TCP SYN packets attack

This thread has been locked for further replies. You can start a new thread to share your ideas or ask questions.
12

TCP SYN packets attack

This thread has been locked for further replies. You can start a new thread to share your ideas or ask questions.
13 Reply
Re:TCP SYN packets attack
2024-04-30 05:43:01

Hi @j1979 

Thanks for posting in our business forum.

j1979 wrote

  @Clive_A 

 

10 mins is fine imho any shorter fills the events log in a few days.  

 

With wireguard I don't know if UDP is only used for the tunneling and TCP is used elsewhere.   But the attacks were coming in my case from the local devices as they were still coming even if I added a firewall rule to block all incoming globally.

 

So each device was trying to ping the remote wireguard servers and the router /oc200 was picking it up as an attack.   i'm sure of that.  If you're still not convinced then maybe just keep it in mind as a possible line of questioning when users are coming with similar issues.

 

Will see your feedback if is helpful to others. At least I should see some new feedback based on your suggestions before I take this further to analysis. But so far no clear evidence indicating this relates to TCP SYN yet.

Thanks for bringing this up from a new perspective and giving a possible solution or cause. Will keep an eye on this.

Best Regards! If you are new to the forum, please read: Howto - A Guide to Use Forum Effectively. Read Before You Post. Look for a model? Search your model NOW Official and Beta firmware. NEW features! Subscribe for the latest update!Download Beta Here☚ ☛ ★ Configuration Guide ★ ☚ ☛ ★ Knowledge Base ★ ☚ ☛ ★ Troubleshooting ★ ☚ ● Be kind and nice. ● Stay on the topic. ● Post details. ● Search first. ● Please don't take it for granted. ● No email confidentiality should be violated. ● S/N, MAC, and your true public IP should be mosaiced.
  1  
  1  
#12
Options
Re:TCP SYN packets attack
2024-04-30 22:12:34

@Clive_A 

 

Just another update,  Im 100% sure now this is, in my case caused by the  PersistentKeepalive=   option in external wireguard peer profiles (not the builtin wireguard in the er605 router).

 

The reason im now completly sure, is that the only time I now get the TCP SYN attacks event is when my girlfriend comes over to stay and uses the wifi,  she still has a wireguard peer config on her phone that still uses the persistantkeepalive.

 

 

  0  
  0  
#13
Options
Re:TCP SYN packets attack
2024-05-06 10:39:46

Hi  @j1979 

j1979 wrote

@Clive_A 

 

Just another update,  Im 100% sure now this is, in my case caused by the  PersistentKeepalive=   option in external wireguard peer profiles (not the builtin wireguard in the er605 router).

 

The reason im now completly sure, is that the only time I now get the TCP SYN attacks event is when my girlfriend comes over to stay and uses the wifi,  she still has a wireguard peer config on her phone that still uses the persistantkeepalive.

 

 

Got some questions for you.

If your persistenkeepalive = 25 (seconds). So, why does it show hundreds of the TCP SYN in 10 minutes?

Let's say it does not meet the math results in this situation.

600 secs, you should probably get 24 TCP SYN attack. But you get hundreds in the log?

How many attacks do you get in the log every 10 minutes? I assume you still get hundreds? Or under 100 times?

If you can answer this and let me know it is under 100 times every 10 minutes, then we may think it somehow relates. But only until I got an answer from you to confirm this.

Best Regards! If you are new to the forum, please read: Howto - A Guide to Use Forum Effectively. Read Before You Post. Look for a model? Search your model NOW Official and Beta firmware. NEW features! Subscribe for the latest update!Download Beta Here☚ ☛ ★ Configuration Guide ★ ☚ ☛ ★ Knowledge Base ★ ☚ ☛ ★ Troubleshooting ★ ☚ ● Be kind and nice. ● Stay on the topic. ● Post details. ● Search first. ● Please don't take it for granted. ● No email confidentiality should be violated. ● S/N, MAC, and your true public IP should be mosaiced.
  1  
  1  
#14
Options