Possible SYN flooding

[cdikland]

My system log lately has been filling with the following entries:

kernel: TCP: Possible SYN flooding on port 43875. Sending cookies

When I google this text many pages suggest this maybe be some malicous activity (DOS) but I cant understand any of the suggestions on how do go about determining the source and/or fixing this problem. I hoping soneone here can provide me with some clear instructions

My router is an AC68U running Merlin FW 384.8.2

 

[EmeraldDeer]

I have no experience with this, but the first thing I would do is go to Network Tools --> Netstat and run a netstat when the kernel message occurs. Look for entries with a state status like "SYN". Note the source and destination addresses and maybe even the program name.

 

[cdikland]

Making some progress although no sure of my findings. Running netstat I could not find any entry containing SYN but lots of entries with the same port number as in flooding on port n . Each entry pointed to two ip addresses on my wifi which belonged to 2 Wemo Mini Plugs. I disconnected them and havent seen the SYN log entry for nearly an hour. I'll wait an other hour or two and plug them back into see if the messages re-appear.

The things I dont understand is, I have had these two plugs for well over 1 year and the issue appears to only surfaced in the last few week. Besides these plugs I have about 15 other types of wemo sockets and switches. None of them appear to be generating these SYN log entries.

It also appears that sometime after when this SYN messages appear my download speed is cut by 1/3. This reduction is consistent each time (i.e Normal download=270mb, After SYN=90) A reboot of the modem (& router) almost always resolves the problem albeit temporarily.