Solution to ER605 V1 1.3.0 Firmware Got Many Logs of "TCP no-Flag attack" Issue

2023-06-02 06:16:24 - last edited 2023-06-28 00:51:26

This Article Applies to: ER605 v1 _1.3.0_Build 20230511

Issue Description/Phenomenon:

Recently we noticed that some forum users were getting many "Router/Gateway detected TCP no-Flag attack and dropped x packets" warnings after updating the ER605 v1 to 1.3.0 firmware.

Related Post:

  • Recent TCP no-Flag attacks

  • Since 1.3.0 ER605 V1 gets thousands of TCP no-Flag attack

Upon further investigation, it is confirmed that ER605 v1 1.3.0 firmware now includes detection and interception capabilities for TCP no-Flag attacks from the WAN IN direction. As a result, any warnings regarding "TCP no-Flag attacks" that have appeared after the 1.3.0 update are likely originating from the WAN side, although the possibility that they may originate from the LAN side cannot be completely ruled out.

Available Solutions:

It's planned to optimize the event notification of "TCP no-Flag attack" in future iterations of the ER605 v1.

The message "TCP no-Flag attack and dropped X packets" indicates that the router's firewall is functioning properly. When the router detects a TCP packet without a flag, it discards it to prevent potential harm to the system. If you don't see this message frequently in the logs and it doesn't affect your network usage, it's probably nothing to worry about. Simply monitor it and take appropriate action if necessary.

If the logs of "TCP no-flag attack" are very frequent and you want to stop them, you may go to Settings > Network Security > Attack Defense on the controller, and disable the Block TCP Scan (Stealth FIN/Xmas/Null) option.

If you would like to figure out the source of the detected attack, you may use Wireshark to trace the attack.

The TCP no-Flag attack packet filtering rules are as follows:

  • Packets with only the FIN flag

  • Packets containing all of FIN, URG, and PSH

  • Packets without any TCP flags

Note: If you use Wireshark, you need to set Port Mirroring on the router to capture packets.

Feedback:

If this was helpful, welcome to give us Kudos by clicking the upward triangle below.

If there is anything unclear in this solution post, please feel free to comment below.

To submit a new different issue, please Start a New Thread for better assistance.

Thank you for your support and contribution in TP-Link Community!

Best Regards!
#1
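Added example (not part of the original post and not TP-Link code): a small Python script that applies the three filtering rules listed in the post to a capture taken from the mirror port and counts matching packets per source address. It assumes the capture was saved in classic little-endian pcap format with Ethernet link type and that only the six classic TCP flag bits matter; the function names and the sample packets are constructed for illustration.

```python
import struct
from collections import Counter

FIN, SYN, PSH, ACK, URG = 0x01, 0x02, 0x08, 0x10, 0x20
RULES = {0: "null", FIN: "fin-only", FIN | PSH | URG: "xmas"}  # the post's three rules

def classify(frame):
    """Return (src_ip, rule) if an Ethernet/IPv4/TCP frame matches, else None."""
    if len(frame) < 34 or frame[12:14] != b"\x08\x00":  # too short or not IPv4
        return None
    ihl = (frame[14] & 0x0F) * 4
    frag_offset = struct.unpack("!H", frame[20:22])[0] & 0x1FFF
    # Skip non-TCP, later fragments (no TCP header) and truncated captures.
    if frame[23] != 6 or frag_offset or len(frame) < 14 + ihl + 14:
        return None
    # Assumption: only the six classic flag bits count; ECE/CWR are ignored.
    rule = RULES.get(frame[14 + ihl + 13] & 0x3F)
    return (".".join(map(str, frame[26:30])), rule) if rule else None

def scan_pcap(data):
    """Count matching packets per (source, rule) in a classic Ethernet pcap."""
    magic, linktype = struct.unpack("<I16xI", data[:24])
    if magic != 0xA1B2C3D4 or linktype != 1:
        raise ValueError("expected little-endian pcap with Ethernet link type")
    hits, off = Counter(), 24
    while off + 16 <= len(data):
        incl_len = struct.unpack("<I", data[off + 8:off + 12])[0]
        hit = classify(data[off + 16:off + 16 + incl_len])
        if hit:
            hits[hit] += 1
        off += 16 + incl_len
    return hits

def make_frame(src, flags):
    """Constructed sample frame: Ethernet + 20-byte IPv4 + 20-byte TCP header."""
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 40, 0, 0, 64, 6, 0,
                     bytes(src), bytes([192, 0, 2, 1]))
    tcp = struct.pack("!HHIIBBHHH", 40000, 443, 0, 0, 0x50, flags, 1024, 0, 0)
    return b"\x00" * 12 + b"\x08\x00" + ip + tcp

def make_pcap(frames):
    out = struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, 1)
    for f in frames:
        out += struct.pack("<IIII", 0, 0, len(f), len(f)) + f
    return out

A, B = (198, 51, 100, 7), (203, 0, 113, 9)  # constructed documentation addresses
SAMPLE = make_pcap([make_frame(s, f) for s, f in (
    (A, 0), (A, 0), (A, FIN), (B, FIN | PSH | URG), (B, SYN), (B, FIN | ACK))])
```

To run it on a real capture, pass the file's bytes to `scan_pcap` in place of `SAMPLE`; the sources with the highest counts are the ones to look at first.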
Re:Solution to ER605 V1 1.3.0 Firmware Got Many Logs of "TCP no-Flag attack" Issue
2023-06-04 05:11:53

  @Hank21

Unfortunately this is a Band-Aid fix for a solution set which has hugely disappointed their user due to inferior capabilities.

I too am receiving these no flag events, however they are also coinciding with ISP speed issues.

Due to the fact I'm hardware controlled I can't port mirror and use Wireshark to collect evidence to provide to the ISP.

Not happy with TP-Link at all, I will also be moving off the platform in the near future if things don't change and improve with this solution set.

#2
Re:Solution to ER605 V1 1.3.0 Firmware Got Many Logs of "TCP no-Flag attack" Issue
2023-06-04 06:10:41

  @Hank21 

Also please note I have already enabled these settings prior to this issue appearing; this is also causing ISP speed issues.

#3
Re:Solution to ER605 V1 1.3.0 Firmware Got Many Logs of "TCP no-Flag attack" Issue
2023-10-11 15:06:34
I've disabled the Block TCP Scan (Stealth FIN/Xmas/Null) option, yet I continue to get flooded with these notifications. How can I stop them?
Controller: OC200 V1 Router: ER605 v1.0 AP: EAP610 (US) v1.0
#4
Re:Solution to ER605 V1 1.3.0 Firmware Got Many Logs of "TCP no-Flag attack" Issue
2023-10-12 01:43:47

Hi @Wild-Wanderer 

Thanks for posting in our business forum.

Wild-Wanderer wrote

I've disabled the Block TCP Scan (Stealth FIN/Xmas/Null) option, yet I continue to get flooded with these notifications. How can I stop them?

Be specific about your question. Please provide a picture of the logs and your configuration in the firewall settings. I also recommend you start a new thread to illustrate your issue.

Best Regards!
#5
Re:Solution to ER605 V1 1.3.0 Firmware Got Many Logs of "TCP no-Flag attack" Issue
2023-10-12 02:54:36

  @Clive_A I see I confused the warning messages. I am receiving "TCP SYN-and-FIN packets attack" warnings. That said, I agree with the commenter who said that disabling the protection is not the desired "solution." There should be a way to disable these specific notifications without disabling the protection. 

Controller: OC200 V1 Router: ER605 v1.0 AP: EAP610 (US) v1.0
#6
Re:Solution to ER605 V1 1.3.0 Firmware Got Many Logs of "TCP no-Flag attack" Issue
2023-10-12 03:34:43

Hi @Wild-Wanderer 

Thanks for posting in our business forum.

Wild-Wanderer wrote

  @Clive_A I see I confused the warning messages. I am receiving "TCP SYN-and-FIN packets attack" warnings. That said, I agree with the commenter who said that disabling the protection is not the desired "solution." There should be a way to disable these specific notifications without disabling the protection. 

This is not the same issue. You should start a new thread.

I am pointing you in the right direction. You are facing an issue with the SYN and FIN log that differs from the OP.

If you are worried that disabling the firewall may put your network in danger, then you should contact your ISP or keep the current firewall settings. The log is recording and telling you the facts and if you are uncomfortable with this repetitive logging, you should consider asking your ISP to change your IP address, which may be under attack. Or you should use some kind of third-party cloud service to hide or protect your IP from attacks.

Or you can disable the log from sending this. It's intuitive to find the options on the Logs page. You see the notifications and you can modify what is to be displayed in the log. This is quite customizable and intuitive.

The product you have is a generic router and it has a limit on protecting your network. We can protect you from the basic attacks but we never guarantee you that you are free from any attacks.

Best Regards!
#7