NeoRouter clients DoS Attacking/SYN Flooding Server
Page 1 of 1

Author:  GreatMarko [ Sun Dec 20, 2015 6:27 pm ]
Post subject:  NeoRouter clients DoS Attacking/SYN Flooding Server

Hi All,
Long time user of NeoRouter Free, but a very strange issue has developed in the last couple of days; the device which acts as my NeoRouter "Server" has been DoS attacked/SYN Flooded by my NeoRouter "client" devices!

Here's an extract from the server's firewall log:
(where are the IP addresses of my various NeoRouter "clients")

Note as well from my screenshot the incremental port numbers? If I reboot a client device, the ports being "attacked" on my NR server seem to start around 1000. Several attacks occur every minute per client device.

The only way to stop these attacks is to stop the "NRClientService" Windows service on the various clients connecting to my NeoRouter server.

So my question is, why are my NR clients suddenly all attacking my NR server and trying to connect on infinitely incremental ports? The correct port for NR is open on the "server" (32976) as it's always been(as I say I've been using NR Free for years!), and no recent configuration changes have taken place.

Anti-Virus software is up-to-date on all my devices, my devices are clean, and again, I would also reiterate that the attacks cease if I stop the "NRClientService" Windows service on various client devices - so it's a specific NR issue.

Can anyone shed any light on this? ...and especially why clients are now trying to connect on every port incrementally?!

I've had to kill NR on my clients otherwise the server becomes inaccessible due to being DoS'd/SYN'd

Author:  kevinz [ Sun Dec 20, 2015 8:42 pm ]
Post subject:  Re: NeoRouter clients DoS Attacking/SYN Flooding Server

Hi GreatMarko,

Do you have a NR client installed on the same machine as NR server? Is it running?
Which OS do you use? Can you collect the log file of the nrservice and send it to us so that we can investigate it?

There is logic in the NeoRouter software to connect to the NR server on multiple ports. NR client service get the NR server listen port information from NR domain name and connects to the server; NR server should expose the listen port to the Internet only, instead of a port range.

KevinZ - NeoRouter team

Page 1 of 1 All times are UTC - 5 hours
Powered by phpBB © 2000, 2002, 2005, 2007 phpBB Group