TCP No Flag attack - WAN Ping attack - TCP SYN-and-FIN packets attack
Hi All,
Getting frustrated with the lack of interest TP-Link is displaying in relation to what I previously regarded as a much needed solution set for the marketplace. However, I am growing increasingly frustrated and annoyed watching TP-Link continue to innovate and release new products yet fail to offer timely firmware and software development cycles, instead leaving customers with a half-baked solution set. One painful response from TP-Link, "That functionality is currently only available in standalone configuration", basically acknowledges that Omada lacks the functionality to support their customers in the daily operation of their networks.
I recently updated the firmware for the ER605, was away from the network for a week and returned to a very sluggish network. I performed an Ookla speed test; from memory I was receiving 3 Mbps down and 0 Mbps up. I opened Omada, not that I was expecting the Omada software to have tools or analytics to assist in determining where a fault may lie.
To my surprise Omada actually had logged a massive list of TCP No Flag Attacks starting back at the day I had upgraded the firmware.
I called my ISP to discuss the speed issues and ask if they were able to offer any actionable information to help assess whether these new event logs were indeed something that needed deeper attention or were false flags generated by a bug in the firmware. The ISP asked me to kick the connection to assess if that would resolve the speed issues. The speed issues were resolved; however, they were unable to offer any further insights.
Upon further research it was clear I wasn't the only TP-Link Omada customer facing this issue, with posts spanning several years. A recent post from @Hank21: Solution to ER605 V1 1.3.0 Firmware Got Many Logs of "TCP no-Flag attack" Issue
After further investigation, it is confirmed that ER605 v1 1.3.0 firmware has added detection and interception for TCP no-Flag attacks from the WAN IN direction. So the warnings of "TCP no-Flag attack" started after 1.3.0 are probably coming from the WAN side.
Following this KB, I noticed I already had the solution in place. Additionally, it is only a band-aid fix and a clear display of little interest in protecting the security of their customers' networks.
If this kind of log is NOT reported very frequently and did not affect your normal use of the network, you may just keep an eye on it; there is no need to worry about it too much.
If the logs of "TCP no-flag attack" are very frequent and you want to stop them, you may go to Settings > Network Security > Attack Defense on the controller, and disable the Block TCP Scan (Stealth FIN/Xmas/Null) option.
My system had this setting enabled already, therefore I assume there is a bug in that functionality or there is a wider problem at hand. I keep reading, and yet another display of dismissal and little interest in protecting the security of their customers' networks.
If you would like to figure out the source of the detected attack, you may use Wireshark to trace the attack. Note: If you use Wireshark, you need to set Port Mirroring on the router to capture packets.
By this time, maybe a week had passed. There was now a pattern starting to emerge between an influx of event logs and the loss of connectivity speed. I downloaded Wireshark and started identifying addresses which were commonly used on the network. I went through a process of elimination, shutting everything down: NAS, VM server, 3D printers, mobile devices. Unfortunately, this led to no resolution, outside of discovering that Wireshark believed the attacks were coming from home, 127.0.0.1, which now goes against TP-Link's investigation:
After further investigation, it is confirmed that ER605 v1 1.3.0 firmware has added detection and interception for TCP no-Flag attacks from the WAN IN direction. So the warnings of "TCP no-Flag attack" started after 1.3.0 are probably coming from the WAN side.
However, I really wanted to be certain these were internal issues, and well, shutting down the majority of connected devices, leaving only the laptop and home automation devices, didn't exactly give me any clearer direction.
I tried to find how to switch port mirroring on, only finding posts stating it couldn't be done via Omada. Frustrated, a day or so went by and I stumbled across a port mirroring setting in Omada. In a bit of desperation I enabled the setting and kept an eye on the event log, with no apparent impact on the event log over a day or so. After being away from the network again for some time, I opened Omada in hopes of a new firmware or toolset being available to assist with the issue.
Something has changed: not only am I still primarily receiving "detected TCP no-Flag attack and dropped 1 packets.", but as of Jun 12, 2023 05:19:30 am I'm now receiving "detected WAN Ping attack from 172.93.220.21 and dropped 425 packets." and "detected TCP SYN-and-FIN packets attack and dropped 1 packets."
These, however, are far fewer and more spread out compared to the TCP no-Flag ones. The IP addresses are also interesting, as they rotate through about 4 or 5 different IP addresses and at face value appear to be services or not-for-profit associations for the backbone of the internet, except AWS and Vultr. Maybe the attacks are just being routed via these services...
IP Addresses;
172.93.220.21 : OrgName: Nexeon Technologies, Inc.
62.113.202.75 : Organization: RIPE Network Coordination Centre (RIPE)
62.113.202.78 : Organization: RIPE Network Coordination Centre (RIPE)
172.93.222.152 : Nexeon Technologies, Inc
8.213.137.21 : Organization: Asia Pacific Network Information Centre (APNIC)
13.245.79.122 : Amazon Data Services South Africa AMAZON-CPT
103.199.18.125 : Asia Pacific Network Information Centre
45.32.187.164 : https://www.vultr.com/company
So then what are the next steps?
NBN / ISP modem - dedicated IP
ER605 v1.0 - Firmware v 1.3.0
OC200 v2.0 - Firmware v 2.9.3 - Controller v 5.9.32
TL-SG3428 v2.0 - Firmware v 2.0.10
EAP610(US) v1.0 - Firmware v 1.0.4
TL-SG108PE - Firmware unsure not in Omada
Basic implementation
Wizz, Arlec, Tuya, and Shelly devices behind light and power switches, Sungrow solar inverters x2 connected to AP on 2.5ghz IoT SSID
Mobile phones / tablets / laptops on 5ghz home SSID
TL-SG3428
TVs, Fibaro Home Centre 3, EAP610 via injector, TL-SG108PE, Proxmox and TrueNAS Scale.
Proxmox running Home Assistant (MariaDB & InfluxDB), LLMs, development environments
TL-SG108PE
Laser 2D printer, SLA 3D printer.
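One way to triage these event logs before reaching for Wireshark is to parse them and total the dropped packets per attack type and per reported source, which makes the "frequent but unattributed no-Flag" versus "rare but with a WAN address" split visible at a glance. This is an added example, not TP-Link's code or anything from the Omada controller; the sample lines are constructed to match the three message formats quoted in the post, and the flag-bit classifier mirrors the categories the router names (no-Flag/null, SYN-and-FIN, and the FIN/Xmas scans mentioned in the Attack Defense setting) as an assumption about how those names map to TCP flag bits.

```python
import re
from collections import Counter
from datetime import datetime

# Constructed sample lines modelled on the Omada event messages quoted above.
# Note the no-Flag and SYN-and-FIN entries carry no source address at all.
SAMPLE_LOG = """\
Jun 12, 2023 05:19:30 am detected WAN Ping attack from 172.93.220.21 and dropped 425 packets.
Jun 12, 2023 05:20:02 am detected TCP no-Flag attack and dropped 1 packets.
Jun 12, 2023 05:21:17 am detected TCP SYN-and-FIN packets attack and dropped 1 packets.
Jun 12, 2023 05:25:41 am detected TCP no-Flag attack and dropped 1 packets.
Jun 12, 2023 06:02:09 am detected WAN Ping attack from 62.113.202.75 and dropped 12 packets.
"""

LINE_RE = re.compile(
    r"^(?P<ts>\w{3} \d{1,2}, \d{4} \d{2}:\d{2}:\d{2} [ap]m) detected "
    r"(?P<attack>.+?)(?: from (?P<src>[\d.]+))? and dropped (?P<n>\d+) packets?\.$"
)

def parse_events(text):
    """Turn Omada-style event lines into dicts; lines that do not match are skipped."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            events.append({
                "time": datetime.strptime(m["ts"], "%b %d, %Y %I:%M:%S %p"),
                "attack": m["attack"],
                "src": m["src"],          # None when the router logged no address
                "dropped": int(m["n"]),
            })
    return events

def summarize(events):
    """Dropped-packet totals per attack type, and per (type, source) where a source exists."""
    by_type, by_src = Counter(), Counter()
    for e in events:
        by_type[e["attack"]] += e["dropped"]
        if e["src"]:
            by_src[(e["attack"], e["src"])] += e["dropped"]
    return by_type, by_src

# TCP flag bits as they appear in the flags byte of a TCP header.
FIN, SYN, RST, PSH, ACK, URG = 0x01, 0x02, 0x04, 0x08, 0x10, 0x20

def classify_tcp_flags(flags):
    """Map a flags byte to the log category it would trigger (assumed mapping), else None."""
    if flags == 0:
        return "TCP no-Flag attack"                 # null scan: no flags set
    if flags & SYN and flags & FIN:
        return "TCP SYN-and-FIN packets attack"     # contradictory flags, never legitimate
    if not flags & (SYN | ACK | RST) and flags & FIN:
        return "Xmas scan" if flags & (PSH | URG) == (PSH | URG) else "Stealth FIN scan"
    return None                                     # ordinary traffic (SYN, SYN-ACK, ACK, ...)
```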