kernel: TCP: Possible SYN flooding

[wyliec2]

This morning I logged onto my AC88U and it took a while to get into it. Once in, both CPUs were pegged at 100% and the System Log was full of these messages:

kernel: TCP: Possible SYN flooding on port 56293. Sending cookies.

I rebooted and it seems to be back to normal however I am still seeing bursts of the same message but with a different port number. They are not continuous but come in bursts of 10 or so.

I'm also seeing these messages too:

kernel: net_ratelimit: 7 callbacks suppressed

The number after net_ratelimit: is changing - 7, 10, 14, 11, etc.

Adding on Edit:
I'm running 384.13 and Diversion ad blocker
These messages are coming on exactly 1 minute intervals since I rebooted:
10:17:25
10:18:25
10:19:25
10:20:25
...
Any suggestions would be greatly appreciated.

TIA,
Wyatt

 

[ColinTaylor]

Are you doing anything that might require a very high number of incoming TCP connections, like running BitTorrent?

Look at the router's System Log -> Connections page to determine what is using that port.

 

[wyliec2]

Are you doing anything that might require a very high number of incoming TCP connections, like running BitTorrent?

Look at the router's System Log -> Connections page to determine what is using that port.

No BitTorrent or anything like that. I have a large number of 'smart home' devices - lights, plugs, thermostats, etc.

The port number in the message does not show up in the Connections page - I refreshed multiple times to see if it would show up but it never did.

Is there any way to track it down logging on to the router with a command line command??

Thanks for your reply and suggestions!!
Wyatt

 

[ColinTaylor]

Try looking at Network Tools > Netstat > Method=Netstat, Option=TCP sockets, Resolve name=No

If you still can't see it try changing the "Option" setting.

 

[wyliec2]

Try looking at Network Tools > Netstat > Method=Netstat, Option=TCP sockets, Resolve name=No

If you still can't see it try changing the "Option" setting.

OK, that command worked - I can see 4 different IP addresses associated with the port number 38071 which is flagged with the flooding message.

I was unplugging chunks of my network to see what impacted the messages. I have an AC3100 I'm using as an access point (nothing wired into it) and when I unplugged it, the messages stopped.

I plugged it back in and the messages resumed. I turned off the 2.4 Ghz radio and the messages stopped. I presume I can ignore the hardwired IP addresses associated with port 38071 since it seems the issue is with a device on the 2.4 Ghz network on the AC3100 (the 2.4 Ghz networks on the AC88U and AC3100 are separate SSIDs).

Thanks for your help - my network expertise doesn't go a lot deeper than ipconfig and tracert!!! I don't understand why there are 4 different IPs associated with the one port number....
Wyatt