Solution Solution to ER605 V1 1.3.0 Firmware Got Many Logs of "TCP no-Flag attack" Issue
This Article Applies to: ER605 v1 _1.3.0_Build 20230511
Issue Description/Phenomenon:
Recently we noticed that some forum users were getting many "Router/Gateway detected TCP no-Flag attack and dropped x packets" warnings after updating the ER605 v1 to 1.3.0 firmware.
Related Post:
Recent TCP no-Flag attacks
Since 1.3.0 ER605 V1 gets thousands of TCP no-Flag attack
Upon further investigation, it is confirmed that ER605 v1 1.3.0 firmware now includes detection and interception capabilities for TCP no-Flag attacks from the WAN IN direction. As a result, any warnings regarding "TCP no-Flag attacks" that have appeared after the 1.3.0 update are likely originating from the WAN side, although the possibility that they may originate from the LAN side cannot be completely ruled out.
Available Solutions:
It's planned to optimize the event notification of "TCP no-Flag attack" in future iterations of the ER605 v1.
The message "TCP no-Flag attack and dropped X packets" indicates that the router's firewall is functioning properly. When the router detects a TCP packet without a flag, it discards it to prevent potential harm to the system. If you don't see this message frequently in the logs and it doesn't affect your network usage, it's probably nothing to worry about. Simply monitor it and take appropriate action if necessary.
If the logs of "TCP no-flag attack" is very frequent and you want to stop them, you may go to Settings > Network Security > Attack Defense on the controller, and disable the Block TCP Scan (Stealth FIN/Xmas/Null) option.
If you would like to figure out the source of the detected attack, you may use Wireshark to trace the attack.
The TCP no-Flag attack packet filtering rules are as follows:
-
Packets with only the FIN flag
-
Packets containing both FIN, URG, and PSH
-
Packets without any TCP flags
Note: If you use Wireshark, you need to set Port Mirroring on the router to capture packets.
Feedback:
If this was helpful, welcome to give us Kudos by clicking the upward triangle below.
If there is anything unclear in this solution post, please feel free to comment below.
To submit a new different issue, please Start a New Thread for better assistance.
Thank you for your support and contribution in TP-Link Community!
Thanks for posting in our business forum.
This is not the same issue. You should start a new thread.
I am pointing you in the right direction. You are facing an issue with the SYN and FIN log that differs from the OP.
If you are worried that disabling the firewall may put your network in danger, then you should contact your ISP or keep the current firewall settings. The log is recording and telling you the facts and if you are uncomfortable with this repetitive logging, you should consider asking your ISP to change your IP address which you may under an attack. Or you should use some kind of third-party cloud service to hide or protect your IP from attacks.
Or you can disable the log from sending this. It's intuitive to find the options on the Logs page. You see the notifications and you can modify what is to be displayed in the log. This is quite customizable and intuitive.
The product you have is a generic router and it has a limit on protecting your network. We can protect you from the basic attacks but we never guarantee you that you are free from any attacks.
