TCP SYN packets attack
TCP SYN packets attack
I understand this topic has been brought up multiple times re: the "TCP SYN packets attack" reoccurring at 10 minute intervals. I also understand that firmware updates have improved the ability of the device to recognize and report such events. The purpose of my post is to provide information from my attempts to sort out the specific cause of this reporting in my environment.
We have an OC200, ER7206 v1.0, TL-SG2008P v1.0, SG3428 v2.3, EAP115(US) v4.0 and two EAP620 HD(US) v3.0. All firmware current except the EAP620s which are on v1.2.3 (but soon to be on 1.2.5).
We installed Wireshark on a local PC and configured a LAN port on the ER7206 for port mirroring.
The IP address of our OC200 is 10.X.X.80 and the IP address of the Wireshark PC is 10.X.X.81.
Wireshark was setup to filter for "tcp:flags.reset==1".
Screenshots from January 4, 2024, beginning 10:28AM local time, and immediately after clearing all alerts and starting a new capture in Wireshark.
>>Controller Logs - Alerts
>> Wireshark capture
Screenshots from January 4, 2024, at 10:54AM local time.
>>Controller Logs - Alerts
>> Wireshark capture
Assuming I have Wireshark setup correctly for filtering (will readily admit I use it very little), I'm surprised the only packets I see captured are between the OC200 and the Wireshark PC. It also seems to me there is more than a strong correlation between the time of attack detection as reported in the OC200 log as compared to the captured packets at the Wireshark PC.
I turned off the "Block TCP Scan with RST" as suggested in this post: https://community.tp-link.com/en/business/forum/topic/637224?page=1.
And logging of the "attack" stopped while the RST captures continued in Wireshark.
I would certainly welcome any input or feedback.
Thanks!
Carl
- Copy Link
- Subscribe
- Bookmark
- Report Inappropriate Content
Hi @j1979
Thanks for posting in our business forum.
j1979 wrote
10 mins is fine imho any shorter fills the events log in a few days.
With wireguard I don't know if UDP is only used for the tunneling and TCP is used elsewhere. But the attacks were coming in my case from the local devices as they were still coming even if I added a firewall rule to block all incoming globally.
So each device was trying to ping the remote wireguard servers and the router /oc200 was picking it up as an attack. i'm sure of that. If you're still not convinced then maybe just keep it in mind as a possible line of questioning when users are coming with similar issues.
Will see your feedback if is helpful to others. At least I should see some new feedback based on your suggestions before I take this further to analysis. But so far no clear evidence indicating this relates to TCP SYN yet.
Thanks for bringing this up from a new perspective and giving a possible solution or cause. Will keep an eye on this.
- Copy Link
- Report Inappropriate Content
Just another update, Im 100% sure now this is, in my case caused by the PersistentKeepalive= option in external wireguard peer profiles (not the builtin wireguard in the er605 router).
The reason im now completly sure, is that the only time I now get the TCP SYN attacks event is when my girlfriend comes over to stay and uses the wifi, she still has a wireguard peer config on her phone that still uses the persistantkeepalive.
- Copy Link
- Report Inappropriate Content
Hi @j1979
j1979 wrote
Just another update, Im 100% sure now this is, in my case caused by the PersistentKeepalive= option in external wireguard peer profiles (not the builtin wireguard in the er605 router).
The reason im now completly sure, is that the only time I now get the TCP SYN attacks event is when my girlfriend comes over to stay and uses the wifi, she still has a wireguard peer config on her phone that still uses the persistantkeepalive.
Got some questions for you.
If your persistenkeepalive = 25 (seconds). So, why does it show hundreds of the TCP SYN in 10 minutes?
Let's say it does not meet the math results in this situation.
600 secs, you should probably get 24 TCP SYN attack. But you get hundreds in the log?
How many attacks do you get in the log every 10 minutes? I assume you still get hundreds? Or under 100 times?
If you can answer this and let me know it is under 100 times every 10 minutes, then we may think it somehow relates. But only until I got an answer from you to confirm this.
- Copy Link
- Report Inappropriate Content
Information
Helpful: 0
Views: 2043
Replies: 13
Voters 0
No one has voted for it yet.