TCP No Flag attack - WAN Ping attack - TCP SYN-and-FIN packets attack

This thread has been locked for further replies. You can start a new thread to share your ideas or ask questions.

2023-06-24 00:10:45 - last edited 2023-11-09 02:24:10
Tags: #Firmware Update #Firewall
Model: ER605 (TL-R605)  
Hardware Version: V1
Firmware Version: 1.3.0 Build 20230511 Rel.51317

Hi All, 

 

Getting frustrated with the lack of interest TP-Link is displaying in relation to what I previously regarded as a much needed solution set for the marketplace. However, I am growing increasingly frustrated and annoyed watching TP-Link continue to innovate and release new products yet fail to offer timely firmware and software development cycles, instead leaving customers with a half-baked solution set. One painful response from TP-Link: "That functionality is currently only available in standalone configuration", basically acknowledging that Omada lacks the functionality to support their customers in the daily operation of their networks.

 

I recently updated the firmware for the ER605, was away from the network for a week, and returned to a very sluggish network. I performed an Ookla speedtest; from memory, I was receiving 3mbps down and 0mbps up. I opened Omada, not that I was expecting the Omada software to have tools or analytics to assist in determining where a fault may lie.

 

To my surprise Omada actually had logged a massive list of TCP No Flag Attacks starting back at the day I had upgraded the firmware. 

 

I called my ISP to discuss the speed issues and whether they were able to offer any actionable information to assist in assessing if these new event logs were indeed something that needed deeper attention or were false flags generated by a bug in firmware. The ISP asked me to kick the connection to assess whether that would resolve the speed issues. The speed issues were resolved, however they were unable to offer any further insights.

 

Upon further research it was clear I wasn't the only TP-Link Omada customer facing this issue, with posts spanning several years. A recent post from @Hank21: Solution to ER605 V1 1.3.0 Firmware Got Many Logs of "TCP no-Flag attack" Issue

 

After further investigation, it is confirmed that ER605 v1 1.3.0 firmware has added detection and interception for TCP no-Flag attacks from the WAN IN direction. So the warnings of "TCP no-Flag attack" started after 1.3.0 are probably coming from the WAN side.

 

Following this KB, I noticed I had the solution already in place. Additionally, it is only a band-aid fix and a clear display of little interest in protecting the security of their customers' networks.

 

If this kind of log is NOT frequently reported and does not affect your normal use of the network, you may just keep an eye on it, and there is no need to worry about it too much.

 

If the logs of "TCP no-flag attack" are very frequent and you want to stop them, you may go to Settings > Network Security > Attack Defense on the controller, and disable the Block TCP Scan (Stealth FIN/Xmas/Null) option.


My system had this setting enabled already, therefore I assume there is a bug in that functionality or there is a wider problem at hand. I keep reading and find yet another display of dismissal and little interest in protecting the security of their customers' networks.

 

If you would like to figure out the source of the detected attack, you may use Wireshark to trace the attack. Note: If you use Wireshark, you need to set Port Mirroring on the router to capture packets. 

 

By this time, maybe a week has passed. There is now a pattern starting to emerge between an influx of event logs and the loss of connectivity speed. I downloaded Wireshark and started identifying addresses which were commonly used on the network. I started to go through a process of elimination, shutting everything down: NAS, VM server, 3D printers, mobile devices. Unfortunately to no resolution, outside of discovering Wireshark believed the attacks were coming from home 127.0.0.1, and now going against TP-Link's investigation:

 

After further investigation, it is confirmed that ER605 v1 1.3.0 firmware has added detection and interception for TCP no-Flag attacks from the WAN IN direction. So the warnings of "TCP no-Flag attack" started after 1.3.0 are probably coming from the WAN side.

 

However, I really wanted to be certain these were internal issues, and shutting down the majority of connected devices, only leaving the laptop and home automation devices, didn't exactly give me any clearer direction.

 

Tried to find how to switch port mirroring on, only finding posts stating it couldn't be done via Omada. Frustrated a day or so went by and I stumbled across a port mirroring setting in Omada. In a bit of desperation I enabled the setting and kept an eye on the event log with no apparent impacts to the event log over a day or so. After being away from the network again for some time I opened Omada in hopes of a new firmware or toolset being available to assist with the issue. 

 

Something has changed: not only am I still primarily receiving "detected TCP no-Flag attack and dropped 1 packets.", as of Jun 12, 2023 05:19:30 am I'm now also receiving "detected WAN Ping attack from 172.93.220.21 and dropped 425 packets." and "detected TCP SYN-and-FIN packets attack and dropped 1 packets."

 

These however are far fewer and spread out compared to the TCP no-Flag. The IP addresses are also interesting as they rotate through about 4 or 5 different IP addresses and at face value appearing to be services or not for profit associations for the backbone of the internet except AWS and Vultr. Maybe the attacks are just being routed via these services... 

 

IP Addresses;

172.93.220.21 : OrgName: Nexeon Technologies, Inc.

62.113.202.75 : Organization: RIPE Network Coordination Centre (RIPE)

62.113.202.78 : Organization: RIPE Network Coordination Centre (RIPE)

172.93.222.152 : Nexeon Technologies, Inc

8.213.137.21 : Organization: Asia Pacific Network Information Centre (APNIC)

13.245.79.122 : Amazon Data Services South Africa AMAZON-CPT

103.199.18.125  : Asia Pacific Network Information Centre

45.32.187.164 : https://www.vultr.com/company

 

So then what are the next steps? 

 

 

 

NBN / ISP modem - dedicated IP

ER605 v1.0 - Firmware v 1.3.0

OC200 v2.0 - Firmware v 2.9.3 - Controller v 5.9.32

TL-SG3428 v2.0 - Firmware v 2.0.10

EAP610(US) v1.0 - Firmware v 1.0.4

TL-SG108PE - Firmware unsure not in Omada 

 

Basic implementation 

 

Wizz, Arlec, Tuya, and Shelly devices behind light and power switches, Sungrow Solar inverters x2 connected to AP on 2.5ghz IOT SSID

 

Mobile Phones / Tablets / laptops on 5ghz home ssid

 

TL-SG3428

TVs, Fibaro Home Centre 3, EAP610 via injector, TL-SG108PE, Proxmox and TrueNAS Scale.

 

Proxmox running Home Assistant (mariaDB & Influx db) llms, development environments 

 

TL-SG108PE

Laser 2D printer, SLA 3D printer. 

 

#1
Re:TCP No Flag attack - WAN Ping attack - TCP SYN-and-FIN packets attack
2023-06-24 04:21:30

  @Npallavi I am also very frustrated at the lack of support provided by TP-Link. I have the same issues with an ER605 and now an ER707-M2. What are supposed to be business grade products just seem half-baked and there are constant issues when new firmware is released. One thing gets fixed and another is broken and my guess this is through the lack of a proper testing methodology. I am at the point of just migrating my network off TP-Link altogether now because nothing is ever fixed. My ER707-M2 which is a newer router fails any GRC Stealth testing. This is basic stuff that should be working in a business grade product.

#2
Re:TCP No Flag attack - WAN Ping attack - TCP SYN-and-FIN packets attack
2023-06-27 09:21:11 - last edited 2023-06-27 09:21:30

Hello @Npallavi,

 

Thank you very much for reaching out to us and sharing all the sufficient tests you've performed in the network. We hear your concerns and would like to help.

 

I called my ISP to discuss the speed issues and whether they were able to offer any actionable information to assist in assessing if these new event logs were indeed something that needed deeper attention or were false flags generated by a bug in firmware. The ISP asked me to kick the connection to assess whether that would resolve the speed issues. The speed issues were resolved, however they were unable to offer any further insights.

 

I found that your reply on this thread mentioned that the speed drops after upgrading the ER605 firmware to the latest 1.3.0 version. Is the speed normal now?

We would like to help further if there is still an issue.

 

Npallavi wrote

IP Addresses;

172.93.220.21 : OrgName: Nexeon Technologies, Inc.

62.113.202.75 : Organization: RIPE Network Coordination Centre (RIPE)

62.113.202.78 : Organization: RIPE Network Coordination Centre (RIPE)

172.93.222.152 : Nexeon Technologies, Inc

8.213.137.21 : Organization: Asia Pacific Network Information Centre (APNIC)

13.245.79.122 : Amazon Data Services South Africa AMAZON-CPT

103.199.18.125  : Asia Pacific Network Information Centre

45.32.187.164 : https://www.vultr.com/company

 

Regarding the 'WAN Ping' or 'TCP SYN-and-FIN packets attack' logs that are detected and recorded on the router, those seem more likely to be some third-party servers from the outside internet network. As per your above description, you have various types of home automation, NAS, and TVs in the network, and they would interact with the cloud servers or service servers constantly, so those behaviors and interactions are recorded in the router logs. After discussing with the engineering team, I was informed that the router may detect the packets as outside-originated requests if the servers don't respond timely in a specific time period, and the packets' attack logs would show up. You may investigate it further by capturing the packets.

As mentioned earlier in the community, this new version of ER605 has added an optimization that records and displays all of these behaviors, which were not explicitly displayed in the previous versions. By this I mean these behaviors and interactions existed just as before you upgraded the ER605 firmware; they are just showing up explicitly now in the router logs.

 

Npallavi wrote

Tried to find how to switch port mirroring on, only finding posts stating it couldn't be done via Omada. Frustrated a day or so went by and I stumbled across a port mirroring setting in Omada. In a bit of desperation I enabled the setting and kept an eye on the event log with no apparent impacts to the event log over a day or so. After being away from the network again for some time I opened Omada in hopes of a new firmware or toolset being available to assist with the issue. 

 

As per the Port Mirroring configuration, there might be some misunderstanding. You can configure it both in Standalone Mode and Controller mode. And you can refer to the following steps to configure it in Controller Mode.

 

You may Click on the ER605 in Device List, go to Ports in the Details window, and refer to this screenshot:

 

Best Regards!
#3
Re:TCP No Flag attack - WAN Ping attack - TCP SYN-and-FIN packets attack
2023-06-27 09:42:48

Hi  @Hank21

 

Thanks for writing back to me. 

 

Regarding the log events with an IP: the concern is that for your theory to be correct I should have started to receive these "missed" pings reasonably soon after enabling port mirroring.

 

One would also have to conclude the log events with an IP would be somewhat reasonably consistent.

 

Unfortunately there is nothing consistent about this issue. It has been nearly a week since I archived my logs, since then I have only received "11" No Flag events. 

 

Then I'll go through a period of receiving "100" in a few days. 

 

It's when I receive large batches of No Flag events when bandwidth from ISP is impacted. To which the resolution is to kick the connection and wait for the ISP to re-establish my public IP. 

 

There are no trends that I have determined are impacted by my use of the network, such as downloading, backups, or setting up new services.

#4
Re:TCP No Flag attack - WAN Ping attack - TCP SYN-and-FIN packets attack
2023-06-28 08:23:08

Hello @Npallavi,

 

To better assist you, I've created a support ticket via your registered email address, and escalated it to our support engineer to look into the issue. The ticket ID is TKID230644384, please check your email box and ensure the support email is well received. Thanks!

Once the issue is addressed or resolved, welcome to update this topic thread with your solution to help others who may encounter the same issue as you did.

 

Many thanks for your great cooperation and patience!

Best Regards!
#5
Re:TCP No Flag attack - WAN Ping attack - TCP SYN-and-FIN packets attack
2023-07-26 02:05:38

  @Npallavi Were you able to resolve this? I am also receiving WAN Ping, TCP no-Flag, and SYN-and-FIN attacks like this after the 1.3.0 update from some of the IP addresses that you listed. I'm not quite sure how to begin narrowing it down and would appreciate any feedback you can provide!

#6
Re:TCP No Flag attack - WAN Ping attack - TCP SYN-and-FIN packets attack
2023-07-26 06:45:14

Hi @msgetz 

Thanks for posting in our business forum.

In recent firmware upgrades, we added this to the log system and we changed the trigger threshold. For the new firmware coming in the near future, more info will be added to the Controller system. You probably face different kinds of logs telling you about your network status.

However, I don't think you need to worry too much about this, unless you literally experience some unstable or strange network problems.

If you want to narrow down this, you gotta use Wireshark to capture the suspicious packets with the help of port mirroring. You can refer to the reply from Hank.

In your local network, any transmission contains both an IP address and a MAC address. You can use Wireshark to filter the IP address listed in the log and try to find out the MAC address of the device, which eventually can lead to you finding the devices.

Best Regards!
#7
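
Added example, not written by any poster in this thread or by TP-Link: a Python version of the check the replies suggest doing in Wireshark on a port-mirrored capture. It reads the TCP flags byte of each frame, labels the combinations named in the router log (no-flag, SYN-and-FIN) and in the Block TCP Scan option (Stealth FIN/Xmas/Null), and counts them per source IP and source MAC. The frames, addresses (documentation ranges) and function names are constructed for illustration; real input would be the raw frames exported from the capture.

```python
import struct
from collections import Counter

FIN, SYN, PSH, ACK, URG = 0x01, 0x02, 0x08, 0x10, 0x20

def classify_flags(flags):
    """Name the abnormal flag combinations the router logs; None for anything else."""
    flags &= 0x3F                                        # ignore the ECE/CWR bits
    if flags == 0:
        return "no-flag"
    if flags & SYN and flags & FIN:
        return "SYN-and-FIN"
    if flags == FIN | PSH | URG:
        return "Xmas"
    return "FIN-only" if flags == FIN else None

def inspect_frame(frame):
    """Return (label, src_ip, src_mac) for a flagged TCP/IPv4 frame, else None."""
    if len(frame) < 34 or frame[12:14] != b"\x08\x00":   # untagged Ethernet II + IPv4 only
        return None
    tcp = 14 + (frame[14] & 0x0F) * 4                    # TCP starts after the IP header
    if frame[23] != 6 or len(frame) < tcp + 14:          # IP protocol 6 = TCP
        return None
    label = classify_flags(frame[tcp + 13])              # byte 13 of the TCP header
    src_ip = ".".join(map(str, frame[26:30]))
    src_mac = ":".join(f"{b:02x}" for b in frame[6:12])
    return (label, src_ip, src_mac) if label else None

def summarize(frames):
    """Count flagged frames per (label, source IP, source MAC)."""
    return Counter(hit for hit in map(inspect_frame, frames) if hit)

def make_frame(src_mac, src_ip, dst_ip, flags):
    """Build a constructed Ethernet/IPv4/TCP test frame (checksums left at zero)."""
    eth = bytes.fromhex("020000000001" + src_mac) + b"\x08\x00"
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 40, 0, 0, 64, 6, 0,
                     bytes(map(int, src_ip.split("."))), bytes(map(int, dst_ip.split("."))))
    tcp = struct.pack("!HHIIBBHHH", 40000, 443, 0, 0, 0x50, flags, 1024, 0, 0)
    return eth + ip + tcp

SAMPLE = [  # constructed traffic, documentation address ranges, not taken from the thread
    make_frame("0200000000aa", "198.51.100.7", "192.0.2.10", 0),
    make_frame("0200000000aa", "198.51.100.7", "192.0.2.10", 0),
    make_frame("0200000000aa", "203.0.113.9", "192.0.2.10", SYN | FIN),
    make_frame("0200000000bb", "192.0.2.10", "198.51.100.7", FIN | ACK),
]

if __name__ == "__main__":
    print(*summarize(SAMPLE).most_common(), sep="\n")
```

On a capture taken on the WAN side, the source MAC of an inbound packet is the upstream gateway's, so the MAC only identifies a device when the flagged packet was sent from the LAN.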