Freedome for Windows beta: Kaspersky intrusion detection denial-of-service warnings when connected

When connected to Finland via the Windows beta version of Freedome, Kaspersky's intrusion detection system logs a warning every few seconds that a (seemingly random) IP address tried to SYN-flood my PC.

Is that somehow related to F-Secure Freedome, or is the VPN itself being attacked by SYN floods and redirecting them to the connected users?

Comments

  • HessuH Posts: 24

    Because the VPN gateway acts as a NAT firewall, any SYN floods (or other connection attempts) from the outside won't be coming in via the VPN.
    But maybe some packets related to your own connections are somehow visible to the IDS software in a way that gets it confused. Could you send its log file, showing those packets, to [email protected]? It would be interesting to take a look at what is going on.

  • Inaktiv	res_0002	http://skuld.modthesims2.com/files/9/0/1/2/5/2/7/MTS_Raxdiam_1465166_TS4ModManager1.3.1.zip//TS4 Mod Manager.exe//? 	06.12.2014 18:25:03	not-a-virus:AdWare.MSIL.Kranet.qz	
    Inaktiv	173.194.112.24	173.194.112.24? 	06.12.2014 13:18:31	DoS.Generic.SYNFlood	
    Inaktiv	27.111.185.138	27.111.185.138? 	06.12.2014 13:18:22	DoS.Generic.SYNFlood	
    Inaktiv	134.170.189.4	134.170.189.4? 	06.12.2014 13:18:17	DoS.Generic.SYNFlood	
    Inaktiv	173.194.32.222	173.194.32.222? 	06.12.2014 13:17:57	DoS.Generic.SYNFlood	
    Inaktiv	88.198.27.50	88.198.27.50? 	06.12.2014 13:17:51	DoS.Generic.SYNFlood	
    Inaktiv	66.175.208.148	66.175.208.148? 	06.12.2014 13:17:47	DoS.Generic.SYNFlood	
    Inaktiv	134.170.120.152	134.170.120.152? 	06.12.2014 13:17:35	DoS.Generic.SYNFlood	
    Inaktiv	54.230.98.107	54.230.98.107? 	06.12.2014 13:17:32	DoS.Generic.SYNFlood	
    Inaktiv	134.170.51.253	134.170.51.253? 	06.12.2014 13:17:13	DoS.Generic.SYNFlood	
    Inaktiv	72.14.247.65	72.14.247.65? 	06.12.2014 13:16:21	DoS.Generic.SYNFlood	
    Inaktiv	108.162.232.204	108.162.232.204? 	06.12.2014 13:16:01	DoS.Generic.SYNFlood	
    Inaktiv	23.235.43.175	23.235.43.175? 	06.12.2014 13:14:32	DoS.Generic.SYNFlood	
    Inaktiv	174.142.193.61	174.142.193.61? 	06.12.2014 13:14:30	DoS.Generic.SYNFlood	
    Inaktiv	80.239.216.128	80.239.216.128? 	06.12.2014 13:13:48	DoS.Generic.SYNFlood	
    Inaktiv	69.171.237.20	69.171.237.20? 	06.12.2014 13:13:37	DoS.Generic.SYNFlood	
    Inaktiv	54.231.14.225	54.231.14.225? 	06.12.2014 13:13:32	DoS.Generic.SYNFlood	

    Log as screenshot: http://prntscr.com/5fnncz
    Those are all the AV and firewall log entries from Kaspersky for that date. All the SYN flood logs came while connected to Freedome (to Finland) and stopped when not connected. Today (and some days before) I have no problems when using it. So I think those could be false positives.
    The first log entry is a blocked web download due to adware, which was logged before connecting to Finland.

  • Chrissy Posts: 438
    Hi cheaty!

    Just a quick note to let you know our spam detector had misidentified your last post as spam, and I've just released it... apologies for that!

    @HessuH could you please follow up when you get a chance? :)
  • cheaty
    I recognized that behaviour only after installing the Freedome beta: if it runs directly after installation and connects, Kaspersky logs DoS SYN attacks; if the system is rebooted and (in my case) Freedome connects automatically at boot, Kaspersky doesn't log SYN attacks...

  • A user from the forum came to me via direct message with the theory that Kaspersky could be recognizing unusual traffic to one IP over one port...

    If Freedome works by binding all traffic to one IP and port (the one of the VPN server), then the Kaspersky SYN-flood messages could really be false positives.

    In another installation on a laptop the Kaspersky messages persist after a reboot; on other systems a reboot helped, so that Kaspersky doesn't mark every IP I surf through the VPN as "possible SYN flood"...
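A small triage script for a Kaspersky export like the one posted above, added here as an example that is not part of the thread or of either product: it parses the tab-separated lines and checks whether the SYN-flood hits show the pattern the posts describe (many distinct IPs, one hit each, packed into one VPN session) rather than repeated hits from a single source, which is what a real flood would look like. The sample lines are constructed with documentation addresses, and the column order is assumed from the posted export.

```python
from collections import defaultdict
from datetime import datetime

# Constructed sample in the same tab-separated layout as the export in the
# thread (status, object, object detail, time, detection); addresses and
# times are made up for this example.
SAMPLE_LOG = """\
Inaktiv\tres_0002\thttp://example.invalid/x.zip//x.exe//?\t06.12.2014 18:25:03\tnot-a-virus:AdWare.MSIL.Kranet.qz
Inaktiv\t203.0.113.24\t203.0.113.24? \t06.12.2014 13:18:31\tDoS.Generic.SYNFlood
Inaktiv\t198.51.100.7\t198.51.100.7? \t06.12.2014 13:18:22\tDoS.Generic.SYNFlood
Inaktiv\t203.0.113.9\t203.0.113.9? \t06.12.2014 13:17:57\tDoS.Generic.SYNFlood
Inaktiv\t192.0.2.44\t192.0.2.44? \t06.12.2014 13:13:32\tDoS.Generic.SYNFlood
"""


def parse_log(text):
    """Split each non-empty line into its five tab-separated fields."""
    rows = []
    for line in text.splitlines():
        fields = [f.strip() for f in line.split("\t")]
        if len(fields) < 5:
            continue  # blank or truncated line
        status, obj, _detail, when, detection = fields[:5]
        rows.append({
            "status": status,
            "object": obj,
            "time": datetime.strptime(when, "%d.%m.%Y %H:%M:%S"),
            "detection": detection,
        })
    return rows


def triage(rows, detection="DoS.Generic.SYNFlood"):
    """Summarise the hits for one detection name.

    A genuine SYN flood shows one or a few sources hitting the host
    repeatedly; many distinct sources with a single hit each, inside a
    short window, matches the thread's 'own browsing through the VPN'
    explanation and is reported as a likely false positive.
    """
    hits = [r for r in rows if r["detection"] == detection]
    per_source = defaultdict(int)
    for r in hits:
        per_source[r["object"]] += 1
    times = sorted(r["time"] for r in hits)
    span = (times[-1] - times[0]).total_seconds() if times else 0.0
    peak = max(per_source.values(), default=0)
    return {
        "hits": len(hits),
        "distinct_sources": len(per_source),
        "max_hits_per_source": peak,
        "span_seconds": span,
        "looks_like_false_positive": len(hits) >= 3 and peak == 1,
    }
```

Feed it the real export (`triage(parse_log(open("report.txt").read()))`) and compare the summary against the VPN session times; a source that recurs many times is worth a second look, a spread of single hits is not.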

This discussion has been closed.