TCP no-Flag attack

This thread has been locked for further replies. You can start a new thread to share your ideas or ask questions.
2022-12-26 07:44:44 - last edited 2022-12-26 10:25:47
Tags: #no-Flag
Model: ER605 (TL-R605)  
Hardware Version: V2
Firmware Version: 2.0.1 Build 20220223 Rel.68551

 

These messages are popping up every 10 minutes.

RT01 detected TCP no-Flag attack and dropped 8 packets. (Dec 26, 2022 03:25:06 pm)
RT01 detected TCP no-Flag attack and dropped 8 packets. (Dec 26, 2022 03:15:00 pm)
RT01 detected TCP no-Flag attack and dropped 7 packets. (Dec 26, 2022 03:04:51 pm)
RT01 detected TCP no-Flag attack and dropped 8 packets. (Dec 26, 2022 02:54:45 pm)
RT01 detected TCP no-Flag attack and dropped 8 packets. (Dec 26, 2022 02:44:39 pm)
RT01 detected TCP no-Flag attack and dropped 8 packets. (Dec 26, 2022 02:34:33 pm)
RT01 detected TCP no-Flag attack and dropped 8 packets. (Dec 26, 2022 02:24:25 pm)
RT01 detected TCP no-Flag attack and dropped 8 packets. (Dec 26, 2022 02:14:18 pm)

I was using ER605 v1 and have now changed to ER605 v2, same problem.

I'm trying to locate the origin of the packets; however, so far I cannot identify them.

I captured traffic between the router and modem using Wireshark, after connecting the router and modem to a port-based VLAN so I could monitor the incoming/outgoing ISP traffic and see packets before they get to the router and get dropped.

Using either of these Wireshark filters came back with no rows:

Block TCP Packets with SYN and FIN Bits Set

(tcp.flags.fin == 1) && (tcp.flags.syn == 1)

Block TCP Packets with FIN Bit but No ACK Bit Set

(tcp.flags.fin == 1) && (tcp.flags.ack == 0)

I tried a few other filters, like all TCP header flags set to 0, but could not identify the dropped packets.

How can I identify the no-flag packets?

thanks,

Lerwick

Attack defense and firewall settings are below.
#1
Re:TCP no-Flag attack
2022-12-27 10:52:40

@Lurk

I have never received a similar reminder.
Do these error alerts actually affect the router working properly?

Just striving to develop myself while helping others.
#2
Re:TCP no-Flag attack
2022-12-27 14:25:57

Hi @Virgo

It's like when the engine light comes on in the car: maybe you should stop straight away and call a towie, or maybe no worries, the light is faulty.

From Google:

TCP Null Attack

In case of TCP Null Attack, the victim server gets packets with null parameters in the ‘flag’ field of the TCP header, i.e. none of the 6 TCP flags (URG, ACK, PSH, RST, SYN, FIN) is set. As a rule, packets of this kind are used to scan the server’s ports before a large-scale attack.

I tried searching for all 6 flags set to 0; also nothing captured in Wireshark.

Given it seems to be happening at regular 10-minute intervals, I'm looking at the 600 second state timeout setting and will adjust that to see if the logging regularity also changes.

I'd feel better if I knew it was a false positive, or that if it was an attack I could do something before it escalates.
#3
Re:TCP no-Flag attack
2023-02-01 06:07:50

@Lurk "and dropped 8 packets", maybe it has provided relatively good protection.
#4
Re:TCP no-Flag attack
2023-02-01 07:43:51

Hi @HelsingL,

It's possible the alerts are indicating the router is blocking something useful.

The Block Large Pings rule, though, seemed to be blocking LAN-side traffic going to the WAN from Apple devices, so theoretically valid traffic, which may or may not have caused one or more of the Apple devices some delay in doing something that it does.

I tried to find out through TP-Link what triggers the different alerts but I couldn't get that info. I wasn't able to identify or reproduce packets causing the alerts given the criteria they gave me.

Another thing I noticed with the alerts: I set up a large ping (1000 bytes) that fires once every minute from the LAN to Google, and every 10 minutes the router reported dropping 10 packets, so it saved up alerts and logged them every 10 minutes and not when they occurred. I used PingInfoView from NirSoft to do that ping thing.

So given I can't find the packets that are causing the alerts, and they don't match the description provided by TP-Link about the TCP header fields, I think it isn't doing much useful except spamming the log. But what I do know now is that the time the alert is logged is not necessarily when the packet was sent. It saves up alerts and logs every 10 minutes.

The truth is out there somewhere... but for now my logs are spammed.
#5
Re:TCP no-Flag attack
2023-02-01 21:34:22

@Lurk

Maybe it's better to report here:

Additional Tips For Reporting Security Issues:

At TP-Link, customer security comes first. To report Security Issues regarding TP-Link products, please follow the situation below and submit the feedback from HERE.

• (1) To submit security-related inquiries, click Contact Technical Support, where our support engineers will help look into your concerns personally and assist in the first time.

• (2) To report Product Security or Vulnerability issues, click Submit Security Feedback, where your information will be handled by our network security engineers, and you can expect a reply in 1-3 business days.
#6
Re:TCP no-Flag attack
2023-02-01 23:00:36

Hi @nurix

I tried logging an incident with support:

Hello and thank you for contacting TP-Link support.

Basically there are 3 kinds of reports that would trigger the report with detected TCP no-Flag attack:
1. Report with FIN mark only
2. Report with FIN, URG, and PSH at the same time
3. Report without any TCP mark

Large ping attack happens when the gateway detects packets over 1024 bytes, and some of them are normal if they do not affect the use of the network.
If the reports with large ping attack did not influence your network, then you can just ignore it and pay attention to our website for newer firmware later, which would add the feature to adjust the packet size and detect the origin of the large ping.

So I tested the three options.

I applied the three filters you suggested to the Wireshark trace with the no-Flag alerts.

1. Report with FIN mark only

tcp.flags == 0x001

0 0 0 0  0 0 0 1

2. Report with FIN, URG, and PSH at the same time

tcp.flags == 0x029

0 0 1 0  1 0 0 1

3. Report without any TCP flags set

tcp.flags == 0x000

0 0 0 0  0 0 0 0

((tcp.flags == 0x000) || (tcp.flags == 0x001) || (tcp.flags == 0x029))

No packets were returned when I applied the filter to the capture.

And what did support say?

a) Is your network affected? and b) a firmware update is coming.

So I'm sort of done with support for now.
#7
Re:TCP no-Flag attack
2023-05-27 21:56:46 - last edited 2023-05-28 00:01:03

@Lurk

So, prior to the last firmware update I took on my ER605 Router, I could not tell where "Large Pings" were coming from. Now that I can see the IPs, that has revealed that ALL of my Roku devices are the source of friendly fire. Which is somewhat relieving, as it's not a true attack. Though I'm curious why so much chatter is needed to the mother ship by Roku.

But... prior to the update I could not identify the source IP for the large pings. Now I can, but now I have these "ER605_Router detected TCP no-Flag attack and dropped 3 packets" logs... but no source. So it's almost like I traded one unknown for another. I suspect it's still probably Roku... but not sure.
#8
Re:TCP no-Flag attack
2023-05-29 02:57:54

@Jase96

What controller are you using to get the IP information on the Large Ping Attack? My controller still does not support it even with the latest firmware. Using a hardware controller.

Thanks
#9
Re:TCP no-Flag attack
2023-05-29 03:20:15

@Lurk

You can check where the "TCP no-flag" attack came from using Wireshark. Mostly, it comes from your ISP, so mirror your WAN port to any available port and use Wireshark with this filter:

tcp.flags == 0x000

or use this filter to include the TCP SYN+FIN attack:

tcp.flags == 0x000 || tcp.flags == 0x003
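Putting the three no-Flag cases from the support reply quoted earlier in the thread together with the SYN+FIN filter above, here is an added Python example (not from this thread, TP-Link or the ER605 firmware) that pulls the tcp.flags value out of raw IPv4+TCP bytes, classifies each packet the way those Wireshark filters would, and tallies matches per source IP so the origin can be seen in a mirrored WAN capture. The packets are constructed inline; the bit layout follows the TCP header, not any ER605 internals.

```python
import struct
from collections import Counter

# Wireshark tcp.flags values quoted in the thread: the support reply's three
# no-Flag cases plus the SYN+FIN case from the later reply.
NO_FLAG = {0x000: "no flags set", 0x001: "FIN only", 0x029: "FIN+URG+PSH"}
SYN_FIN = 0x003

def tcp_flags(pkt: bytes) -> int:
    """9-bit flags field (NS..FIN) from a raw IPv4+TCP packet, no link layer."""
    ihl = (pkt[0] & 0x0F) * 4               # IPv4 header length in bytes
    if pkt[9] != 6:                         # IP protocol 6 is TCP
        raise ValueError("not a TCP packet")
    # TCP byte 12: data offset (high nibble), reserved bits, NS (low bit);
    # TCP byte 13: CWR ECE URG ACK PSH RST SYN FIN (same order as the thread)
    return ((pkt[ihl + 12] & 0x01) << 8) | pkt[ihl + 13]

def classify(pkt: bytes) -> str:
    flags = tcp_flags(pkt)
    if flags in NO_FLAG:
        return "no-Flag: " + NO_FLAG[flags]
    if flags == SYN_FIN:
        return "SYN+FIN"
    return "normal"

def suspicious_by_source(pkts) -> Counter:
    """Count matching packets per source IP, to answer 'where do they come from'."""
    hits = Counter()
    for pkt in pkts:
        if classify(pkt) != "normal":
            src = ".".join(str(b) for b in pkt[12:16])   # IPv4 source address
            hits[src] += 1
    return hits

def build_packet(src: str, dst: str, flags: int, sport=40000, dport=443) -> bytes:
    """Constructed minimal IPv4+TCP packet (checksums zero; enough to parse)."""
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 40, 0, 0, 64, 6, 0,
                     bytes(int(o) for o in src.split(".")),
                     bytes(int(o) for o in dst.split(".")))
    tcp = struct.pack("!HHIIBBHHH", sport, dport, 0, 0, 5 << 4, flags & 0xFF,
                      8192, 0, 0)
    return ip + tcp

if __name__ == "__main__":  # constructed sample: one packet per flag pattern
    for f in (0x002, 0x000, 0x001, 0x029, 0x003):
        print(hex(f), classify(build_packet("203.0.113.7", "192.0.2.1", f)))
```

To run it over a real capture, feed it the IPv4 payload of each frame (strip the Ethernet header first) and compare the per-source counts with the "dropped N packets" figures in the log.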
#10
Re:TCP no-Flag attack
2023-05-31 02:14:24

@mlburgoon

I am using a hardware controller: OC200 running v5.9.32. That manages the ER605 v1. I also have 16-port and 8-port JetStream switches and 3 EAP WAPs.