TCP SYN packets attack
TCP SYN packets attack
I understand this topic has been brought up multiple times re: the "TCP SYN packets attack" reoccurring at 10 minute intervals. I also understand that firmware updates have improved the ability of the device to recognize and report such events. The purpose of my post is to provide information from my attempts to sort out the specific cause of this reporting in my environment.
We have an OC200, ER7206 v1.0, TL-SG2008P v1.0, SG3428 v2.3, EAP115(US) v4.0 and two EAP620 HD(US) v3.0. All firmware current except the EAP620s which are on v1.2.3 (but soon to be on 1.2.5).
We installed Wireshark on a local PC and configured a LAN port on the ER7206 for port mirroring.
The IP address of our OC200 is 10.X.X.80 and the IP address of the Wireshark PC is 10.X.X.81.
Wireshark was setup to filter for "tcp:flags.reset==1".
Screenshots from January 4, 2024, beginning 10:28AM local time, and immediately after clearing all alerts and starting a new capture in Wireshark.
>>Controller Logs - Alerts
>> Wireshark capture
Screenshots from January 4, 2024, at 10:54AM local time.
>>Controller Logs - Alerts
>> Wireshark capture
Assuming I have Wireshark setup correctly for filtering (will readily admit I use it very little), I'm surprised the only packets I see captured are between the OC200 and the Wireshark PC. It also seems to me there is more than a strong correlation between the time of attack detection as reported in the OC200 log as compared to the captured packets at the Wireshark PC.
I turned off the "Block TCP Scan with RST" as suggested in this post: https://community.tp-link.com/en/business/forum/topic/637224?page=1.
And logging of the "attack" stopped while the RST captures continued in Wireshark.
I would certainly welcome any input or feedback.
Thanks!
Carl
- Copy Link
- Subscribe
- Bookmark
- Report Inappropriate Content
Hi @clangren
Thanks for posting in our business forum.
Solution - TCP SYN Packet Attack After the Firmware Upgrade
I don't know if you port mirroring for this. So, I think it is not the same thing that was talked about in the TCP attack.
You are capturing the packets between the OC200 and your PC, what would it relate to the router under attack?
This RST is not your PC checking the router ingress or egress, so that does not make a question because it is wrong in the first place.
RST is also common and when you do a 443 access. It continued and is normal to me.
- Copy Link
- Report Inappropriate Content
Thank you for your response and input, much appreciated.
I am focused on trying to identify what was triggering the logged entries for TCP-SYN "attack".
Based on reading several other posts on the forum (https://community.tp-link.com/en/business/forum/topic/637224; https://community.tp-link.com/en/business/forum/topic/636216; and this new one https://community.tp-link.com/en/business/forum/topic/649386 ) it seems logical to conclude that trapping for RSTs could lead directly to the activity which is triggering the logged "attack".
From your response:
>> I don't know if you port mirroring for this.
>>>> I did have port mirroring configured. The OC200 (on MGMT vlan) was connected directly to the ER7206 on port LAN2 (port 6) with the PVID of my MGMT vlan. The port selected for mirroring was the WAN (port 2) and Mirror Mode was set to Ingress and Egress. I think this propagates a mirror of all WAN packets onto the MGMT vlan. The Wireshark report is from the MGMT vlan and filtered for "tcp:flags.reset==1". If any of those settings are incorrect I would welcome your input for correcting the settings.
>> So, I think it is not the same thing that was talked about in the TCP attack.
>>>> I believe the settings as noted above should capture all RST responses to any incoming packets which were originating from either 1)the WAN or 2)the MGMT vlan.
>> You are capturing the packets between the OC200 and your PC, what would it relate to the router under attack?
>>>> I believe you are saying packets between the OC200 and my PC should not relate to generating a reported log event for the router being under attack and I certainly agree with that assertion.
>>This RST is not your PC checking the router ingress or egress, so that does not make a question because it is wrong in the first place.
>>>> The only RST which were seen by Wireshark were not originating from the WAN. However, if my setup was correct, Wireshark was seeing all RST responses to the WAN or MGMT vlan. The RST seen by Wireshark were between the OC200 and the Wireshark PC, so if those local RST were the only RST which were occurring then they shound not trigger a log entry. As expected, the log entries which were recurring every 10 minutes did stop when RST in Attack Defense was disabled. However, if the only RST which were occurring were internal then turning off reporting for this event just hides the error in reporting.
In any event, it seems better from a security perspective to have the RST response off.
What might be more beneficial from a security perspecitve is to be able to log when the ER7206 would have sent an RST in response to a WAN packet but did not because RST response was diabled in Attack Defense.
