TCP SYN Packet Attack After the Firmware Upgrade

TCP SYN Packet Attack After the Firmware Upgrade

TCP SYN Packet Attack After the Firmware Upgrade
TCP SYN Packet Attack After the Firmware Upgrade
2024-01-05 01:25:12 - last edited 2024-02-06 02:40:40

This Article Applies to:

 

All Omada routers.

 

Issue Description/Phenomenon:

 

We received feedback after the upgrade of the Omada routers in a recent firmware release(by the time of this thread), your controller will show the log of XYZ Detected TCP SYN packet attack and dropped 123 packets.

 

Available Workarounds/Solutions:

 

First, it is an expected symptom if you have enabled/tweaked the firewall parameters - Block TCP scan with RST. By default, this is disabled.

If a connection sends a TCP SYN to the router, the router will respond with an RST.  It will be recorded and the controller will report it every 10 minutes to you in the log.

 

Note that the log is supposed to record what should be there or what is happening which is what the log does. And we are enriching the log system to be more specific and detailed. To some users, this might be confusing or bothering. Please use the User Guide and Google wisely. If you don't prefer the log repeatedly showing up in your controller, you may disable it.

 

Available Solution:

 

Disable the Block TCP scan with RST.

This will not respond with an RST instead it will instantly drop the connection without replying anything.

 

Related Reading: Omada Gateway Cannot Get Full Stealth On The GRC ShieldsUp Test. [Case Closed]

Q&A 3 in Understanding TCP/UDP and How Omada Firewall Protects Your Network from Attacks

 

Thank you for your attention!

 

Update Log:

 

Jan 5th, 2024:

Release of this article.

 

Feedback:

 

If this was helpful, welcome to give us Kudos by clicking the thumbs-up button below.

 

If the solution doesn't work for you, your case is probably different from what is described here.

In that case, please feel free to click Start a New Thread and elaborate on the problem so that we can try to help you further.

 

Thank you for your great cooperation and patience!

TP-Link Support Team

Best Regards! If you are new to the forum, please read: Howto - A Guide to Use Forum Effectively. Read Before You Post. Look for a model? Search your model NOW Official and Beta firmware. NEW features! Subscribe for the latest update!Download Beta Here☚ ☛ ★ Configuration Guide ★ ☚ ☛ ★ Knowledge Base ★ ☚ ☛ ★ Troubleshooting ★ ☚ ● Be kind and nice. ● Stay on the topic. ● Post details. ● Search first. ● Please don't take it for granted. ● No email confidentiality should be violated. ● S/N, MAC, and your true public IP should be mosaiced.
  6      
  6      
#1
Options
4 Reply
Re:TCP SYN Packet Attack After the Firmware Upgrade
2024-01-05 02:18:15

Hi  @Clive_A ,

 

I believe a 60-minute interval would be more suitable, as having a log entry every 10 minutes results in 144 entries per day. With a 60-minute frequency, you'd only receive 24 logs daily, preventing clutter.

  0  
  0  
#2
Options
Re:TCP SYN Packet Attack After the Firmware Upgrade
2024-01-05 13:37:38

  @di-vin 

 

makes it very hard to debug at 60mins if it's an internal device attcking the router.

  0  
  0  
#3
Options
Re:TCP SYN Packet Attack After the Firmware Upgrade
2024-06-25 03:35:56 - last edited 2024-06-25 03:47:08

  @Clive_A 
 

I might be missing something here, but wouldn't it be a lot simple to have an option to report those entries by source IP address instead so that we can troubleshoot this remotely as well instead of having to go to the device and do port mornitoring and all that stuf? If an internal system is trying to brute force scan my network it woudl be extremly usefull to know what's the IP of that system so that i can go directly to it without a 800 km trip and troubleshoot on site.

 

Any suggestion on how can we troubleshoot remotely without having to travel onsite each time a new "attack" is reported? My problem is that the issue is reported from the internal network or at least that is what is seems because the MAC reporting it is the one of the LAN. And each time when i have this i seem to lose access for some internal devices to internet and i need to be able to troubleshoot and determine if the issue happens because of an attack or because of some other reasons. 

  3  
  3  
#4
Options
Re:TCP SYN Packet Attack After the Firmware Upgrade
2024-06-25 05:53:44

Hi @HVM 

Thanks for posting in our business forum.

HVM wrote

  @Clive_A 
 

I might be missing something here, but wouldn't it be a lot simple to have an option to report those entries by source IP address instead so that we can troubleshoot this remotely as well instead of having to go to the device and do port mornitoring and all that stuf? If an internal system is trying to brute force scan my network it woudl be extremly usefull to know what's the IP of that system so that i can go directly to it without a 800 km trip and troubleshoot on site.

 

Any suggestion on how can we troubleshoot remotely without having to travel onsite each time a new "attack" is reported? My problem is that the issue is reported from the internal network or at least that is what is seems because the MAC reporting it is the one of the LAN. And each time when i have this i seem to lose access for some internal devices to internet and i need to be able to troubleshoot and determine if the issue happens because of an attack or because of some other reasons. 

You can upvote this: https://community.tp-link.com/en/business/forum/topic/671998

Will pay constant attention to this vote. 

Best Regards! If you are new to the forum, please read: Howto - A Guide to Use Forum Effectively. Read Before You Post. Look for a model? Search your model NOW Official and Beta firmware. NEW features! Subscribe for the latest update!Download Beta Here☚ ☛ ★ Configuration Guide ★ ☚ ☛ ★ Knowledge Base ★ ☚ ☛ ★ Troubleshooting ★ ☚ ● Be kind and nice. ● Stay on the topic. ● Post details. ● Search first. ● Please don't take it for granted. ● No email confidentiality should be violated. ● S/N, MAC, and your true public IP should be mosaiced.
  2  
  2  
#5
Options