Recent TCP no-Flag attacks
Recent TCP no-Flag attacks
Starting a few days ago, I have been receiving many, "Router/Gateway detected TCP no-Flag attack and dropped x packets" warnings. Yesterday, I received (33). As of 10:13 today, I've received (15). I don't know where these errors are coming from and do not know why they started recently after many months of no occurrences.
My full list of Omada equipment is in my signature. Any suggestions are welcome.
- Copy Link
- Subscribe
- Bookmark
- Report Inappropriate Content
According to the email I received from support - and as was mentioned earlier in this thread, the router does not currently have the capability to indicate the IP source (internal or external). They, therefore, suggest that we use Wireshark to capture packets to determine the source. To do this, we need to connect a PC to the router and set port mirroring on the router to capture packets. For details, on how to do this we can refer to https://www.tp-link.com/en/support/faq/3235/. They also said that "the mirrored port selects the wan port and the port connected to the router and switch at the same time". That's unclear to me, but I'm sure they'll tell me about that when they respond.
I have been playing with Wireshark, but I'm not very knowledgeable at this point. So, I responded that, according to the linked instructions, it appeared that I needed to do the above with the TL-R605's built-in UI (and not the OC200's). If I read that correctly, I'd have to make the OC200 'forget' the router first. I may have read the instructions incorrectly, but I'm sure they'll let me know about that too.
- Copy Link
- Report Inappropriate Content
Thanks for the detailed answer.
Very complicated indeed.
I'd rather don't want to mess with my working configuration (forget OC200, R605 built-in UI,...)
Some people say not to worry because the firewall does the job but i'm not comfortable with that approach.
It's also rather strange that the same problem occurs at the same moment with different people.
- Copy Link
- Report Inappropriate Content
A quick clarification update: Support responded and it turns out that you do not need to have the OC200 forget the router. The port mirroring needed can be done through the OC200 to the router. However, the PC or laptop with Wireshark loaded on it must be connected directly to an open LAN port on the router.
With that in mind, I'll read the rest of the instructions at https://www.tp-link.com/en/support/faq/3235/ tomorrow.
- Copy Link
- Report Inappropriate Content
- Copy Link
- Report Inappropriate Content
Hi All,
Please follow the post below for the available solution:
Solution to ER605 V1 1.3.0 Firmware Got Many Logs of "TCP no-Flag attack" Issue
- Copy Link
- Report Inappropriate Content
Although it's great that the support engineers found that the issue reported here and elsewhere, is that the log recognition mechanism was changed in version 1.3.0 - and that it will be corrected in the next version of the ER605 firmware, I don't think that temporarily disabling the "Block TCP Scan (Stealth FIN/Xmas/Null)" defense option is a sound resolution. As I understand it, turning this option off defeats the actual defense mechanism and does not just turn off the log warnings. It would then permit any real attacks of this type to be allowed into my system - not at all an optimal solution. So, I will leave my settings as they are and try to ignore the excessive and incorrect warnings until the firmware is fixed. If a beta or pre-release firmware version that addresses this issue safely and correctly is released prior to the next official firmware version, please let me know so that I can more safely address this issue.
- Copy Link
- Report Inappropriate Content
- Copy Link
- Report Inappropriate Content
Information
Helpful: 0
Views: 3508
Replies: 17
Voters 0
No one has voted for it yet.