Again, thanks for your time and input.
Carl
- Copy Link
- Report Inappropriate Content
Hi @clangren
Thanks for posting in our business forum.
clangren wrote
Thank you for your response and input, much appreciated.
I am focused on trying to identify what was triggering the logged entries for TCP-SYN "attack".
Based on reading several other posts on the forum (https://community.tp-link.com/en/business/forum/topic/637224; https://community.tp-link.com/en/business/forum/topic/636216; and this new one https://community.tp-link.com/en/business/forum/topic/649386 ) it seems logical to conclude that trapping for RSTs could lead directly to the activity which is triggering the logged "attack".
From your response:
>> I don't know if you port mirroring for this.
>>>> I did have port mirroring configured. The OC200 (on MGMT vlan) was connected directly to the ER7206 on port LAN2 (port 6) with the PVID of my MGMT vlan. The port selected for mirroring was the WAN (port 2) and Mirror Mode was set to Ingress and Egress. I think this propagates a mirror of all WAN packets onto the MGMT vlan. The Wireshark report is from the MGMT vlan and filtered for "tcp:flags.reset==1". If any of those settings are incorrect I would welcome your input for correcting the settings.
>> So, I think it is not the same thing that was talked about in the TCP attack.
>>>> I believe the settings as noted above should capture all RST responses to any incoming packets which were originating from either 1)the WAN or 2)the MGMT vlan.
>> You are capturing the packets between the OC200 and your PC, what would it relate to the router under attack?
>>>> I believe you are saying packets between the OC200 and my PC should not relate to generating a reported log event for the router being under attack and I certainly agree with that assertion.
>>This RST is not your PC checking the router ingress or egress, so that does not make a question because it is wrong in the first place.
>>>> The only RST which were seen by Wireshark were not originating from the WAN. However, if my setup was correct, Wireshark was seeing all RST responses to the WAN or MGMT vlan. The RST seen by Wireshark were between the OC200 and the Wireshark PC, so if those local RST were the only RST which were occurring then they shound not trigger a log entry. As expected, the log entries which were recurring every 10 minutes did stop when RST in Attack Defense was disabled. However, if the only RST which were occurring were internal then turning off reporting for this event just hides the error in reporting.
In any event, it seems better from a security perspective to have the RST response off.
What might be more beneficial from a security perspecitve is to be able to log when the ER7206 would have sent an RST in response to a WAN packet but did not because RST response was diabled in Attack Defense.
Again, thanks for your time and input.
Carl
I checked this with the dev and that RST response is off by default. So, it seems that people did not read what it means and just blindly enabled all the defense parameters.
About your suggestion for that log, you might wanna take it to the solution post I replied to earlier and see how others think this.
Most users are not that sophisticated to read and understand what logs mean. In recent firmware upgrades, we have added many features and many are very confused about them. Especially the log system which has been added with some more detailed records.
- Copy Link
- Report Inappropriate Content
Thanks for your reply.
The improvements in logging are certainly appreciated and improve our ability to understand what's going on in our networks.
There is still an open point for which I would like a response. It is highlighted in red below.
>>This RST is not your PC checking the router ingress or egress, so that does not make a question because it is wrong in the first place.
>>>> The only RST which were seen by Wireshark were not originating from the WAN. However, if my setup was correct, Wireshark was seeing all RST responses to the WAN or MGMT vlan. The RST seen by Wireshark were between the OC200 and the Wireshark PC, so if those local RST were the only RST which were occurring then they shound not trigger a log entry. As expected, the log entries which were recurring every 10 minutes did stop when RST in Attack Defense was disabled. However, if the only RST which were occurring were internal then turning off reporting for this event just hides the error in reporting.
I concur with this quote from your previous response.
RST is also common and when you do a 443 access. It continued and is normal to me.
Therefore, to reduce it to a question: Given RST is common during 443 access, why are internal RST triggering a log entry in the context of security?
Perhaps I am not thinking correctly, in the context of security our primary concern is when a RST is triggered from a WAN packet only?
Thanks,
Carl
- Copy Link
- Report Inappropriate Content
I looked at your posts and could not identify the specific reference.
Would you please let me know the post to which you are referring below?
About your suggestion for that log, you might wanna take it to the solution post I replied to earlier and see how others think this.
Thanks,
Carl
- Copy Link
- Report Inappropriate Content
I had the same issue
after testing, it turned out for me at least, to be external wireguard config files on VPS's i have which were pinging the router every 10 mins.
You need to remove the following line from all your wireguard conf files and the TCP SYN packets attack will stop.
PersistentKeepalive = 25
persistantkeepalive is not needed and in my case at least was removed, re-setup various external wireguard vpns. Now it all works.
