Freedome for Windows beta: Kaspersky intrusion detection denial-of-service warnings when connected
When I am connected to Finland via the Windows beta version of Freedome, the Kaspersky intrusion detection system logs a warning every few seconds that a (seemingly random) IP address tried to SYN-flood my PC.
Is that somehow related to F-Secure Freedome, or is the VPN itself being attacked by SYN floods and redirecting them to the connected users?
Comments
-
Because the VPN gateway acts as a NAT firewall, any SYN floods (or other connection attempts) from the outside won't be coming in via the VPN.
But maybe some packets related to your own connections are somehow visible to the IDS software in a way that gets it confused. Could you send its log file, showing those packets, to freedome-feedback@f-secure.com? It would be interesting to take a look at what is going on.
-
Status   Object            Path                                                                                                                   Time                 Detection
Inaktiv  res_0002          http://skuld.modthesims2.com/files/9/0/1/2/5/2/7/MTS_Raxdiam_1465166_TS4ModManager1.3.1.zip//TS4 Mod Manager.exe//   06.12.2014 18:25:03  not-a-virus:AdWare.MSIL.Kranet.qz
Inaktiv  173.194.112.24    173.194.112.24                                                                                                         06.12.2014 13:18:31  DoS.Generic.SYNFlood
Inaktiv  27.111.185.138    27.111.185.138                                                                                                         06.12.2014 13:18:22  DoS.Generic.SYNFlood
Inaktiv  134.170.189.4     134.170.189.4                                                                                                          06.12.2014 13:18:17  DoS.Generic.SYNFlood
Inaktiv  173.194.32.222    173.194.32.222                                                                                                         06.12.2014 13:17:57  DoS.Generic.SYNFlood
Inaktiv  88.198.27.50      88.198.27.50                                                                                                           06.12.2014 13:17:51  DoS.Generic.SYNFlood
Inaktiv  66.175.208.148    66.175.208.148                                                                                                         06.12.2014 13:17:47  DoS.Generic.SYNFlood
Inaktiv  134.170.120.152   134.170.120.152                                                                                                        06.12.2014 13:17:35  DoS.Generic.SYNFlood
Inaktiv  54.230.98.107     54.230.98.107                                                                                                          06.12.2014 13:17:32  DoS.Generic.SYNFlood
Inaktiv  134.170.51.253    134.170.51.253                                                                                                         06.12.2014 13:17:13  DoS.Generic.SYNFlood
Inaktiv  72.14.247.65      72.14.247.65                                                                                                           06.12.2014 13:16:21  DoS.Generic.SYNFlood
Inaktiv  108.162.232.204   108.162.232.204                                                                                                        06.12.2014 13:16:01  DoS.Generic.SYNFlood
Inaktiv  23.235.43.175     23.235.43.175                                                                                                          06.12.2014 13:14:32  DoS.Generic.SYNFlood
Inaktiv  174.142.193.61    174.142.193.61                                                                                                         06.12.2014 13:14:30  DoS.Generic.SYNFlood
Inaktiv  80.239.216.128    80.239.216.128                                                                                                         06.12.2014 13:13:48  DoS.Generic.SYNFlood
Inaktiv  69.171.237.20     69.171.237.20                                                                                                          06.12.2014 13:13:37  DoS.Generic.SYNFlood
Inaktiv  54.231.14.225     54.231.14.225                                                                                                          06.12.2014 13:13:32  DoS.Generic.SYNFlood
Log as screenshot: http://prntscr.com/5fnncz
Those are all the AV and firewall log entries from Kaspersky for that date. All the SYN-flood logs came while I was connected to Freedome (to Finland) and stopped when I was not connected. Today (and some days before) I have had no problems when using it. So I think these could be false positives.
The first log entry is a blocked web download due to adware, which was logged before I connected to Finland.
-
A user from the forum came to me via direct message with the theory that Kaspersky could be recognizing unusual traffic to one IP over one port...
If Freedome works by binding all traffic to one IP and port (the one of the VPN server), those Kaspersky SYN-flood messages could really be false positives.
On another installation, on a laptop, the Kaspersky messages persist after a reboot; on other systems a reboot helped, so that Kaspersky no longer marks every IP I surf to through the VPN as a "possible SYN flood"...
-
If the IDS product really marks every IP you surf through the VPN as "possible SYN-flood", I'd diagnose that as a bug in the IDS product.
It's probably not seeing your outgoing TCP SYN packets on the VPN interface, but it is seeing the TCP SYN-ACK packets coming back from the servers you're surfing to. Those packets would then be unexpected (not responses to the TCP SYN packets sent by your computer), and could plausibly be marked as "possible SYN flood" or such.
The VPN interface comes up later when the VPN is set up, and maybe the IDS product fails to notice the new interface, and does not start to look at outgoing packets on it. On the other installation, maybe the IDS gets the new interface, if the IDS starts up after the VPN is connected (start-up order at reboot may be different). Note that this is just speculation, based on the described symptoms.
The NAT + firewall setup on the VPN gateway does not permit any incoming connections from the Internet to the VPN clients. If you can see that the "SYN flood" warnings are for web sites you visit (and some others for web services used by other applications, or referred by those web sites for loading advertisements and such), it'd be quite clear that the IDS is malfunctioning.
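As an added illustration of the mechanism speculated about in the reply above (this is example code written for this thread, not Kaspersky's or F-Secure's): a toy stateful SYN-flood heuristic that records outbound SYNs only on the interfaces it knows about but inspects every inbound SYN-ACK. The interface names, client and server addresses and the alert threshold are all assumed for the example.

```python
from collections import defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class Packet:
    iface: str    # interface the packet was observed on
    src: str
    sport: int
    dst: str
    dport: int
    syn: bool
    ack: bool


def flag_syn_flood_sources(packets, watched_outbound_ifaces, threshold=3):
    """Return {peer_ip: count} for peers that sent >= threshold SYN-ACKs for
    which no matching outbound SYN was recorded. Outbound SYNs are recorded
    only on interfaces in watched_outbound_ifaces; inbound SYN-ACKs are
    inspected regardless, like an IDS that never attached to the VPN interface."""
    pending = set()               # (local_ip, local_port, peer_ip, peer_port)
    unsolicited = defaultdict(int)
    for p in packets:
        if p.syn and not p.ack:   # outbound SYN from this host
            if p.iface in watched_outbound_ifaces:
                pending.add((p.src, p.sport, p.dst, p.dport))
        elif p.syn and p.ack:     # SYN-ACK from a remote peer
            key = (p.dst, p.dport, p.src, p.sport)
            if key in pending:
                pending.discard(key)          # expected reply, not suspicious
            else:
                unsolicited[p.src] += 1       # looks like a half-open attack
    return {ip: n for ip, n in unsolicited.items() if n >= threshold}


def browsing_session(vpn_iface="freedome0", client="10.8.0.2"):
    """Constructed traffic: three HTTPS connections to each of two web servers
    (RFC 5737 documentation addresses), every SYN answered on the VPN interface."""
    packets, port = [], 49152
    for server in ("203.0.113.10", "198.51.100.25"):
        for _ in range(3):
            packets.append(Packet(vpn_iface, client, port, server, 443, True, False))
            packets.append(Packet(vpn_iface, server, 443, client, port, True, True))
            port += 1
    return packets


# IDS that only knows the pre-VPN interface: every web server gets flagged.
stale_alerts = flag_syn_flood_sources(browsing_session(), {"eth0"})
# IDS that picked up the VPN interface: the same traffic raises no alert.
fixed_alerts = flag_syn_flood_sources(browsing_session(), {"eth0", "freedome0"})
```

The flagged addresses in the stale case are exactly the web servers the client visited, which is the check the reply suggests for confirming an IDS malfunction rather than an attack.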