Router detected Large Ping attack and dropped 7 packets.
This thread has been locked for further replies. You can start a new thread to share your ideas or ask questions.
Hello everyone.
I have a new network infrastructure running a few days now in a new office under construction.
There I have 3 omada devices (Router, POE Switch and EAP) and a wired security system.
Today i added a Win10 laptop for a video conference and i have more than 10 alerts at omada's log like this one: "Router detected Large Ping attack and dropped 7 packets."
The same happened about 1 week before when added the security system in the network, but after it stopped. No other PC or other network device was connected to the network.
So is this normal, every time i add a new network device, or it is an attack?
Is this critical ? Is this a Ping attack?
Should i take care of these, or remove these alerts from omada's alert emails ?
Thanks
E.A
- Copy Link
- Subscribe
- Bookmark
- Report Inappropriate Content
Dear @Danny909, @Callmedave, @MaximusMark, @TheUnF, @NeoCZ, @biomed32uk, @BCosse, and other community members,
TheUnF wrote
@FAE, what do we need to do in order to get a very simple change on these notifications : show the source IP of the detected attach ?
Thank you all for your valuable feedback!
First, the alert of "Router detected Large Ping attack and dropped 7 packets." or "Router detected Ping of Death attack and dropped 1 packets" is a result of the router firewall function. If this kind of log is NOT much frequently reported and did not affect your normal use of the network, you may just keep an eye on it and no need to worry about it too much.
However, if it's very frequent, it indicates that there are many such attack packets exist in your network topology, you may need to check whether such attack packets exist in your network and address the problem from the attack source.
It's a pity that the Omada log doesn't offer more details about such an attack at present. And it's reasonable to provide the source IP of the detected attack in the log to help things easier, which has already been forwarded as a feature request to the R&D team for evaluation. Now it's confirmed that Omada Controller v5.6 will support showing the source IP of the detected "Large Ping Attack" or "Ping of Death Attack". which requires to upgrade the Router to the adapted firmware.
Before the final release of controller v5.6, if you wish to figure out where is the attack source, you may capture packages to have a try.
Here is the documentation on How to capture packets using Wireshark on SMB router or switch
The following is the detection scope and matching rules for Large Ping and Ping of Death:
- Large Ping: Ping packets larger than 1024 bytes, which could be from WAN or LAN.
- Ping of Death: ICMP packets larger than 65535 bytes, which could be from WAN or LAN.
Note: In both cases, oversized ping and tracert packets will be dropped.
Hope the information above helps. Thank you for your great patience!
- Copy Link
- Report Inappropriate Content
I decided to upgrade to the latest Omada Controller v5.4.6.x from 5.4.03.x and now I regret doing so. Can I just download the older version from somewhere and reinstall it and keep all my settings and data?
The reason I regret it is now I'm getting an email notification every couple of minutes about a large ping attack without it even providing the source ip. Until we know the source ip this information is useless. It's only annoying. I don't want to disable my email alerts over this either. The older version wasn't as sensitive with the same alert and I was fine with that. Until the patch/feature update is added I refuse to upgrade.
- Copy Link
- Report Inappropriate Content
I'm afraid if you downgrade you will lose your configuration. I tried to downgrade from 5.4 to 5.3 and lost all my configuration afterwards and tried to import the backup configuration on 5.4 and found that I couldn't recover it and needed to configure everything from scratch.
I think this is because the new controller has some new features that are not available on the old one, and when you import the configuration files from the new controller to the old one, there is no place for the configuration files of these new features to go, which leads to confusion.
- Copy Link
- Report Inappropriate Content
I have ER605 v.2.0, firmware 2.0.1 Build 20220223 Rel.68551 connected to the internet via PPPoE and observe the same log entries.
What's interresting, firewall always reports LAN MAC address as this attacked one, regardless of the real source - checked it by emulating such attack from a public cloud machine.
So - to summarize it up
1. Probably in your case, the attack is being performed from WAN and not from LAN, regardless of interface reported as attacked. In that case, in fact, that's good, that the router discovers it but you cannot do anything with this, especially, if you have a public IP address.
