Upload speed dead

Sufer

Distinguished
Nov 17, 2009
4
0
18,510
I have a Zyxel 2606 modem/router. To that router I have connected a Cisco 160N. I reset the Zyxel and then after a few days the upload speed completely dies. Download speed remains at 12mbs. If I reset the Zyxel the problem is solved for two days. Another solution is to take out the Cisco, and then the upload speed is also OK. However, I need the Cisco as I need the extra wireless range. Anybody have any ideas what is going on?
 

ntadmin101

Distinguished
Nov 13, 2009
58
0
18,640



Just a stab in the dark, but it sounds like the Cisco is stepping on the Zyxel. Can you toss a hub between the Cisco and Zyxel, then plug another machine into the hub and use a packet sniffer to see if it's flooding the Zyxel? Also, is the upload speed dead for two days when connected directly to the Zyxel, or the wireless, or both? If you want to post a link to the online manual of both devices, I'll look through them to see if there is anything that jumps out at me.
 

Sufer

ntadmin,
I was looking through the log on the Zyxel and saw that it is registering SYN FLOOD TCP ATTACK. I am definitely not a network expert but have tried googling but could not really get info on how to avoid it. I am certain I do not have a virus.

11/17/2009 14:00:06 VoIP Call Start Ph[1] -> xxxxxxxxxxxxTraffic Log
48 11/17/2009 13:50:49 syn flood TCP 192.168.1.35:49289 167.202.214.30:80 ATTACK
49 11/17/2009 13:30:21 syn flood TCP 192.168.1.36:53092 76.13.62.84:80 ATTACK
50 11/17/2009 13:30:21 syn flood TCP 192.168.1.36:53090 76.13.62.84:80 ATTACK
51 11/17/2009 13:30:21 syn flood TCP 192.168.1.36:53088 76.13.62.84:80 ATTACK
52 11/17/2009 13:30:21 syn flood TCP 192.168.1.36:53087 76.13.62.84:80 ATTACK
53 11/17/2009 13:19:18 VoIP Call End Phone[1] Traffic Log
54 11/17/2009 13:19:01 VoIP Call Established Ph[1] <- xxxxxxxxxxxxTraffic Log
55 11/17/2009 13:18:53 VoIP Call Start from SIP[2] Traffic Log
56 11/17/2009 12:56:14 VoIP Call End Phone[1] Traffic Log
57 11/17/2009 12:55:57 VoIP Call Established Ph[1] -> xxxxxxxxTraffic Log
58 11/17/2009 12:55:45 VoIP Call Start Ph[1] -> xxxxxxxxTraffic Log
59 11/17/2009 12:53:41 VoIP Call End Phone[1] Traffic Log
60 11/17/2009 12:53:40 VoIP Call Start Ph[1] -> xxxxxxxxxxTraffic Log
61 11/17/2009 12:53:05 VoIP Call End Phone[1] Traffic Log
62 11/17/2009 12:53:04 VoIP Call Start Ph[1] -> xxxxxxxxxxxxTraffic Log
63 11/17/2009 12:05:27 syn flood TCP 192.168.1.36:52143 89.255.60.42:80 ATTACK
64 11/17/2009 12:05:27 syn flood TCP 192.168.1.36:52156 89.255.60.42:80 ATTACK
65 11/17/2009 12:05:27 syn flood TCP 192.168.1.36:52154 89.255.60.42:80 ATTACK
66 11/17/2009 12:05:27 syn flood TCP 192.168.1.36:52152 89.255.60.42:80 ATTACK
67 11/17/2009 12:00:29 syn flood TCP 192.168.1.36:51679 62.221.199.24:443 ATTACK
68 11/17/2009 11:33:54 syn flood TCP 192.168.1.36:50598 217.175.244.140:80 ATTACK
69 11/17/2009 11:33:54 syn flood TCP 192.168.1.36:50595 217.175.244.140:80 ATTACK
70 11/17/2009 11:33:54 syn flood TCP 192.168.1.36:50594 217.175.244.140:80 ATTACK
71 11/17/2009 11:33:54 syn flood TCP 192.168.1.36:50592 217.175.244.140:80 ATTACK
 

ntadmin101

Who on your network is 192.168.1.36? That machine is the origin of those syn flood packets.

Look at this:


49 11/17/2009 13:30:21 syn flood TCP 192.168.1.36:53092 76.13.62.84:80 ATTACK
That machine on your network is trying to attack Yahoo in this log entry.
192.168.1.36 opens up an outbound port of 53092 and sends its data off to a website (port 80) on 76.13.62.84.
Methinks you have a zombie in house, sir.

I need the exact model of that Zyxel, or if you can, provide me a link to the admin guide. I searched their site and came up with nothing.
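
A small triage script for a router log in the format posted above, added here as an example and not written by anyone in this thread: it counts flagged entries per internal host and groups entries that share the same second, source host and destination. The sample lines are copied from the posted log; the function names are made up for this example.

```python
import re
from collections import Counter, defaultdict

# Sample input: a few entries copied from the router log posted in this thread.
SAMPLE_LOG = """\
48 11/17/2009 13:50:49 syn flood TCP 192.168.1.35:49289 167.202.214.30:80 ATTACK
49 11/17/2009 13:30:21 syn flood TCP 192.168.1.36:53092 76.13.62.84:80 ATTACK
50 11/17/2009 13:30:21 syn flood TCP 192.168.1.36:53090 76.13.62.84:80 ATTACK
51 11/17/2009 13:30:21 syn flood TCP 192.168.1.36:53088 76.13.62.84:80 ATTACK
52 11/17/2009 13:30:21 syn flood TCP 192.168.1.36:53087 76.13.62.84:80 ATTACK
53 11/17/2009 13:19:18 VoIP Call End Phone[1] Traffic Log
67 11/17/2009 12:00:29 syn flood TCP 192.168.1.36:51679 62.221.199.24:443 ATTACK
"""

# Fields: index, date, time, "syn flood TCP", src ip:port, dst ip:port, "ATTACK"
ENTRY = re.compile(
    r"^\s*\d+\s+(?P<ts>\d{2}/\d{2}/\d{4} \d{2}:\d{2}:\d{2}) syn flood TCP "
    r"(?P<src>[\d.]+):(?P<sport>\d+) (?P<dst>[\d.]+):(?P<dport>\d+) ATTACK\s*$"
)

def parse(log_text):
    """Return one dict per 'syn flood' entry; other log lines are skipped."""
    events = []
    for line in log_text.splitlines():
        m = ENTRY.match(line)
        if m:
            e = m.groupdict()
            e["sport"], e["dport"] = int(e["sport"]), int(e["dport"])
            events.append(e)
    return events

def per_source(events):
    """Count flagged entries per internal (source) address."""
    return Counter(e["src"] for e in events)

def bursts(events):
    """Distinct source ports per (second, source, destination); groups > 1 only."""
    groups = defaultdict(set)
    for e in events:
        groups[(e["ts"], e["src"], e["dst"], e["dport"])].add(e["sport"])
    return {k: len(v) for k, v in groups.items() if len(v) > 1}

if __name__ == "__main__":
    evs = parse(SAMPLE_LOG)
    for src, n in per_source(evs).most_common():
        print(f"{src}: {n} flagged entries")
    for (ts, src, dst, dport), n in bursts(evs).items():
        print(f"{ts} {src} -> {dst}:{dport}: {n} source ports")
```

Run against the full log, the per-host count shows which internal machine to inspect first, and the grouping shows how many separate connection attempts the router logged in a single second toward one destination.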
 

Sufer

It is the P-2602HW-D1A.

I have just reinstalled Windows 7 and installed the MS Security Essentials instead of Norton Internet Security 2010.

192.168.1.36 is my PC. No problems since I reinstalled yesterday. Will keep you posted.

Regards

Rob
 

Sufer

So I still have the same syn flood TCP attacks after having installed Win 7 again and first using MS Security Essentials and then reinstalling NIS 2010. When I take the Netgear out and go directly to the Zyxel the attacks stop. ?