TCP no-Flag attack
These messages are popping up every 10 minutes.
RT01 detected TCP no-Flag attack and dropped 8 packets. | Dec 26, 2022 03:25:06 pm
RT01 detected TCP no-Flag attack and dropped 8 packets. | Dec 26, 2022 03:15:00 pm
RT01 detected TCP no-Flag attack and dropped 7 packets. | Dec 26, 2022 03:04:51 pm
RT01 detected TCP no-Flag attack and dropped 8 packets. | Dec 26, 2022 02:54:45 pm
RT01 detected TCP no-Flag attack and dropped 8 packets. | Dec 26, 2022 02:44:39 pm
RT01 detected TCP no-Flag attack and dropped 8 packets. | Dec 26, 2022 02:34:33 pm
RT01 detected TCP no-Flag attack and dropped 8 packets. | Dec 26, 2022 02:24:25 pm
RT01 detected TCP no-Flag attack and dropped 8 packets. | Dec 26, 2022 02:14:18 pm
I was using ER605 v1 and have now changed to ER605 v2, same problem.
I'm trying to locate the origin of the packets; however, so far I cannot identify it.
I captured traffic between the router and modem using Wireshark, after connecting the router and modem to a port-based VLAN so I could monitor the incoming/outgoing ISP traffic and see packets before they get to the router and get dropped.
Using either of these Wireshark filters came back with no rows:
Block TCP Packets with SYN and FIN Bits Set
(tcp.flags.fin == 1) && (tcp.flags.syn == 1)
Block TCP Packets with FIN Bit but No ACK Bit Set
((tcp.flags.fin == 1)) && (tcp.flags.ack == 0)
I tried a few other filters, like all TCP header flags set to 0, but could not identify the dropped packets.
How can I identify the no-flag packets?
Thanks,
Lerwick
Attack defense and firewall settings are below.
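
One way to check a saved capture for the packets the question asks about, as an added example that is not part of the original post: the function below reads a classic pcap file and lists every IPv4 TCP segment whose nine flag bits are all zero. The function and helper names are assumptions of this example, and the sample frames, addresses and ports are constructed.

```python
import struct

def null_flag_segments(pcap: bytes):
    """Return (frame_no, src, dst, sport, dport) for TCP segments with all 9 flag bits clear."""
    if pcap[:4] == b"\xd4\xc3\xb2\xa1":
        end = "<"                      # little-endian classic pcap
    elif pcap[:4] == b"\xa1\xb2\xc3\xd4":
        end = ">"                      # big-endian classic pcap
    else:
        raise ValueError("not a classic (microsecond) pcap file")
    if struct.unpack(end + "I", pcap[20:24])[0] != 1:
        raise ValueError("only Ethernet captures (linktype 1) are handled")
    hits, off, num = [], 24, 0
    while off + 16 <= len(pcap):
        incl_len = struct.unpack(end + "I", pcap[off + 8:off + 12])[0]
        frame = pcap[off + 16:off + 16 + incl_len]
        off += 16 + incl_len
        num += 1                       # matches Wireshark's frame numbering (starts at 1)
        etype, l3 = frame[12:14], 14
        if etype == b"\x81\x00":       # skip a single 802.1Q VLAN tag
            etype, l3 = frame[16:18], 18
        ip = frame[l3:]
        if etype != b"\x08\x00" or len(ip) < 20:
            continue                   # IPv4 only
        ihl = (ip[0] & 0x0F) * 4
        frag_off = struct.unpack("!H", ip[6:8])[0] & 0x1FFF
        if ip[9] != 6 or frag_off or len(ip) < ihl + 14:
            continue                   # not TCP, or no TCP header in this fragment
        tcp = ip[ihl:]
        sport, dport = struct.unpack("!HH", tcp[:4])
        if (struct.unpack("!H", tcp[12:14])[0] & 0x01FF) == 0:
            addr = lambda b: ".".join(map(str, b))
            hits.append((num, addr(ip[12:16]), addr(ip[16:20]), sport, dport))
    return hits

def _frame(flags: int) -> bytes:
    """Constructed Ethernet/IPv4/TCP frame (documentation addresses, checksums left zero)."""
    eth = b"\x02" * 6 + b"\x06" * 6 + b"\x08\x00"
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 40, 0, 0, 64, 6, 0,
                     bytes([192, 0, 2, 10]), bytes([198, 51, 100, 7]))
    return eth + ip + struct.pack("!HHIIHHHH", 40000, 443, 1, 0, (5 << 12) | flags, 1024, 0, 0)

def sample_pcap() -> bytes:
    """Constructed capture: SYN, a no-flag segment, then ACK."""
    out = struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, 1)
    for flags in (0x002, 0x000, 0x010):
        f = _frame(flags)
        out += struct.pack("<IIII", 0, 0, len(f), len(f)) + f
    return out
```

To run it on a real capture, save the Wireshark capture in the classic pcap format (the default is pcapng) and pass the file's bytes to `null_flag_segments`. If a WAN-side capture yields no hits, run the same check on a LAN-side capture, since the log line does not say which interface the dropped packets arrived on.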