign addresses from
    > 192.168.2.100 through 192.168.2.199
    > * My router does support uPnP but I have still manually mapped the
    > TCP Lan ports 80,443,4125 on 192.168.2.100 to the same public ports.
    >
    > Thanks again for your help
     
    Hi Roger,
     
    Two things that I'll mention here. The reason that it's trying to
    hit 65.55.7.141 from every port is once it doesn't get through on the
    port it's trying, it tries another one (on the chance that the first
    port is blocked or being used by something else).
     
    The second thing is that you may want to change the assigned IPs to
    101 to 199. You don't want your server's IP address in the list that
    the router can give out to other computers. While it's rare, there is a
    possibility that your server will lose its IP address to another
    computer. Try changing the assigned IPs and see if that fixes anything.
     
    Hope this helps, and have a great day:)
    Patrick.
     
    --
    Smile... Someone out there cares deeply for you.
    Have you updated your OS and Antivirus today?
     

    Saturday, June 12, 2010 12:16 AM
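As an added example (not from anyone in this thread), a small Python script that groups router intrusion-log lines the way Patrick's two explanations describe: one internal host, one destination, source ports climbing one at a time, roughly a second apart, every line flagged as a SYN flood. The log layout is assumed, the sample lines are constructed, and 203.0.113.7 stands in for the poster's own public IP.

```python
from collections import defaultdict
from datetime import datetime

# Constructed sample (not the poster's real log) in an assumed layout of
# "date time src:port -> dst:port verdict"; 203.0.113.7 = poster's public IP.
SAMPLE_LOG = """\
2010-06-11 14:00:00 192.168.2.100:3602 -> 65.55.7.141:80 ***SYN Flood***
2010-06-11 14:00:01 192.168.2.100:3603 -> 65.55.7.141:80 ***SYN Flood***
2010-06-11 14:00:02 192.168.2.100:3604 -> 65.55.7.141:80 ***SYN Flood***
2010-06-11 14:00:02 192.168.2.100:3700 -> 203.0.113.7:443 ALLOW
2010-06-11 14:00:03 192.168.2.100:3605 -> 65.55.7.141:80 ***SYN Flood***
2010-06-11 14:00:04 192.168.2.100:3606 -> 65.55.7.141:80 ***SYN Flood***
2010-06-11 14:00:09 192.168.2.100:3720 -> 203.0.113.7:80 ALLOW
"""

def parse_log(text):
    """One dict per line: when, src, sport, dst, dport, verdict."""
    entries = []
    for line in text.splitlines():
        date, clock, src, _, dst, verdict = line.split(maxsplit=5)
        src_ip, sport = src.rsplit(":", 1)
        dst_ip, dport = dst.rsplit(":", 1)
        when = datetime.strptime(f"{date} {clock}", "%Y-%m-%d %H:%M:%S")
        entries.append(dict(when=when, src=src_ip, sport=int(sport),
                            dst=dst_ip, dport=int(dport), verdict=verdict))
    return entries

def summarize_flows(entries):
    """Group by (src, dst, dport); measure the one-per-second, rising-port pattern."""
    groups = defaultdict(list)
    for e in entries:
        groups[(e["src"], e["dst"], e["dport"])].append(e)
    out = {}
    for key, hits in groups.items():
        hits.sort(key=lambda e: e["when"])
        ports = [e["sport"] for e in hits]
        gaps = [(b["when"] - a["when"]).total_seconds() for a, b in zip(hits, hits[1:])]
        out[key] = dict(attempts=len(hits),
                        ports_increasing=all(a < b for a, b in zip(ports, ports[1:])),
                        max_gap_s=max(gaps, default=0.0),
                        all_flagged=all("SYN Flood" in e["verdict"] for e in hits))
    return out

def classify(summary, min_attempts=5, max_gap_s=2.0):
    """Steady flagged SYNs from rising source ports to one peer = a local client retrying."""
    if (summary["attempts"] >= min_attempts and summary["ports_increasing"]
            and summary["all_flagged"] and summary["max_gap_s"] <= max_gap_s):
        return "outbound-syn-retry"
    return "ordinary"
```

Run `classify` over each entry of `summarize_flows(parse_log(SAMPLE_LOG))`; the flow to 65.55.7.141:80 comes back as the retry pattern, while the two flows to the stand-in public IP stay ordinary.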
  • I'll never be someone who complains about "long, drawn-out explanations" or "lessons in basic networking" :-)

    Given how incomplete and confusing a lot of other posts about remote access have been, this thread ought to be pinned somewhere so that people who run into this in the future can easily find it.

    Thanks very much to everyone for your time. Thanks to all of you, I think I have a clearer understanding of what is going on and that will help me with further investigation. I'll come back with another post with any conclusions or clear solution.

    Saturday, June 12, 2010 6:45 PM