2. [ISSUE] in fact, firewall SHOULD report IP address of the attacker, but it DOES NOT do that.
3. [ISSUE] firewall SHOULD recognize attacked interface correctly, while it always reports LAN MAC address.
Also - using this thread as opportunity - I would like to add my thoughts about the firewall used in this device.
1. In general - reporting is very poor. IMHO it should be able to inform about every accepted and/or rejected package. And it should be possible to configure how much information is reported
2. ALG is very poor as well. It should, for example, allow to configure additional services, which can be blocked.
In general - I am a bit disapointed with this device. I know, that it is cheap, but it should provide at least some basic MODERN security features. I don't suppose, for example, that ALG allowing for blocking H.323 is useful, as this is very old protocol, and I don't suppose that there's a lot of users using it...
Best Regards
JustWired
- Copy Link
- Report Inappropriate Content
@BravoMike31 This experience was a weird one for me!
It started all the sudden and took me a week or two until i somehow could relate these notifications to the time I enrolled my iOS device for Beta testing of the new OS.
And once I removed the beta profile and rebooted, voila! it was all gone.
I am not entirely sure what all scans does the iPhone run while being on the Beta profile, but that was resulting in router detecting large pings and dropping packets, treating those as possible attacks.
- Copy Link
- Report Inappropriate Content
- Copy Link
- Report Inappropriate Content
EDIT
- Copy Link
- Report Inappropriate Content
@BravoMike31 I'm facing the same exact situation for a new network setup.
I've deployed an entire Omada setup (10 - EAP620HDs, 4 - TL-SG2210MP, ER605 V2 router and OC200 controller) for a 4 storey dormitory and everyday I am just receiving large ping attack notices to no end! And I have no other wired connections in my topology apart from the OC200 controller.
The fact that many users here are reporting the same issues with the ER605 makes me wonder what TP Link is doing about their Omada line up. If anything, these products ought to be superior in everyway from their home/SOHO product range.
I'm surprised actually because for the longest time I have had very little issues with their home/SOHO hardware but the Omada range have really made me re-think what to recommend my clients use.
- Copy Link
- Report Inappropriate Content
Having the same problems. I just this weekend put in a new network for a family member with ER605, EAP610, two EAP615 wall units, and an EAP245 running off a OC200 hardware controller V5.5.7. Everything is hardwired with tested Cat 6 cable. All firmware updated and configuration done and seeing constant Large Ping attack messages. Network speed keeps dropping from high 800 Mb to low 70 Mb. Just starting to look at it now, but can't identify what is going on????
This is just the latest:
| CONTENT | TIME | ARCHIVE ALL |
|---|
| ER605Router detected Large Ping attack and dropped 68 packets. |
Sep 21, 2022 02:15:51 pm |
|
| ER605Router detected Large Ping attack and dropped 13 packets. |
Sep 21, 2022 01:27:58 pm |
|
| ER605Router detected Large Ping attack and dropped 108 packets. |
Sep 21, 2022 01:17:08 pm |
|
| ER605Router detected Large Ping attack and dropped 64 packets. |
Sep 21, 2022 12:51:12 pm |
|
| ER605Router detected Large Ping attack and dropped 113 packets. |
Sep 21, 2022 12:39:33 pm |
|
| ER605Router detected Large Ping attack and dropped 42 packets. |
Sep 21, 2022 12:06:13 pm |
|
| ER605Router detected Large Ping attack and dropped 40 packets. |
Sep 21, 2022 11:31:53 am |
|
| ER605Router detected Large Ping attack and dropped 81 packets. |
Sep 21, 2022 11:08:14 am |
|
| ER605Router detected Large Ping attack and dropped 85 packets. |
Sep 21, 2022 10:56:38 am |
|
| ER605Router detected Large Ping attack and dropped 78 packets. |
Sep 21, 2022 09:50:51 am |
I have a similar setup (EAP620, and a few EAP245) at my house running off a different router and a software controller version 5.5.6 on a Raspberry Pi 4 and seldom get any alerts.
- Copy Link
- Report Inappropriate Content
- Copy Link
- Report Inappropriate Content
Information
Helpful: 16
Views: 53868
Replies: 89
Voters 2
