Router Omada Detected TCP SYN packets attack and dropped xxx packets every 10 minutes, 24/7
Router Omada Detected TCP SYN packets attack and dropped xxx packets every 10 minutes, 24/7
I have a system consisting of an ER605 router, a TL-SG2008 switch and an EAP610 AP, all with an omada controller software version 5.12.7, and every 10 minutes I receive a notification: "Router Omada Detected TCP SYN packets attack and dropped xxx packages." How can I solve this problem?
- Copy Link
- Subscribe
- Bookmark
- Report Inappropriate Content
To anyone who's looking at this,
To fix this issue, set the Block TCP scan with RST disabled.
- Copy Link
- Report Inappropriate Content
Hi @Sadiqus
Thanks for posting in our business forum.
We got something to prepare before we dig into this.
So you can take a look at this thread to learn about the ACL. https://community.tp-link.com/en/business/forum/topic/617732
If possible, I'd recommend you upgrade your firmware to the V2.1.5 beta, you can find it in the pinned thread.
This looks like an attack from the WAN. So, I got a question is your Internet affected?
If your Internet is affected, we will need to find the IP address of the attacker and block it. So, that'll use the first link.
Then try the latest firmware and see if the log can show the IP address. If it cannot display the attacker's IP, we gotta use Wireshark to find it out and add it to the ACL block.
How to capture packets using Wireshark on SMB router or switch
How to Use Port Mirror to Capture Packets in the Controller
- Copy Link
- Report Inappropriate Content
hello @Clive_A , fortunately it does not affect my internet connectivity, unfortunately I cannot upgrade to the beta version due to the fact that the controller firmware is 5.12.7, and the beta version is for the controller with firmware 5.11 ... I noticed that there is the version this: ER605 V2_2.2.2 Official Firmware (Released on Oct 18th, 2023) and I have 2.2.0.
Is it safe to try to put the beta firmware on the 5.12.7 controller?
My controller is software, in a docker container, I hope this is not a problem.
Below are some print screens of my internet speed, apparently it is not affected in any way.
- Copy Link
- Report Inappropriate Content
Hi @Sadiqus
Thanks for posting in our business forum.
Sadiqus wrote
hello @Clive_A , fortunately it does not affect my internet connectivity, unfortunately I cannot upgrade to the beta version due to the fact that the controller firmware is 5.12.7, and the beta version is for the controller with firmware 5.11 ... I noticed that there is the version this: ER605 V2_2.2.2 Official Firmware (Released on Oct 18th, 2023) and I have 2.2.0.
Is it safe to try to put the beta firmware on the 5.12.7 controller?
My controller is software, in a docker container, I hope this is not a problem.
Below are some print screens of my internet speed, apparently it is not affected in any way.
If possible, I still recommend you take a look at your network to find out what the device is. But it's your network and it's your choice.
The firmware does not have any negative impact if you use it for lower adaptation.
The attack should be sent to the router. The router blocks and reports it. Usually, it is from the WAN. This log will continue to show with the current setting or you can disable the notification in the log settings.
Uncheck all of them. You should be free from the attack log.
- Copy Link
- Report Inappropriate Content
I looked in my network, and there are no problems, I tend to think that the attack is still from outside, but it doesn't show me that IP so I can block it.
I have 2 internet providers, I have to see which of them the attack is coming from.
The option with Gateway Detected Attack unchecked works perfectly.
- Copy Link
- Report Inappropriate Content
routers are attacked all the time, to limit it you can create a location group and include all countries, create a router acl with location group and WAN IN
if you need access from certain countries, you can exclude these from the group.
- Copy Link
- Report Inappropriate Content
I can't do that, behind the router I have a few servers that need to be accessed from anywhere. Some websites, web pages, etc.
- Copy Link
- Report Inappropriate Content
Hi @Sadiqus
Thanks for posting in our business forum.
Sadiqus wrote
I can't do that, behind the router I have a few servers that need to be accessed from anywhere. Some websites, web pages, etc.
This is the downside if you host websites or other stuff. You also face the risk of being attacked. Usually, the home users would not experience such an issue. If they expose the port, that might happen because open ports can be exploited if you do not set proper security for that.
I would do the following to find it out:
1. Unplug one of the WANs to identify which ISP is under attack.
2. Port Mirroring and Wireshark to find out the constant access of the device.
3. Set up the ACL or the Geo block by identifying the IP belonging.
- Copy Link
- Report Inappropriate Content
To make it easier to understand, my configuration is as follows: I have 2 internet providers, and behind the router I have 5 vlans :
1. Administration vlan,
2. IoT Vlan,
3. Home vlan,
4. Guest Home vlan
5. free wifi vlan as guest.
So in the admin network I have 2 physical servers that have docker containers. To be more precise, there are 18 sites on one physical server and 6 sites on the other physical server, all in docker containers, of which only one site goes to the Internet on my real IP through an nginx reverse proxy, the rest of 23 sites are made through proxies through cloudflare. I specify the fact that I own an FQDN domain.
The only ports I forward on the router are 80 and 443 + 2 other ports for VPN connection through Wireguard (each port for a different ISP).
The main ISP is a 1 GBps up/down fiber connection, the other ISP is a VDSL of 70 Mbps down and 23 Mbps UP, which is only for backup and through which the IoT vlan and the FreeWifi vlan come out to the Internet.
If you say that it wouldn't be a problem to downgrade to the V2.1.5 beta version, on my V5.12.7 controller, I would also try this in the hope that maybe it will show me the IP/IPs that are attacking me as to be able to block them.
Thank you very much for your help
- Copy Link
- Report Inappropriate Content
I am having the same issue. I don't believe it's a hack. It's every 10 minutes getting these alerts. I'm not being notified as i turned off the Gateway Detected Attack alert. I also have dual wan, but one of my wan is failover only. Started getting these alerts after upgrading to firmware 2.2.2 on er605 v2.
- Copy Link
- Report Inappropriate Content
In the meantime I upgraded to V2.2.2, but the problem is still. I also shut down one of the physical servers.
- Copy Link
- Report Inappropriate Content
Information
Helpful: 3
Views: 7849
Replies: 17