Omada SDN and Large Ping log
I get a lot of Large ping attack alerts in my log. But there is no info about source IP, so I can't see if it was from any of my WAN conections or from LAN side. Also there is no way to block IP that it has come from.
I really would like to see source IP and also have a way to block this IP (or IP range) from futher atacks.
Thanks.
- Copy Link
- Subscribe
- Bookmark
- Report Inappropriate Content
Dear @NeoCZ, and other community members,
NeoCZ wrote
I get a lot of Large ping attack alerts in my log. But there is no info about source IP, so I can't see if it was from any of my WAN conections or from LAN side. Also there is no way to block IP that it has come from.
I really would like to see source IP and also have a way to block this IP (or IP range) from futher atacks.
Thank you so much for your valuable feedback!
First, the alert of "Router detected Large Ping attack and dropped 7 packets." or "Router detected Ping of Death attack and dropped 1 packet" is a result of the router firewall function. If this kind of log is NOT much frequently reported and did not affect your normal use of the network, you may just keep an eye on it and no need to worry about it too much.
However, if it's very frequent, it indicates that there are many such attack packets exist in your network topology, you may need to check whether such attack packets exist in your network and address the problem from the attack source.
It's a pity that the Omada log doesn't offer more details about such an attack at present. And it's reasonable to provide the source IP of the detected attack in the log to help things easier, which has already been forwarded as a feature request to the R&D team for evaluation.
Now it's confirmed that Omada Controller v5.6 will support showing the source IP of the detected "Large Ping Attack" or "Ping of Death Attack".
Before the final release of controller v5.6, if you wish to figure out where is the attack source, you may capture packages to have a try.
Here is the documentation on How to capture packets using Wireshark on SMB router or switch
The following is the detection scope and matching rules for Large Ping and Ping of Death:
- Large Ping: Ping packets larger than 1024 bytes, which could be from WAN or LAN.
- Ping of Death: ICMP packets larger than 65535 bytes, which could be from WAN or LAN.
Note: In both cases, oversized ping and tracert packets will be dropped.
Hope the information above helps. Thank you for your great patience!
- Copy Link
- Report Inappropriate Content
Dear @NeoCZ, and other community members,
NeoCZ wrote
I get a lot of Large ping attack alerts in my log. But there is no info about source IP, so I can't see if it was from any of my WAN conections or from LAN side. Also there is no way to block IP that it has come from.
I really would like to see source IP and also have a way to block this IP (or IP range) from futher atacks.
Thank you so much for your valuable feedback!
First, the alert of "Router detected Large Ping attack and dropped 7 packets." or "Router detected Ping of Death attack and dropped 1 packet" is a result of the router firewall function. If this kind of log is NOT much frequently reported and did not affect your normal use of the network, you may just keep an eye on it and no need to worry about it too much.
However, if it's very frequent, it indicates that there are many such attack packets exist in your network topology, you may need to check whether such attack packets exist in your network and address the problem from the attack source.
It's a pity that the Omada log doesn't offer more details about such an attack at present. And it's reasonable to provide the source IP of the detected attack in the log to help things easier, which has already been forwarded as a feature request to the R&D team for evaluation.
Now it's confirmed that Omada Controller v5.6 will support showing the source IP of the detected "Large Ping Attack" or "Ping of Death Attack".
Before the final release of controller v5.6, if you wish to figure out where is the attack source, you may capture packages to have a try.
Here is the documentation on How to capture packets using Wireshark on SMB router or switch
The following is the detection scope and matching rules for Large Ping and Ping of Death:
- Large Ping: Ping packets larger than 1024 bytes, which could be from WAN or LAN.
- Ping of Death: ICMP packets larger than 65535 bytes, which could be from WAN or LAN.
Note: In both cases, oversized ping and tracert packets will be dropped.
Hope the information above helps. Thank you for your great patience!
- Copy Link
- Report Inappropriate Content
Information
Helpful: 5
Views: 735
Replies: 1