Freedome for Windows beta: Kaspersky intrusion detection denial-of-service warnings when connected

When connected to Finland via the Windows beta version of Freedome, the Kaspersky intrusion detection system logs a warning every few seconds that a (seemingly random) IP address tried to SYN-flood my PC.

Is that somehow related to F-Secure Freedome, or is the VPN itself being attacked by SYN floods and redirecting them to the connected users?

Best Answer

  • HessuH Posts: 24
    Accepted Answer

    If the IDS product really marks every IP you surf through the VPN as "possible SYN-flood", I'd diagnose that as a bug in the IDS product.


    It's probably not seeing your outgoing TCP SYN packets on the VPN interface, but it is seeing the TCP SYN ACK packets coming back from the servers you're surfing to. Those packets would then be unexpected (not responses to the TCP SYN packets sent by your computer), and could be plausibly marked as "possible SYN flood" or such.


    The VPN interface comes up later when the VPN is set up, and maybe the IDS product fails to notice the new interface, and does not start to look at outgoing packets on it. On the other installation, maybe the IDS gets the new interface, if the IDS starts up after the VPN is connected (start-up order at reboot may be different). Note that this is just speculation, based on the described symptoms.


    The NAT + firewall setup on the VPN gateway does not permit any incoming connections from the Internet to the VPN clients. If you can see that the "SYN flood" warnings are for web sites you visit (and some others for web services used by other applications, or referred by those web sites for loading advertisements and such), it'd be quite clear that the IDS is malfunctioning.
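The mechanism described in this answer (an IDS that misses the outgoing SYNs on a late-appearing VPN interface but still sees the returning SYN-ACKs) can be modelled in a few lines. The following is an added example, not code from Kaspersky, F-Secure or anyone in this thread; the packet records, the interface names "eth0" and "tun0", the addresses and the notion of per-interface "hooks" are all constructed assumptions. It runs the same browsing traffic through a toy stateful IDS twice: once with the tunnel's outbound path unobserved (every visited site is reported as an "attacker") and once with both directions observed (no alerts), and applies the sanity check suggested above, that alerts naming only sites the user visited point at the IDS rather than at an attack.

```python
"""Toy model of an IDS that raises a "possible SYN flood" alert when it sees an
incoming TCP SYN-ACK with no matching outgoing SYN.

Added example, not code from Kaspersky, F-Secure or this thread.  The packet
records, interface names ("eth0", "tun0"), addresses and the hook sets are
constructed for illustration.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Pkt:
    iface: str       # interface the packet traversed
    direction: str   # "out" (host -> network) or "in" (network -> host)
    src: str
    sport: int
    dst: str
    dport: int
    flags: str       # "S" = SYN, "SA" = SYN-ACK


def detect(packets, hooks):
    """Run a simplified stateful IDS over packets.

    `hooks` is the set of (iface, direction) pairs the IDS actually observes.
    Outgoing SYNs on observed hooks are remembered by 4-tuple; an observed
    incoming SYN-ACK that matches none of them is reported as unsolicited,
    which is the condition a SYN-flood signature keys on.
    Returns a list of (remote_ip, reason) alerts.
    """
    pending = set()
    alerts = []
    for p in packets:
        if (p.iface, p.direction) not in hooks:
            continue  # blind spot: the IDS never sees this packet
        if p.direction == "out" and p.flags == "S":
            pending.add((p.src, p.sport, p.dst, p.dport))
        elif p.direction == "in" and p.flags == "SA":
            key = (p.dst, p.dport, p.src, p.sport)  # the SYN this answers
            if key in pending:
                pending.discard(key)  # normal handshake, nothing to report
            else:
                alerts.append((p.src, "unsolicited SYN-ACK"))
    return alerts


def browse(iface, client_ip, servers):
    """Constructed traffic: one SYN / SYN-ACK pair per visited server."""
    pkts = []
    for i, server in enumerate(servers):
        sport = 40000 + i
        pkts.append(Pkt(iface, "out", client_ip, sport, server, 443, "S"))
        pkts.append(Pkt(iface, "in", server, 443, client_ip, sport, "SA"))
    return pkts


# Constructed sample: the client browses three sites through the tunnel.
VISITED = ["203.0.113.10", "203.0.113.20", "198.51.100.7"]
VPN_TRAFFIC = browse("tun0", "10.8.0.2", VISITED)

# Hypothesis from the answer above: the IDS hooked the tunnel's inbound
# path but never registered its outbound path, so it misses the SYNs.
HALF_HOOKED = {("eth0", "out"), ("eth0", "in"), ("tun0", "in")}
# After a reboot in the right order the IDS sees both directions.
FULLY_HOOKED = HALF_HOOKED | {("tun0", "out")}


def alerts_when_half_hooked():
    return detect(VPN_TRAFFIC, HALF_HOOKED)


def alerts_when_fully_hooked():
    return detect(VPN_TRAFFIC, FULLY_HOOKED)


def looks_like_ids_malfunction(alerts, visited):
    """The sanity check suggested above: if every "attacker" is a site the
    user deliberately connected to, the alerts come from the IDS's own blind
    spot, not from an attack arriving through the NATed VPN gateway."""
    return bool(alerts) and all(ip in visited for ip, _ in alerts)


if __name__ == "__main__":
    for name, fn in (("half-hooked", alerts_when_half_hooked),
                     ("fully hooked", alerts_when_fully_hooked)):
        a = fn()
        print(f"{name}: {len(a)} alert(s); malfunction pattern: "
              f"{looks_like_ids_malfunction(a, VISITED)}")
```

The practical use of the check is to compare the "attacker" addresses in the IDS log against the sites and services the machine was actually talking to at those timestamps; a one-to-one match with your own browsing is the signature of the blind spot, whereas a real flood would not be limited to addresses you chose to contact.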


  • HessuH Posts: 24

    Because the VPN gateway acts as a NAT firewall, any SYN floods (or other connection attempts) from the outside won't be coming in via the VPN.


    But maybe some packets related to your own connections are somehow visible to the IDS software in a way that gets it confused. Could you send its log file, showing those packets, to [email protected]? It would be interesting to take a look at what is going on.

  • Inaktiv	res_0002 Mod Manager.exe//? 	06.12.2014 18:25:03	not-a-virus:AdWare.MSIL.Kranet.qz	
    Inaktiv 	06.12.2014 13:18:31	DoS.Generic.SYNFlood	
    Inaktiv 	06.12.2014 13:18:22	DoS.Generic.SYNFlood	
    Inaktiv 	06.12.2014 13:18:17	DoS.Generic.SYNFlood	
    Inaktiv 	06.12.2014 13:17:57	DoS.Generic.SYNFlood	
    Inaktiv 	06.12.2014 13:17:51	DoS.Generic.SYNFlood	
    Inaktiv 	06.12.2014 13:17:47	DoS.Generic.SYNFlood	
    Inaktiv 	06.12.2014 13:17:35	DoS.Generic.SYNFlood	
    Inaktiv 	06.12.2014 13:17:32	DoS.Generic.SYNFlood	
    Inaktiv 	06.12.2014 13:17:13	DoS.Generic.SYNFlood	
    Inaktiv 	06.12.2014 13:16:21	DoS.Generic.SYNFlood	
    Inaktiv 	06.12.2014 13:16:01	DoS.Generic.SYNFlood	
    Inaktiv 	06.12.2014 13:14:32	DoS.Generic.SYNFlood	
    Inaktiv 	06.12.2014 13:14:30	DoS.Generic.SYNFlood	
    Inaktiv 	06.12.2014 13:13:48	DoS.Generic.SYNFlood	
    Inaktiv 	06.12.2014 13:13:37	DoS.Generic.SYNFlood	
    Inaktiv 	06.12.2014 13:13:32	DoS.Generic.SYNFlood	

    Log as screenshot:


    Those are all the AV and firewall log entries from Kaspersky for that date. All the SYN-flood logs came while connected to Freedome (to Finland) and stopped when not connected. Today (and some days before) I have had no problems when using it. So I think those could be false positives.


    The first log entry is a blocked web download due to adware, which was logged before connecting to Finland.

  • Chrissy Posts: 439
    Hi cheaty!

    Just a quick note to let you know our spam detector had misidentified your last post as spam, and I've just released it... apologies for that!

    @HessuH could you please follow up when you get a chance? :)
  • I recognized that behaviour only after installing the Freedome beta: if it runs directly after installation and connects, Kaspersky logs DoS SYN attacks; if the system is rebooted and (in my case) Freedome connects automatically at boot, Kaspersky doesn't log SYN attacks...

  • A user from the forum came to me via direct message with the theory that Kaspersky could recognize unusual traffic to one IP over one port...

    If Freedome works by binding all traffic to one IP and port (the one of the VPN server), the Kaspersky SYN-flood messages could really be false positives.

    In another installation on a laptop the Kaspersky messages persist after a reboot; on other systems a reboot helped, so that Kaspersky doesn't mark every IP I surf through the VPN as "possible SYN-flood"...
