
Network Attack Detected-Solution for DoS.Generic.Flood.TCPSYN



The AK Wombat
Posted

I am running Windows 10 and using Kaspersky Antivirus Ver 21.2.10.391.

Starting on Jan 02, 2023, I have been receiving Network Attack Detected/Blocked notifications from Kaspersky. It is a DoS.Generic.Flood.TCPSYN that has been occurring about every two minutes. It started from one IP address until today, when I restarted my computer; since then it has been coming from two different IP addresses consistently.

Is there a solution to stop this?

Is my computer at risk? I disconnected it from the internet.

Is it possible that this is a false positive?

I have attached a screenshot of the report.

Thanks for the help,

Dustin

Screenshot 2023-01-04 13.14.49.png

Screenshot 2023-01-04 13.14.37.png

  • Solution
Flood and Flood's wife
Posted (edited)

Hello @AK Wombat, Dustin, 

Welcome!

A. 

  1. Kaspersky's generic information about: DOS.GENERIC.FLOOD.TCPSYN.
  2. If the attack comes from your network, possibly from a printer or NAS or similar - Kaspersky Lab can do nothing but block it; Kaspersky support https://support.kaspersky.com/b2c#contacts, can investigate, if required... Noting only Kaspersky Virus Lab experts can analyse & determine false positives. 
  3. In the KAV Network Attack Blocker report, check from which IP address and on which port the request is coming, please - those images are impossible to see.
  4. Read topic: Network attack from printer, by Chris B; it covers quite a lot and may provide some context.
  5. Read the commentary from Moderator @Schulte, in topic: DoS.Generic.Flood.TCPSYN Network Attack, in reply to a question from @sibhow. The topic is in the German language section, use an online translator if required please. 

B. 

Actions to take:

Before doing 1. make sure you have the router / modem password 

  1. Reset Modem / Router. 
  2. Create a new Modem / Router password - create a strong password, use uppercase and lowercase letters, digits, and special characters. 
  3. Post back the IP & port information please? 

Thank you
Flood

Edited by Flood and Flood's wife
Set A -> Modified 5. || clarified 2.
The AK Wombat
Posted

 

Thanks for the response.

After reading your recommended articles, I started suspecting my printer(s).

I have three different printers/scanners connected to my network.  I disconnected all of them and have not had any additional attacks.

I am putting them back online one at a time to find the culprit.

Since the IPs are likely within my network, is it a bad idea to post them publicly?

  • Thanks 1
Flood and Flood's wife
Posted (edited)
1 hour ago, The AK Wombat said:
  • After reading your recommended articles, I started suspecting my printer(s)

I have three different printers/scanners connected to my network.  I disconnected all of them and have not had any additional attacks.

I am putting them back online one at a time to find the culprit.

  1. Since the IPs are likely within my network, is it a bad Idea to post them publicly?

Hello @The AK Wombat

You're most welcome!

Thank you for posting back & the additional information, we're glad to read you're closer to finding the source, well done.

  1. First 6 digits would be useful please? 
  2. And port info please? 
  3. IF, after (your) troubleshooting, you think KAV is misreporting, Export KAV settings, Restore KAV settings, shutdown the computer using Shutdown, not Restart, power on by pressing the power button, login, monitor for the DoS.Generic.Flood.TCPSYN events? 

Thank you
Flood

Edited by Flood and Flood's wife
Added 3.
The AK Wombat
Posted

fe80::6ec2:

fe80::3224:

port 5357

  • Thanks 1
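
The check asked for in this thread (which source address and which port the blocked events come from, and whether that source is on the local network) can be scripted; the following is an added example, not part of the original posts or of any Kaspersky tool. The event list and all addresses in it are constructed sample data, and the function names are hypothetical. It also shows that a link-local IPv6 address built with EUI-64 embeds the device's MAC address, which bears on the question of posting full addresses publicly.

```python
import ipaddress
from collections import Counter

# Ranges that never leave the local site (link-local, RFC 1918, IPv6 ULA).
LOCAL_NETS = [ipaddress.ip_network(n) for n in (
    "fe80::/10", "fc00::/7", "169.254.0.0/16",
    "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

# Constructed sample of (source address, destination port) pairs as they might
# be read off a network-attack report; NOT the addresses from the thread.
SAMPLE_EVENTS = (
    [("fe80::211:22ff:fe33:4455%12", 5357)] * 5
    + [("fe80::1c2d:3e4f:5a6b:7c8d", 5357)] * 3
    + [("203.0.113.5", 443)]
)

def parse(addr):
    """Parse an address, dropping a Windows-style zone suffix such as %12."""
    return ipaddress.ip_address(addr.split("%")[0])

def is_local(addr):
    """True if the source can only be a device on the local network."""
    ip = parse(addr)
    return any(ip.version == net.version and ip in net for net in LOCAL_NETS)

def eui64_mac(addr):
    """Return the MAC embedded in an EUI-64 interface ID, or None."""
    ip = parse(addr)
    if ip.version != 6:
        return None
    iid = ip.packed[8:]                  # low 64 bits = interface identifier
    if iid[3:5] != b"\xff\xfe":          # EUI-64 inserts ff:fe mid-MAC
        return None
    mac = bytes([iid[0] ^ 0x02]) + iid[1:3] + iid[5:]  # undo the flipped U/L bit
    return ":".join(f"{b:02x}" for b in mac)

def summarize(events):
    """Count events per (source, port), most frequent first."""
    counts = Counter((str(parse(src)), port) for src, port in events)
    return [
        {"source": src, "port": port, "events": n,
         "local": is_local(src), "mac": eui64_mac(src)}
        for (src, port), n in counts.most_common()
    ]

if __name__ == "__main__":
    for row in summarize(SAMPLE_EVENTS):
        print(row)
```

A recovered MAC can be matched against the labels or network settings pages of the printers and scanners on the network to identify which device is the source.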
