Is My Laptop DDoSing Me?

Discussion in 'Technologics' started by IainC, Feb 12, 2013.

  1. IainC Your Tour Guide For Los Angeles

    Location:
    Schwarzwald
    I have a weird problem on my home network at present where I lose my DSL connection at frequent intervals. I checked the logs on the router and it appears that there's a SYN FLOOD going on originating from my laptop.

    Here's the setup. I have a wireless router downstairs connected to my DSL line. It's also connected directly to my main PC upstairs via a long cat5 cable. Upstairs is a wireless access point. Generally my MacBook Air is connected wirelessly as well as a small selection of other things such as my phone, my Kindle, visitors' computers etc.

    Here's a chunk of logs:

    The address 192.168.2.100 is the LAN address that is assigned to my laptop. I set up static DHCP rules for most of my stuff to avoid problems.

    So since yesterday I keep getting kicked off anything that requires a consistent connection - online games, chat clients, etc. Whenever I do, the log shows a whole bunch of SYN Flood results like those, always originating from my laptop. I'm not really techy enough to figure out what to do about that; I did some Googling and it appears that it can be a false alarm or it might not be. The laptop is running OSX 10.8.2 and the only thing I can think of that changed recently was that a visitor connected an iPhone and iPad to the network. Neither of those last things is assigned a static network address.
  2. Gnu Elitist Negative Nancy

    What router hardware/software are you using?

    The stateful inspection on a lot of home gateways is often slow and bad to begin with, but figuring out why it's decided to be touchy all of a sudden is gonna be the trick.
    Elyscape likes this.
  3. chequers Oh, Come On

    Location:
    Sydney
    Where are those log entries from? The modem? Check to see if they appear before or after the connection drops.

    On your laptop, leave this command running in a terminal: tcpdump -i en0 -q -n 'tcp[tcpflags] & tcp-syn != 0'
    (where en0 is your internet interface, check 'ifconfig' if unsure)

    The reason this is needed is your modem log paste doesn't explicitly mention how many SYN messages are coming through, so we can't tell if it's an overly-paranoid filter or an actual problem.

    Also make sure your modem's clock is synced to your computer's if you want to try and do correlation between log entries from both sources.
    Elyscape likes this.
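As an added example (not code from anyone in this thread), here is a small script that turns the output of the tcpdump command above into the numbers the router log leaves out: outbound SYNs per second, how many distinct hosts are hit per second, and which destination ports dominate. It assumes the `tcpdump -q -n` line format shown in the comment, a laptop address of 192.168.2.100, and the constructed sample lines embedded below; the 50-SYN/20-host thresholds are illustrative, not a standard.

```python
import re
import sys
from collections import Counter, defaultdict

# One line of `tcpdump -q -n` output looks like (assumed format):
# "16:52:40.100000 IP 192.168.2.100.50001 > 203.0.113.7.443: tcp 0"
LINE_RE = re.compile(
    r"^(?P<time>\d{2}:\d{2}:\d{2})\.\d+ IP "
    r"(?P<src>\d+\.\d+\.\d+\.\d+)\.(?P<sport>\d+) > "
    r"(?P<dst>\d+\.\d+\.\d+\.\d+)\.(?P<dport>\d+): tcp"
)

def parse_line(line):
    """Return (hh:mm:ss, src, dst, dport) or None if the line is not a tcpdump TCP line."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    return m.group("time"), m.group("src"), m.group("dst"), int(m.group("dport"))

def syn_profile(lines, local_ip):
    """Per-second outbound SYN count, distinct destinations per second, and port histogram."""
    per_second, dests, ports = Counter(), defaultdict(set), Counter()
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue
        t, src, dst, dport = rec
        if src != local_ip:
            continue  # the tcp-syn filter also matches inbound SYN-ACK replies; ignore those
        per_second[t] += 1
        dests[t].add(dst)
        ports[dport] += 1
    return per_second, {t: len(d) for t, d in dests.items()}, ports

def looks_like_flood(per_second, distinct_dests, syn_per_sec=50, dest_per_sec=20):
    """A few SYNs to a few hosts is normal browsing even if a home router calls it a flood;
    a sustained high rate or a fan-out to many hosts in one second is worth investigating."""
    return any(per_second[t] >= syn_per_sec or distinct_dests.get(t, 0) >= dest_per_sec
               for t in per_second)

# Constructed sample: a normal second (3 SYNs, 2 hosts, one inbound SYN-ACK) and then a burst
SAMPLE = [
    "16:52:40.100000 IP 192.168.2.100.50001 > 203.0.113.7.443: tcp 0",
    "16:52:40.100500 IP 203.0.113.7.443 > 192.168.2.100.50001: tcp 0",
    "16:52:40.300000 IP 192.168.2.100.50002 > 203.0.113.7.443: tcp 0",
    "16:52:40.800000 IP 192.168.2.100.50003 > 198.51.100.9.80: tcp 0",
] + [f"16:52:41.{i:06d} IP 192.168.2.100.{51000 + i} > 192.0.2.{i + 1}.{80 if i % 2 else 443}: tcp 0"
     for i in range(60)]

if __name__ == "__main__":  # usage: tcpdump ... | python3 synrate.py 192.168.2.100
    ps, dd, pp = syn_profile(sys.stdin if len(sys.argv) > 1 else SAMPLE, sys.argv[1] if len(sys.argv) > 1 else "192.168.2.100")
    for t in sorted(ps):
        print(f"{t}: {ps[t]} SYN to {dd[t]} hosts")
    print("top ports:", pp.most_common(5), "flood-like:", looks_like_flood(ps, dd))
```

Run it against the live capture to see whether the router's "SYN Flood" lines line up with a real burst or with a handful of ordinary connections.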
  4. IainC Your Tour Guide For Los Angeles

    Location:
    Schwarzwald
    The log entries are from the modem/router. It's an Easybox 802 running the latest firmware version (20.02.233).
  5. Guido Jones Worked The System

    Taking a quick nslookup at some of the IPs your machine is trying to connect to, it looks like you're hitting a bunch of DSL/cable IPs in Europe on port 80 and 443 (http and SSL ports). If you weren't using a Mac I'd say you had a virus.
    Elyscape likes this.
  6. Gnu Elitist Negative Nancy

    My only concern is that it's something recent. Most outbound SYN flood detection on consumer hardware is horrible and does more harm than good. And half the time they say "outbound SYN flood" when they just mean "I have more open ports than the firmware limit so I'm just gonna start dumping shit".

    If they weren't mostly going to http ports, I'd almost say it looked like torrent traffic if they're hitting cable IPs.
    Elyscape likes this.
  7. Guido Jones Worked The System

    Yeah Torrent was my first thought as well, but wrong ports.
  8. Ryslin This Is SEWIOUS

    There is a recent Mac virus that came in through Adobe; it was right after the panic with Java. Simple way to see if it's from your Mac: turn it off. Go do things on other connected devices. If you don't have the issue with it off the network, the problem is located on the Mac itself.
    If the problem persists then it is either a connection issue (the DSL line dropping, forcing reconnects; it sometimes can look like a flood, but I don't feel that is the case), or a different device causing panic to the Mac IP.

    My gut feeling is compromised system.
  9. Guido Jones Worked The System

    Here are the hosts you're hitting (or the ones that returned a hostname at least)


    This has got to be a virus trying to spread itself/hit command and control.
    Elyscape likes this.
  10. Gnu Elitist Negative Nancy

    I seriously doubt it. Most of the recent malware is zapped by Xprotect in pretty short order.

    What you're talking about didn't "come in through Adobe", it was a fake OS X Flash installer that was being passed around early last year that dumped a trojan. I can't see Iain downloading Flash from dubious sources, and if he's run an update in the past eight months or so it's not a concern.

    Actually, a lot of people use HTTP ports to get around port blocks. Some of the odder addresses could be overzealous DHT fetching from bad clients. Without seeing more logs it's hard to tell what's going on.
    chequers and Elyscape like this.
  11. IainC Your Tour Guide For Los Angeles

    Location:
    Schwarzwald
    I've had the laptop turned off all afternoon (actually shutdown, not just with the lid closed) and things have been the same. Just before it dropped instead of getting a bunch of SYN Flood messages, I got this:

    02/13/2013 16:52:48 sending ACK to 192.168.2.117
    02/13/2013 16:52:47 sending OFFER to 192.168.2.117
    02/13/2013 16:52:42 sending ACK to 192.168.2.117
    02/13/2013 16:52:40 sending ACK to 192.168.2.117

    That IP is my girlfriend's iPhone.

    I was on a Skype call at the time and the line dropped several times within a few minutes. There were no other log entries however.
  12. Gnu Elitist Negative Nancy

    Those are just DHCP broadcasts, no biggie.

    How do you have your static IPs assigned? Is your router set to assign them via DHCP, or are you just manually setting them on your client machines outside of your router's DHCP range? The fact that this started happening when you had a guest connect devices to your network makes me think this might be a LAN address issue.

    I'm also assuming you've power cycled your network hardware. Also, just for gits and shiggles, disconnect your bridged WAP upstairs and see if anything changes.
    Elyscape likes this.
  13. IainC Your Tour Guide For Los Angeles

    Location:
    Schwarzwald
    The static IPs are assigned by MAC address in the DHCP settings. New things are given random addresses in a range that starts after the last static IP.

    I've restarted the router a bunch of times. I can disconnect the WAP too. I'm shutting down as many things as possible at the moment to narrow down the problem.
    Elyscape likes this.