4
Votes

Omada SDN and Large Ping log

This thread has been locked for further replies. You can start a new thread to share your ideas or ask questions.
Omada SDN and Large Ping log
2022-07-02 05:42:30 - last edited 2022-07-20 08:41:15
Tags: #Large ping attack
Hardware Version: V5
Firmware Version: 5.3.1

I get a lot of Large ping attack alerts in my log. But there is no info about source IP, so I can't see if it was from any of my WAN connections or from LAN side. Also there is no way to block IP that it has come from.

I really would like to see source IP and also have a way to block this IP (or IP range) from further attacks.

Thanks.

#1
1 Accepted Solution
Re:Omada SDN and Large Ping log-Solution
2022-07-20 08:40:40 - last edited 2022-07-20 08:41:15

Dear @NeoCZ, and other community members,

 

NeoCZ wrote

I get a lot of Large ping attack alerts in my log. But there is no info about source IP, so I can't see if it was from any of my WAN connections or from LAN side. Also there is no way to block IP that it has come from.

I really would like to see source IP and also have a way to block this IP (or IP range) from further attacks.

 

Thank you so much for your valuable feedback!

 

First, the alert of "Router detected Large Ping attack and dropped 7 packets." or "Router detected Ping of Death attack and dropped 1 packet" is a result of the router firewall function. If this kind of log is NOT reported very frequently and does not affect your normal use of the network, you may just keep an eye on it; there is no need to worry about it too much.

 

However, if it's very frequent, it indicates that many such attack packets exist in your network topology, and you may need to check whether such attack packets exist in your network and address the problem from the attack source.

 

It's a pity that the Omada log doesn't offer more details about such an attack at present. And it's reasonable to provide the source IP of the detected attack in the log to make things easier, which has already been forwarded as a feature request to the R&D team for evaluation.

Now it's confirmed that Omada Controller v5.6 will support showing the source IP of the detected "Large Ping Attack" or "Ping of Death Attack".

 

Before the final release of controller v5.6, if you wish to figure out where the attack source is, you may capture packets to have a try.

Here is the documentation on How to capture packets using Wireshark on SMB router or switch

The following is the detection scope and matching rules for Large Ping and Ping of Death:

  • Large Ping: Ping packets larger than 1024 bytes, which could be from WAN or LAN.
  • Ping of Death: ICMP packets larger than 65535 bytes, which could be from WAN or LAN.

Note: In both cases, oversized ping and tracert packets will be dropped.

 

Hope the information above helps. Thank you for your great patience!

>> Omada EAP Firmware Trial Available Here << *Try filtering posts on each forum by Label of [Early Access]*
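The two matching rules quoted in the accepted solution, as an added worked example that is not TP-Link or Omada code: it applies them to raw IPv4 packets (for instance the frames exported from the Wireshark capture the reply points to) and reports the source IP that the stock log entry lacks. Assumptions, since the reply does not say which length the router measures: the size compared is the IPv4 datagram length including its header, and Ping of Death is judged on the reassembled size, because no single fragment on the wire can exceed 65535 bytes on its own.

```python
import struct
from collections import defaultdict

LARGE_PING_BYTES = 1024   # "Ping packets larger than 1024 bytes" (from the reply)
MAX_IP_DATAGRAM = 65535   # largest legal IPv4 datagram; anything bigger is a Ping of Death
ICMP_PROTO = 1

def parse_ipv4(pkt: bytes) -> dict:
    """Pull the IPv4 header fields the two checks need (no checksum validation)."""
    ihl = (pkt[0] & 0x0F) * 4
    total_len, ident, flags_frag = struct.unpack_from("!HHH", pkt, 2)
    return {
        "ihl": ihl, "total_len": total_len, "id": ident, "proto": pkt[9],
        "frag_offset": (flags_frag & 0x1FFF) * 8,          # offset is in 8-byte units
        "src": ".".join(map(str, pkt[12:16])), "dst": ".".join(map(str, pkt[16:20])),
    }

class PingClassifier:
    """Per-datagram size state, so a Ping of Death is caught although each fragment is legal."""
    def __init__(self) -> None:
        self._span = defaultdict(int)   # (src, dst, id) -> highest payload byte seen so far
        self._fired = set()             # (key, alert name) pairs already reported

    def classify(self, pkt: bytes) -> list[tuple[str, str]]:
        hdr = parse_ipv4(pkt)
        if hdr["proto"] != ICMP_PROTO:
            return []
        key = (hdr["src"], hdr["dst"], hdr["id"])
        end = hdr["frag_offset"] + hdr["total_len"] - hdr["ihl"]
        self._span[key] = max(self._span[key], end)
        reassembled = hdr["ihl"] + self._span[key]   # datagram size once reassembled (assumption)
        alerts = []
        for name, limit in (("Large Ping", LARGE_PING_BYTES), ("Ping of Death", MAX_IP_DATAGRAM)):
            if reassembled > limit and (key, name) not in self._fired:
                self._fired.add((key, name))
                alerts.append((name, hdr["src"]))   # the source IP the stock log entry omits
        return alerts

def make_ipv4_icmp(src: str, dst: str, ident: int, payload_len: int,
                   frag_offset: int = 0, more: bool = False) -> bytes:
    """Constructed test packet: IPv4 header (checksum left 0) + zero-filled ICMP payload."""
    flags_frag = (0x2000 if more else 0) | (frag_offset // 8)
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + payload_len, ident, flags_frag,
                      64, ICMP_PROTO, 0, bytes(map(int, src.split("."))),
                      bytes(map(int, dst.split("."))))
    return hdr + bytes(payload_len)

if __name__ == "__main__":
    # Last fragment of an oversized datagram: a legal 120-byte frame, fatal once reassembled
    print(PingClassifier().classify(make_ipv4_icmp("203.0.113.7", "192.0.2.1", 3, 100, frag_offset=65528)))
```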