TCP No Flag attack - WAN Ping attack - TCP SYN-and-FIN packets attack
This thread has been locked for further replies. You can start a new thread to share your ideas or ask questions.
Hi All,
Getting frustrated with the lack of interest TP-Link is displaying in relation to what I previously regarded as a much needed solution set for the marketplace. However growing increasingly frustrated and annoyed watching TP-Link continuing to innovative and release new products yet fail to offer timely firmware and software development cycles. Instead leaving customers with a half-baked solution set. One painful response from TP-Link "That functionality is currently only available in standalone configuration" basically acknowledging the Omada lacks the functionality to support their customers in the daily operation of their networks.
I recently updated the firmware for the ER605, was away from the network for a week returning to a very sluggish network. Performed Ookla speedtest from memory was receiving 3mbps down and 0mbps up. I opened Omada not that I was expecting Omada software to have tools or analytics to assist in determining where a fault may lye.
To my surprise Omada actually had logged a massive list of TCP No Flag Attacks starting back at the day I had upgraded the firmware.
I called my ISP to discuss the speed issues and if they were able to offer any actionable information to assist in assessing if these new event logs were indeed something that needed deeper attention or were false flags generated by bug in firmware. The ISP asked me to kick the connection assessing if that would resolve the speed issues. The speed issues were resolved, however they were unable to offer any further insights.
Upon further research it was clear I wasn't the only TP-Link Omada customer facing this issue with post spanning several years. A recent post from @Hank21 Solution to ER605 V1 1.3.0 Firmware Got Many Logs of "TCP no-Flag attack" Issue
After further investigation, it is confirmed that ER605 v1 1.3.0 firmware has added detection and interception for TCP no-Flag attacks from the WAN IN direction. So the warnings of "TCP no-Flag attack" started after 1.3.0 are probably coming from the WAN side.
Following this KB, I noticed I had the solution already in place. Additionally, only a bandaid fix and a clear display of little interest in protecting the security of their customers networks.
If this kind of log is NOT much frequently reported and did not affect your normal use of the network, you may just keep an eye on it, and no need to worry about it too much.
If the logs of "TCP no-flag attack" is very frequent and you want to stop them, you may go to Settings > Network Security > Attack Defense on the controller, and disable the Block TCP Scan (Stealth FIN/Xmas/Null) option.
My system had this setting enabled already therefore I assume there is a bug in that functionality or there is a wider problem at hand. I keep reading and yet another display of dismissal and little interest in protecting the security of their customers networks.
If you would like to figure out the source of the detected attack, you may use Wireshark to trace the attack. Note: If you use Wireshark, you need to set Port Mirroring on the router to capture packets.
By this time, maybe a week has passed. There is now a pattern starting to emerge between an influx of event logs and the loss of connectivity speed. I downloaded Wireshark, started identifying addresses which were commonly used on the network. I started to go through a process of elimination shutting down everything down NAS, VM server, 3D printers, Mobile devices. Unfortunately to no resolution outside of discovering Wireshark believed the attacks were coming from home 127.0.0.1 and now going against TP-Link's investigation;
After further investigation, it is confirmed that ER605 v1 1.3.0 firmware has added detection and interception for TCP no-Flag attacks from the WAN IN direction. So the warnings of "TCP no-Flag attack" started after 1.3.0 are probably coming from the WAN side.
However, I really wanted to be certain these were an internal issues and well shutting down the majority of connected devices only leaving the Laptop, and home automation devices didn't exactly give me any clearer direction.
Tried to find how to switch port mirroring on, only finding posts stating it couldn't be done via Omada. Frustrated a day or so went by and I stumbled across a port mirroring setting in Omada. In a bit of desperation I enabled the setting and kept an eye on the event log with no apparent impacts to the event log over a day or so. After being away from the network again for some time I opened Omada in hopes of a new firmware or toolset being available to assist with the issue.
