"detected WAN Ping attack from xxx.xxx.xxx.xxx"

2023-08-05 06:52:42 - last edited 2023-10-31 05:20:10
Tags: #ACL
Model: ER605 (TL-R605)  
Hardware Version: V2
Firmware Version: 2.2.0 Build 20230629 Rel.64012

I have Omada SDN 5.9.31.

Is there anything else I should do like changing the setting inside Setting > Network Security? The settings are Default from installation.

 

5 different IPs attack from WAN.

 

UPDATE on 2023-10-31:

 

New spamming IPs other than the original post IP addresses.

 

These random IPs now are from 159.138.0.1/23 and 101.44.0.1/23 and 47.236.0.1/23. They are from Huawei HongKong Clouds, HUAWEI CLOUDS and Alibaba Cloud LLC. I guess someone on my network is using Chinese techs.

 

So I had to update my Public IP and this IP address list to block these IPs from WAN constantly.

#1
Re:"detected WAN Ping attack from xxx.xxx.xxx.xxx"
2023-08-05 19:41:53

  @YuukiA 

 

Are the IP addresses internal or external? 

 

Example, internal Class C, 192.168.1.XXX.

 

I have many sites with many routers set up now. Most get this message, but with public IPs. I have 2 sites sitting behind ATT modems that can't do true bridging. They do get public IPs and proper NAT. But I see many of these alerts, with the private IP of the modem.

 

detected WAN Ping attack from 192.168.0.254  ( 0.254 is the IP of the ATT modem ).

 

So, I'm just wondering if all your "from " IPs are publics or if some are internal.

#2
Re:"detected WAN Ping attack from xxx.xxx.xxx.xxx"
2023-08-06 06:22:04

  @DaKings 

 

All external (Public IP side). From the WAN side.

#3
Re:"detected WAN Ping attack from xxx.xxx.xxx.xxx"
2023-08-07 02:32:32

Hi @YuukiA 

Thanks for posting in our business forum.

Does this have a negative effect on your network? If yes, then you should consider adding an ACL rule to block them.

Have you tried to pinpoint the source of these IP addresses? Known or unknown? Geo IP of them?

What I can tell is that someone tried to ping you, or attack you by flooding with ping. Could be DDOS.

 

The router itself can identify and block them. Unless there is a serious and negative effect on your network, you don't have to worry too much.

If you have port forwarding rules, you probably should set up authentication for your services.

A common network attack would be to ping first and, next, scan ports, and if a port is open and without any security, there is a danger that they break into your network and pose a threat.

Best Regards! If you are new to the forum, please read: Howto - A Guide to Use Forum Effectively. Read Before You Post. Look for a model? Search your model NOW Official and Beta firmware. NEW features! Subscribe for the latest update!Download Beta Here☚ ☛ ★ Configuration Guide ★ ☚ ☛ ★ Knowledge Base ★ ☚ ☛ ★ Troubleshooting ★ ☚ ● Be kind and nice. ● Stay on the topic. ● Post details. ● Search first. ● Please don't take it for granted. ● No email confidentiality should be violated. ● S/N, MAC, and your true public IP should be mosaiced.
#4
Re:"detected WAN Ping attack from xxx.xxx.xxx.xxx"
2023-08-07 13:10:23

  @Clive_A 

 

> Does this have a negative effect on your network?

Not really sure yet. But this morning at 7 AM, my ER605 v2 was completely disconnected on the system. I did not realize this until 7 PM. I rebooted the entire system from router, switch, raspberry pi, etc. And another WAN Ping attack (around 7:36 PM) is logged in my event from another unknown IP address.

 

 

---

 

 

> If yes, then you should consider adding an ACL rule to block them.

Working on it now. Looking for a guide on this right now.

 

> Have you tried to pinpoint the source of these IP addresses? Known or unknown? Geo IP of them?

All came from Amazon and U.S based country.

 

> If you have port forwarding rules, you probably should set up authentication for your services.

I do not have port forwarding on this network.

#5
Re:"detected WAN Ping attack from xxx.xxx.xxx.xxx"-Solution
2023-08-08 05:41:42 - last edited 2023-08-11 07:45:11

Hi @YuukiA

WAN IN ACL, use network group for directions. SRC is the U.S IP range and DST your WAN IP. Will it block that? No more logs?

Recommended Solution
#6
Re:"detected WAN Ping attack from xxx.xxx.xxx.xxx"
2023-08-08 10:32:43

  @Clive_A 

 

> WAN IN ACL, use network group for directions. SRC is the U.S IP range and DST your WAN IP. Will it block that? No more logs?

 

 

So in Network Security > ACL > Gateway ACL

 

Here is what I have selected.

 

The testing IP here is one of the WAN ping attackers - `52.39.209.232`

Source | IP-Group | `52.39.209.232`

Destination | IP-Group | Not really sure what you mean by WAN IP (my public IP) or Gateway Management Page...

I have over 25 unique IP address attacks so I know to put those IPs in the Source.

 

 

 

Please check if this is the proper config for this.

#7
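Added example, not part of any post in this thread and not TP-Link code: one way to turn the alert lines into the answers asked for above, namely whether each source is private or public, and a compact source list for the Gateway ACL IP group. The function names and the log timestamp layout are assumptions; only the alert text, `52.39.209.232`, `192.168.0.254` and the three /23 ranges come from the thread.

```python
import ipaddress
import re
from collections import Counter

# Constructed sample: timestamps and every address other than 52.39.209.232
# and 192.168.0.254 are made up for illustration.
SAMPLE_LOG = """\
2023-08-07 19:36:02 detected WAN Ping attack from 52.39.209.232
2023-08-07 19:40:11 detected WAN Ping attack from 52.39.209.232
2023-08-07 20:02:45 detected WAN Ping attack from 192.168.0.254
2023-10-30 03:12:09 detected WAN Ping attack from 159.138.0.17
2023-10-30 03:12:31 detected WAN Ping attack from 159.138.1.200
2023-10-30 04:55:00 detected WAN Ping attack from 101.44.0.9
2023-10-30 04:55:07 detected WAN Ping attack from 999.1.1.1
"""
# Ranges exactly as written in the first post (host bits set).
POSTED_RANGES = ("159.138.0.1/23", "101.44.0.1/23", "47.236.0.1/23")

ALERT = re.compile(r"detected WAN Ping attack from (\d{1,3}(?:\.\d{1,3}){3})")

def parse_sources(log_text):
    """Count alerts per source address, skipping strings that are not valid IPv4."""
    counts = Counter()
    for match in ALERT.finditer(log_text):
        try:
            counts[ipaddress.ip_address(match.group(1))] += 1
        except ValueError:
            continue  # e.g. 999.1.1.1
    return counts

def split_by_scope(counts):
    """Separate private sources (such as an upstream modem) from public ones."""
    private = sorted(ip for ip in counts if ip.is_private)
    public = sorted(ip for ip in counts if not ip.is_private)
    return private, public

def build_block_group(public_ips, known_ranges=()):
    """Smallest CIDR list covering the public sources plus any known ranges."""
    # strict=False normalises 159.138.0.1/23 to the network 159.138.0.0/23.
    nets = [ipaddress.ip_network(r, strict=False) for r in known_ranges]
    nets += [ipaddress.ip_network(ip) for ip in public_ips]  # single hosts, /32
    return [str(n) for n in ipaddress.collapse_addresses(nets)]

if __name__ == "__main__":
    private, public = split_by_scope(parse_sources(SAMPLE_LOG))
    print("private (upstream device):", [str(ip) for ip in private])
    print("ACL source group:", build_block_group(public, POSTED_RANGES))
```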
Re:"detected WAN Ping attack from xxx.xxx.xxx.xxx"
2023-08-09 03:48:05

Hi @YuukiA 

Yup. So, your WAN IP is a public one. So you can create a group for it and set it to DST. And then you can monitor in the next few days to see what happens.

#8
Re:"detected WAN Ping attack from xxx.xxx.xxx.xxx"
2023-08-11 07:45:03

  @Clive_A 

 

Update: I can't tell if they stopped the attacks or my ISP moved the public IP so they attacked another WAN IP, instead of just my current WAN IP.

 

I couldn't tell if the Gateway ACL is working as intended. Thanks for the help.

#9
Re:"detected WAN Ping attack from xxx.xxx.xxx.xxx"
2023-08-19 06:39:22 - last edited 2023-08-19 06:42:03

I am curious why the feature "Stop ping from WAN" (in Network Security>Attack Defense>Packet Anomaly Defense) didn't work or wasn't recommended.  Also, what would you use for that ACL rule DST if the WAN IP isn't static?

#10
Re:"detected WAN Ping attack from xxx.xxx.xxx.xxx"
2023-08-22 02:54:11

  @terapico 

> terapico wrote:
>
> I am curious why the feature "Stop ping from WAN" (in Network Security>Attack Defense>Packet Anomaly Defense) didn't work or wasn't recommended.  Also, what would you use for that ACL rule DST if the WAN IP isn't static?

block ping from wan is blocking all ping with/without any load. sometimes, you wanna test if your router is online or available on the internet, so you don't want it to be un-ping-able.

if you enable block large ping, it blocks ping with large loads. 

 

https://community.tp-link.com/en/business/forum/topic/618780

 

does your isp often change your ip address to a different subnet? you can probably set up your isp subnet as dst.

ScReW yOu gUyS. I aM GOinG hoMe. —————————————————————— For heaven's sake, can you write and describe your issue based on plain fact, common logic and a methodologic approach? Appreciate it.
#11