Router detected Large Ping attack and dropped 7 packets.
Hello everyone.
I have a new network infrastructure running a few days now in a new office under construction.
There I have 3 Omada devices (Router, POE Switch and EAP) and a wired security system.
Today I added a Win10 laptop for a video conference and I have more than 10 alerts in Omada's log like this one: "Router detected Large Ping attack and dropped 7 packets."
The same happened about 1 week before when I added the security system to the network, but afterwards it stopped. No other PC or other network device was connected to the network.
So is this normal every time I add a new network device, or is it an attack?
Is this critical? Is this a Ping attack?
Should I take care of these, or remove these alerts from Omada's alert emails?
Thanks
E.A
@Fae Hi, my Omada controller is 5.7.6V and I still have no info about the IP of the equipment concerned by these attacks.
My equipment:
Controller OC300 V1.0 // Firmware Version 1.14.7 Build 20221206 Rel.60706
Router ER7206 v1.0 // Firmware Version 1.2.3 Build 20221104 Rel.41500
Switch TL-SG3428 v2.0 // Firmware Version 2.0.9 Build 20221021 Rel.62172
I checked well and all my equipment is up to date. How can I fix this?
Hi @Nicduch
I ran a test today - disconnected internet and both large ping and no-flag were still getting logged. Turning off all Apple devices on my wifi and the alerts stopped. You should try the same - it seems the alerts are generated by LAN side activity not from the WAN and specifically from Apple devices.
Try the same test and let's see what happens for you.
Happy new year
Nicduch wrote:
@Fae Hi, my Omada controller is 5.7.6V and I still have no info about the IP of the equipment concerned by these attacks.
My equipment:
Controller OC300 V1.0 // Firmware Version 1.14.7 Build 20221206 Rel.60706
Router ER7206 v1.0 // Firmware Version 1.2.3 Build 20221104 Rel.41500
Switch TL-SG3428 v2.0 // Firmware Version 2.0.9 Build 20221021 Rel.62172
I checked well and all my equipment is up to date. How can I fix this?
@BravoMike31 I had the same today on the new ER7212PC Router. I'd like to see some more details included in the alert too.
I needed to reset the Cloud service as I couldn't connect to it. It had blocked the service after the ping attack. I had to turn the enable button Off/On to reset it. The app told me there was an error connecting. All was running well before. Is it coming from TP-Link's cloud service?
After reboot, IP info is here. I don't know why...
I think it's because of the different router/gateway.
I am using the ER605, whose last firmware update is from 03/2022.
All other hardware components including the Omada SDN controller have received some updates since that time.
@Fae - Can you please advise when the firmware upgrade for the ER605 (TL-R605) v1 will be released to support the Source IP for Large Ping Attacks? The latest firmware is 1.2.1 (Published Date: 2022-06-15).
After several tests, only one Apple device makes the ping attack.
This is an iPhone 7 +.
No problem with the iPhone 13 and Apple TV 4K.
Thanks for the information on the message "Router detected Large Ping attack and dropped 7 packets."
I have recently set up a TP-Link Omada network on my farm to provide WiFi for a large area.
The interesting thing is, for years I've been running two TP-Link Google OnHub TGR1900 access points in a mesh configuration and they provided WiFi signals from my home to my barn 300' away. The signal was typically -65 to -55 dBm at the barn, which was good enough to stream video and audio from a 1080p security camera and stream music on a Google Mini. Since Google is killing off support for these amazing consumer routers/APs and Google Home network management for the old devices, I had to come up with a replacement. Apparently nobody makes a router/access point as powerful as these were.
Here is my setup:
T-Mobile 5G Home Internet as my WAN
Calyx Institute Internet service using an inseego 5G MiFi M2000 as my USB Modem providing two connections to the Internet in failover
Omada controller Model OC200 v2.0 HW version, Controller Version 5.7.6, Firmware Version 2.7.7 Build 20221206 Rel.58608
Omada ER605 Gigabit VPN Router/Firewall v2.6, Firmware Version: 2.0.1 Build 20220223 Rel.68551
Omada TL-SG2008P JetStream 8 port gigabit smart PoE+ switch, Firmware Version: 3.0.4 Build 20221130 Rel.42340
and 2 Omada EAP610-Outdoor(US) v1.0, WiFi 6 AX1800 access points, Firmware Version: 1.0.6 Build 20220415 Rel. 63538
I have read over the Omada Knowledgebase articles, router install and configure manual and the Help system in the Controller and can not find any logs that show source and destination IP for the Large Ping Attack or any other message. I agree not showing this information is a great shortfall in a firewall so I read with interest this statement in your post:
"Now it's confirmed that Omada Controller v5.6 will support showing the source IP of the detected "Large Ping Attack" or "Ping of Death Attack". which requires to upgrade the Router to the adapted firmware."
Do you, or does anyone here know either how to view the source and destination IP addresses associated with messages?
Is this information available only if you export the logs or ship them to a syslog server (neither of which I tried)?
I'd rather not mirror ports and run Wireshark when this is a basic function of other firewalls that I have experience with (PaloAlto, Netscreen, Fortinet and SonicWall).
Thanks in advance.
Jeff
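Added example, not part of the original thread or of any TP-Link tooling: while the router does not report a source IP, a capture taken from a mirrored port can be searched offline for the LAN host sending oversized echo requests. The 1024-byte threshold is an assumption (the thread does not say what size the router treats as "large"), and the sample addresses and packets are constructed.

```python
import struct
from collections import Counter

def large_ping_sources(pcap: bytes, threshold: int = 1024) -> Counter:
    """Per source IP, count ICMP echo requests whose ICMP message exceeds `threshold` bytes."""
    end = {b"\xd4\xc3\xb2\xa1": "<", b"\xa1\xb2\xc3\xd4": ">"}.get(pcap[:4])
    if end is None or struct.unpack(end + "I", pcap[20:24])[0] != 1:
        raise ValueError("expected a classic pcap file with Ethernet link type")
    sizes, echo, pos = Counter(), set(), 24   # sizes: (src, ip_id) -> ICMP bytes seen
    while pos + 16 <= len(pcap):
        incl_len = struct.unpack(end + "I", pcap[pos + 8:pos + 12])[0]
        frame = pcap[pos + 16:pos + 16 + incl_len]
        pos += 16 + incl_len
        if len(frame) < 34 or frame[12:14] != b"\x08\x00":   # untagged IPv4 only
            continue
        ip = frame[14:]
        ihl = (ip[0] & 0x0F) * 4
        if ip[9] != 1:                                        # IP protocol 1 = ICMP
            continue
        total_len, ip_id, frag = struct.unpack("!HHH", ip[2:8])
        key = (".".join(map(str, ip[12:16])), ip_id)
        sizes[key] += total_len - ihl                         # sum fragments of one datagram
        if frag & 0x1FFF == 0 and len(ip) > ihl and ip[ihl] == 8:  # first fragment, type 8
            echo.add(key)
    hits = Counter()
    for key, size in sizes.items():
        if key in echo and size > threshold:
            hits[key[0]] += 1
    return hits

def _frame(src, ip_id, payload, offset=0, more=False):
    """Build one pcap record (Ethernet/IPv4/ICMP) for the constructed sample; checksums are zero."""
    frag = (0x2000 if more else 0) | (offset // 8)
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(payload), ip_id, frag,
                     64, 1, 0, bytes(map(int, src.split("."))), bytes([192, 168, 0, 1]))
    frame = bytes(12) + b"\x08\x00" + ip + payload
    return struct.pack("<IIII", 0, 0, len(frame), len(frame)) + frame

def sample_capture() -> bytes:
    """Constructed capture: one fragmented 2000-byte ping, one normal ping, one large reply."""
    hdr = struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, 1)
    big = b"\x08\x00" + bytes(1998)
    return (hdr + _frame("192.168.0.23", 7, big[:1480], more=True)
                + _frame("192.168.0.23", 7, big[1480:], offset=1480)
                + _frame("192.168.0.50", 9, b"\x08\x00" + bytes(62))
                + _frame("192.168.0.60", 3, b"\x00\x00" + bytes(1398)))
```

To run it on a real capture, pass the bytes of a file saved in classic pcap format (`open(path, "rb").read()`); pcapng files need converting first.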
Hello Jeff, as I can see from your hardware configuration, you basically use the same hardware as me. Since your hardware, including the Omada controller, also has the latest firmware version, you will also have to wait for a firmware update for your ER605 router.
As long as the router is not able to pass the IP address to the controller, we will not be able to see the IP address in the controller either.