Router Omada Detected TCP SYN packets attack and dropped xxx packets every 10 minutes, 24/7
This thread has been locked for further replies. You can start a new thread to share your ideas or ask questions.Router Omada Detected TCP SYN packets attack and dropped xxx packets every 10 minutes, 24/7
This thread has been locked for further replies. You can start a new thread to share your ideas or ask questions.
I have a system consisting of an ER605 router, a TL-SG2008 switch and an EAP610 AP, all with an omada controller software version 5.12.7, and every 10 minutes I receive a notification: "Router Omada Detected TCP SYN packets attack and dropped xxx packages." How can I solve this problem?
- Copy Link
- Subscribe
- Bookmark
- Report Inappropriate Content
@Sadiqus I have ER605 v2 and I just "upgraded" from 2.1.2 to 2.2.3 and now I have the same issue, Router Detected TCP SYN packets attack and dropped xxx packets every 10 minutes.
At least it seems to have fixed the "ping attacks" from all of my Ring cameras. I step forward, 2 steps back.
- Copy Link
- Report Inappropriate Content
@Clive_A I've also had the same alerts since updating my router firmware. Router is ER7206 V1 firmware 1.4.0, and I'm not running any external servers but do have DynDNS. I've turned off TCP SYN Flood attack detection, and have tried it on with the threshold at 1000, with no change in detection. The alerts started exactly 10 minutes after the firmware update. These are very unlikely real attacks, as it has been going for weeks. Is there a way to release the WAN address with the ISP DHCP to force a new IP address? This might help identify if there are actual attacks to the IP address.
- Copy Link
- Report Inappropriate Content
JoeSea wrote
@Clive_A I've also had the same alerts since updating my router firmware. Router is ER7206 V1 firmware 1.4.0, and I'm not running any external servers but do have DynDNS. I've turned off TCP SYN Flood attack detection, and have tried it on with the threshold at 1000, with no change in detection. The alerts started exactly 10 minutes after the firmware update. These are very unlikely real attacks, as it has been going for weeks. Is there a way to release the WAN address with the ISP DHCP to force a new IP address? This might help identify if there are actual attacks to the IP address.
So I accidentally closed the tab where I had typed a lot. I will not go in detail about this.
So you look for solutions, you got two. Either turn off the notification on the log but it still happens. Or you can Wireshark to find out. That are the two solutions for this thread.
I have explained this but no one seems to listen. This indeed might be a false alarm. No one cares to learn about the reason behind. I hope to see people improve their troubleshooting and network skills from the forum but they just ask and wait for the answers.
When we don't have this feature before, they ask for it because it looks pro. When we add it, they panic and freak out for answers. The system should record what happened for debug or troubleshooting and it is the reason why we add more and more features and minor details to enhance the system overall.
We renew the IP if it is time to renew. There is no option to guarantee a new IP yet. You might reboot so it requests a new IP address or you manually disconnect and connect from the web UI.
If the ISP still assigns the same IP to you, you should feel lucky. People ask for static IP even if they use dynamic IP as the connection type.
- Copy Link
- Report Inappropriate Content
To anyone who's looking at this,
To fix this issue, set the Block TCP scan with RST disabled.
- Copy Link
- Report Inappropriate Content
Clive_A wrote
To anyone who's looking at this,
To fix this issue, set the Block TCP scan with RST disabled.
Aparently it's a good solution.
- Copy Link
- Report Inappropriate Content
Appart from the SYN attacks keep coming.
edit: no it works, still would like to now what caused it though .
- Copy Link
- Report Inappropriate Content
Aparently
What is TCP scan with RST? TCP Connect Scan
If the port is open, the target will send back a TCP SYN-ACK packet, indicating a willingness to establish a connection. The scanner then sends a TCP RST packet to close the connection. If the port is closed, the target will send back a TCP RST packet, indicating a refusal to connect.
What caused....?! I don't know, maybe in the fluture we get an answer!
- Copy Link
- Report Inappropriate Content
Information
Helpful: 3
Views: 7738
Replies: 17
Voters 2
