"detected WAN Ping attack from xxx.xxx.xxx.xxx"
"detected WAN Ping attack from xxx.xxx.xxx.xxx"
I have Omada SDN 5.9.31.
Is there anything else I should do like changing the setting inside Setting > Network Security? The settings are Default from installation.
5 different IPs attack from WAN.
UPDATE on 2023-10-31:
New spamming IPs other than the original post IP addresses.
These random IPs now are from 159.138.0.1/23 and 101.44.0.1/23 and 47.236.0.1/23. They are from Huawei HongKong Clouds, HUAWEI CLOUDS and Alibaba Cloud LLC. I guess someone on my network is using Chinese techs.
So I had update my Public IP and these IP address list to block these IPs from WAN constantly.
- Copy Link
- Subscribe
- Bookmark
- Report Inappropriate Content
Hi @YuukiA
WAN IN ACL, use network group for directions. SRC is the U.S IP range and DST your WAN IP. Will it block that? No more logs?
- Copy Link
- Report Inappropriate Content
Are the IP addresses internal or external?
Example, internal Class C, 192.168.1.XXX.
I have many sites with many routers setup now. Most get this message, but with public IP's. I have 2 sites setting behind ATT modems that can't do true bridging. They do get public IPs and proper NAT. But I see many of these alerts, with the private IP of the modem.
detected WAN Ping attack from 192.168.0.254 ( 0.254 is the IP of the ATT modem ).
So, I'm just wondering if all your "from " IPs are publics or if some are internal.
- Copy Link
- Report Inappropriate Content
- Copy Link
- Report Inappropriate Content
Hi @YuukiA
Thanks for posting in our business forum.
Does this have a negative effect on your network? If yes, then you should consider adding an ACL rule to block them.
Have you tried to pinpoint the source of these IP addresses? Known or unknown? Geo IP of them?
What I can tell is that someone tried to ping you, or attack you by flooding with ping. Could be DDOS.
The router itself can identify and block them. Unless there is a serious and negative effect on your network, you don't have to worry too much.
If you have port forwarding rules, you probably should set up authentication for your services.
Common network attack would be ping first, and, next, scan ports, and if the port is open and without any security, there is a danger that they break in your network and pose a threat.
- Copy Link
- Report Inappropriate Content
> Does this have a negative effect on your network?
Not really sure yet. But this morning at 7 AM, my ER605 v2 is completed disconnected on the system. I did not realize this until 7 PM. I rebooted the entire system from router, switch, raspberry pi, etc. And another WAN Ping attack (around 7:36 PM) is logged in my event from another unknown IP address.
---
> If yes, then you should consider adding an ACL rule to block them.
Working on now. Looking for a guide on this right now.
> Have you tried to pinpoint the source of these IP addresses? Known or unknown? Geo IP of them?
All came from Amazon and U.S based country.
> If you have port forwarding rules, you probably should set up authentication for your services.
I do not have port forwarding on this network.
- Copy Link
- Report Inappropriate Content
Hi @YuukiA
WAN IN ACL, use network group for directions. SRC is the U.S IP range and DST your WAN IP. Will it block that? No more logs?
- Copy Link
- Report Inappropriate Content
> WAN IN ACL, use network group for directions. SRC is the U.S IP range and DST your WAN IP. Will it block that? No more logs?
So in Network Security > ACL > Gateway ACL
Here are what I have selected.
Testing IP here is one of the WAN ping attacked - `52.39.209.232`
Source | IP-Group | `52.39.209.232`
Destination | IP-Group | Not really what you mean by WAN IP (my public IP) or Gateway Management Page...
I have over 25 unique IP address attacks so I know to put those IP in the Source.
Please check if this is the proper config for this.
- Copy Link
- Report Inappropriate Content
Hi @YuukiA
Yup. So, your WAN IP is a public one. So you can create a group for it and set it to DST. And then you can monitor in the next few days to see what happens.
- Copy Link
- Report Inappropriate Content
Update: I can't tell if they stopped the attacks or my ISP moved the public IP so they attacked another WAN IP, instead of just my current WAN IP.
I couldn't tell if the Gateway ACL is working as intended. Thanks for the help.
- Copy Link
- Report Inappropriate Content
I am curious why the feature "Stop ping from WAN" (in Network Security>Attack Defense>Packet Anomaly Defense) didn't work or wasn't recommended. Also, what would you use for that ACL rule DST if the WAN IP isn't static?
- Copy Link
- Report Inappropriate Content
terapico wrote
I am curious why the feature "Stop ping from WAN" (in Network Security>Attack Defense>Packet Anomaly Defense) didn't work or wasn't recommended. Also, what would you use for that ACL rule DST if the WAN IP isn't static?
block ping from wan is blocking all ping with/without any load. sometimes, you wanna test if your router is online or available on the internet, so you don't want it to be un-ping-able.
if you enable block large ping, it blocks ping with large loads.
https://community.tp-link.com/en/business/forum/topic/618780
does you isp often change your ip address to a different subnet? yo can probably set it up your isp subnet as dst.
- Copy Link
- Report Inappropriate Content
Information
Helpful: 2
Views: 8057
Replies: 12