It's surprising that TP link didn't figure this out,
- Copy Link
- Report Inappropriate Content
Hi @j1979
Thanks for posting in our business forum.
j1979 wrote
I had the same issue
after testing, it turned out for me at least, to be external wireguard config files on VPS's i have which were pinging the router every 10 mins.
You need to remove the following line from all your wireguard conf files and the TCP SYN packets attack will stop.
PersistentKeepalive = 25
persistantkeepalive is not needed and in my case at least was removed, re-setup various external wireguard vpns. Now it all works.
It's surprising that TP link didn't figure this out,
Because we are not in god mode and know that you have this.
Wireshark did not show this in the interaction if you don't know where to start.
And, are you certain about this? Both are UDP. I have not figured out why it would relate to TCP RST.
- Copy Link
- Report Inappropriate Content
Well I don't know the level of resources you have to test with if any. Anyway, apologies if i upset anyone, well I can't easily test with wireshark due to physical access to the router, but the attacks have been consistent for months if not years regular SYN attacks. I can't be 100% sure without further testing, which i'm not going to do as the issue is sorted for me now,
But i've getting them every 10 mins, for a while now after redoing all my WG configs on remote servers I get less than 1 a day. compared to 6 an hour before.
If you want to replicate for testing. I have been using cheap 1GB VPNs with Ubuntu 22.04 and installed, and wireguard using the roadwarrior script,
https://github.com/Nyr/wireguard-install
then use the QR code in the terminal or cat the conf file. It automatically has the persitantkeepalive in the roadwarrior script.
Not suggesting this is everyone's issue , but those with regular TCP SYN packets attack in the logs should defiantly look at this. The TCP vs UDP im not sure why wireguard would show as TCP SYN attack But I know my issue it resolved and Im 99% sure it's not a coincidence due to the first time i noticed a drop in the attacks was the same day i reinstalled android on my phone. It had 3 or 4 wireguard profiles on it.
So at first I suspected some malware on my phone that was deleted when reinstalling android, but as i added things back to my phone the attacks came back. I suspected wireguard persitant keepalive for a long time, but only got chance to test it a few days ago.
Just checked the OC200 again and 0 attacks.
- Copy Link
- Report Inappropriate Content
Hi @j1979
Thanks for posting in our business forum.
j1979 wrote
Well I don't know the level of resources you have to test with if any. Anyway, apologies if i upset anyone, well I can't easily test with wireshark due to physical access to the router, but the attacks have been consistent for months if not years regular SYN attacks. I can't be 100% sure without further testing, which i'm not going to do as the issue is sorted for me now,
But i've getting them every 10 mins, for a while now after redoing all my WG configs on remote servers I get less than 1 a day. compared to 6 an hour before.
If you want to replicate for testing. I have been using cheap 1GB VPNs with Ubuntu 22.04 and installed, and wireguard using the roadwarrior script,
https://github.com/Nyr/wireguard-install
then use the QR code in the terminal or cat the conf file. It automatically has the persitantkeepalive in the roadwarrior script.
Not suggesting this is everyone's issue , but those with regular TCP SYN packets attack in the logs should defiantly look at this. The TCP vs UDP im not sure why wireguard would show as TCP SYN attack But I know my issue it resolved and Im 99% sure it's not a coincidence due to the first time i noticed a drop in the attacks was the same day i reinstalled android on my phone. It had 3 or 4 wireguard profiles on it.
So at first I suspected some malware on my phone that was deleted when reinstalling android, but as i added things back to my phone the attacks came back. I suspected wireguard persitant keepalive for a long time, but only got chance to test it a few days ago.
Just checked the OC200 again and 0 attacks.
It reports a period of 10 minutes in the log. People asked for a longer time or shorter time, we still think 10-minute cycle would be suitable.
I still hold a grain of salt on this matter as keepalive is not TCP. I would not think they correlate. And I googled and studied the docs about Wireguard. Seems to be fully based on UDP.
- Copy Link
- Report Inappropriate Content
10 mins is fine imho any shorter fills the events log in a few days.
With wireguard I don't know if UDP is only used for the tunneling and TCP is used elsewhere. But the attacks were coming in my case from the local devices as they were still coming even if I added a firewall rule to block all incoming globally.
So each device was trying to ping the remote wireguard servers and the router /oc200 was picking it up as an attack. i'm sure of that. If you're still not convinced then maybe just keep it in mind as a possible line of questioning when users are coming with similar issues.
- Copy Link
- Report Inappropriate Content
Information
Helpful: 0
Views: 2029
Replies: 13
Voters 0
No one has voted for it yet.