Something has changed not only am I still primarily receiving "detected TCP no-Flag attack and dropped 1 packets." As of Jun 12, 2023 05:19:30 am I'm now receiving "detected WAN Ping attack from 172.93.220.21 and dropped 425 packets." and "detected TCP SYN-and-FIN packets attack and dropped 1 packets."
These however are far fewer and spread out compared to the TCP no-Flag. The IP addresses are also interesting as they rotate through about 4 or 5 different IP addresses and at face value appearing to be services or not for profit associations for the backbone of the internet except AWS and Vultr. Maybe the attacks are just being routed via these services...
IP Addresses;
172.93.220.21 : OrgName: Nexeon Technologies, Inc.
62.113.202.75 : Organization: RIPE Network Coordination Centre (RIPE)
62.113.202.78 : Organization: RIPE Network Coordination Centre (RIPE)
172.93.222.152 : Nexeon Technologies, Inc
8.213.137.21 : Organization: Asia Pacific Network Information Centre (APNIC)
13.245.79.122 : Amazon Data Services South Africa AMAZON-CPT
103.199.18.125 : Asia Pacific Network Information Centre
45.32.187.164 : https://www. vultr. com/company
So then what are the next steps?
NBN / ISP modem - dedicated IP
ER605 v1.0 - Firmware v 1.3.0
OC200 v2.0 - Firmware v 2.9.3 - Controller v 5.9.32
TL-SG3428 v2.0 - Firmware v 2.0.10
EAP610(US) v1.0 - Firmware v 1.0.4
TL-SG108PE - Firmware unsure not in Omada
Basic implementation
Wizz, Arlec, Tyua, and Shelly Devices behind light and power switches, Sungrow Solar inverters x2 connected to AP on 2.5ghz IOT SSID
Mobile Phones / Tablets / laptops on 5ghz home ssid
TL-SG3428
TVs, Fibaro Home Centre 3, EAP610 via injector, TL-SG108PE, Proxmox and TrueNAS Scale.
Proxmox running Home Assistant (mariaDB & Influx db) llms, development environments
TL-SG108PE
Laser 2D printer, SLA 3D printer.
@Npallavi I am also very frustrated at the lack of support provided by TP-Link. I have the same issues with an ER605 and now an ER707-M2. What are supposed to be business grade products just seem half-baked and there are constant issues when new firmware is released. One thing gets fixed and another is broken and my guess this is through the lack of a proper testing methodology. I am at the point of just migrating my network off TP-Link altogether now because nothing is ever fixed. My ER707-M2 which is a newer router fails any GRC Stealth testing. This is basic stuff that should be working in a business grade product. 
Hello @Npallavi,
Thank you very much for reaching out to us and sharing all the sufficient tests you've performed in the network. We hear your concerns and would like to help.
I found you're replying on this thread mentioned that the speed drops after upgrading the ER605 firmware to the latest 1.3.0 version, is the speed normal now?
We would like to help further if there is still an issue.
Regarding the 'WAN Ping' or 'TCP SYN-and-FIN packets attack' logs that are detected and recorded on the router, that seems more likely some third-party servers from the outside internet network. As per your above description, you have various types of home automation, NAS, and TVs in the network, and they would interact with the cloud servers or service servers constantly, so those behaviors and interactions are recorded in the router logs. After discussing with the engineering team, I was informed that the router may detect the packets as outside-originated requests if the servers don't respond timely in a specific time period, and the packets' attack logs would show up. You may investigate it further by capturing the packets.
As mentioned earlier in the community that this new version of ER605 has added an optimization that records and displays all of these behaviors, which was not explicitly displayed in the previous versions. By this I mean, these behaviors and interactions are existing just like before you upgrade the ER605 firmware, it's just showing up explicitly now in the router logs.
As per the Port Mirroring configuration, there might be some misunderstanding. You can configure it both in Standalone Mode and Controller mode. And you can refer to the following steps to configure it in Controller Mode.
You may Click on the ER605 in Device List, go to Ports in the Details window, and refer to this screenshot:
