Network flooded with SYN_SENT traffic this morning origination from cnPilot r200 and 201s

We woke up this morning to “Packet Loss” alarms from our Grafana instance. Internal routers were being overrun with traffic like this:
tcp 6 77 SYN_SENT src= dst= sport=32133 dport=28699 packets=1 bytes=60 [UNREPLIED] src= dst= sport=28699 dport=32133 packets=0 bytes=0 mark=0 use=1
tcp 6 76 SYN_SENT src= dst= sport=5233 dport=60120 packets=1 bytes=52 [UNREPLIED] src= dst= sport=60120 dport=5233 packets=0 bytes=0 mark=0 use=1
tcp 6 67 SYN_SENT src= dst= sport=54620 dport=21803 packets=1 bytes=60 [UNREPLIED] src= dst= sport=21803 dport=54620 packets=0 bytes=0 mark=0 use=1
tcp 6 55 SYN_SENT src= dst= sport=63160 dport=35927 packets=1 bytes=60 [UNREPLIED] src= dst= sport=35927 dport=63160 packets=0 bytes=0 mark=0 use=1
tcp 6 43 SYN_SENT src= dst= sport=30246 dport=65173 packets=2 bytes=120 [UNREPLIED] src= dst= sport=65173 dport=30246 packets=0 bytes=0 mark=0 use=1

Note the odd destination IP addresses. Routers are all running 4.7.1-B3. A reboot of the router stops the broadcast. See attached packet captures from the WAN port and internal ports of a representative router. We have approximately 500 cnPilot routers deployed. This traffic was coming from a small subset (approx. 22) randomly dispersed over our 20 tower sites and includes both r200 and r201.cnPilot Capture (746.1 KB)


Todd Wilson

1 Like

Hi Todd,
We are looking at your ticket. Can you eliminate clients from being the source of the SYN, by disconnecting all LAN & WiFi clients and then doing a packet capture from the WAN side on an affected device?

Also can you share the output of “cat /proc/net/ip_conntrack”.

From the techdump it did not seem that the CPU was too busy. Did you also observe any performance/connectivity problem ?

Are the units protected with safe admin passwords and controlled access from WAN side (limited allowed IPs that can access the device)? In general these would help.

ashutosh (1.9 MB)
trace.cap = capture of router with ongoing issue
trace-2.cap = same router with all wifi and hard-wired devices disconnected
trace-3.cap = same router with all wifi and hard-wired devices disconnected after reboot
cnPilot (24.8 KB)
Engineering file from same.
CPU load on this device was at or near 100%. The devices have a complex password but are configured with Public IP.

An update. Our firm has made the decision to abandon the cnPilot product line. This is due to three major issues that we faced this year: 1) necessity for customers to reboot routers several times per day to make wifi work, 2) 50% and 100% CPU bug, and 3) this botnet.

1 Like