Solution Solution to ER605 V1 1.3.0 Firmware Got Many Logs of "TCP no-Flag attack" Issue
This Article Applies to: ER605 v1 _1.3.0_Build 20230511
Issue Description/Phenomenon:
Recently we noticed that some forum users were getting many "Router/Gateway detected TCP no-Flag attack and dropped x packets" warnings after updating the ER605 v1 to 1.3.0 firmware.
Related Post:
Recent TCP no-Flag attacks
Since 1.3.0 ER605 V1 gets thousands of TCP no-Flag attack
Upon further investigation, it is confirmed that ER605 v1 1.3.0 firmware now includes detection and interception capabilities for TCP no-Flag attacks from the WAN IN direction. As a result, any warnings regarding "TCP no-Flag attacks" that have appeared after the 1.3.0 update are likely originating from the WAN side, although the possibility that they may originate from the LAN side cannot be completely ruled out.
Available Solutions:
It's planned to optimize the event notification of "TCP no-Flag attack" in future iterations of the ER605 v1.
The message "TCP no-Flag attack and dropped X packets" indicates that the router's firewall is functioning properly. When the router detects a TCP packet without a flag, it discards it to prevent potential harm to the system. If you don't see this message frequently in the logs and it doesn't affect your network usage, it's probably nothing to worry about. Simply monitor it and take appropriate action if necessary.
If the logs of "TCP no-flag attack" is very frequent and you want to stop them, you may go to Settings > Network Security > Attack Defense on the controller, and disable the Block TCP Scan (Stealth FIN/Xmas/Null) option.
If you would like to figure out the source of the detected attack, you may use Wireshark to trace the attack.
The TCP no-Flag attack packet filtering rules are as follows:
-
Packets with only the FIN flag
-
Packets containing both FIN, URG, and PSH
-
Packets without any TCP flags
Note: If you use Wireshark, you need to set Port Mirroring on the router to capture packets.
Feedback:
If this was helpful, welcome to give us Kudos by clicking the upward triangle below.
If there is anything unclear in this solution post, please feel free to comment below.
To submit a new different issue, please Start a New Thread for better assistance.
Thank you for your support and contribution in TP-Link Community!