This Article Applies to:

 

All routers with firewall settings.

 

Background Knowledge:

Sometimes, on your Omada router or controller, you would see a warning message about the TCP (no)-Flag attack or other types of attack. To understand the warnings in your log, you should first understand how TCP/UDP and common attack works. And based on the interaction of the TCP and UDP, you'll also learn some knowledge about the TCP and UDP. Then, we introduce you to the settings we have for you to protect your network free from attack.

 

How does TCP work?

 

• TCP three-way handshake to establish a connection:

1. Step 1 (Client Request): The client sends a TCP SYN packet to the server, indicating it wants to establish a connection.

2. Step 2 (Server Response): The server receives the SYN packet, and responds with a TCP SYN-ACK packet, indicating acceptance of the connection request.

3. Step 3 (Client Acknowledgment): The client acknowledges the server's response by sending an ACK packet, completing the handshake, and establishing the connection.

 

• TCP four-way handshake to disconnect:

1. Step 1 (Client Initiates): The client sends a TCP FIN packet to start closing the connection.

2. Step 2 (Server Acknowledges): The server acknowledges the client's request with an ACK packet.

3. Step 3 (Server Initiates): Once the server is ready to close, it sends its own TCP FIN packet.

4. Step 4 (Client Acknowledges): The client acknowledges the server's request with an ACK packet, completing the disconnect process.

 

From a security perspective, how can we use these interaction processes to attack TCP when we imagine ourselves as attackers? Possible attack methods include the following categories:

 

1. Flood attacks, such as sending massive SYN, ACK, FIN, or RST packets to the target, occupy the system resources of the target and make it unable to provide normal services. Flood attack is not limited to TCP, UDP, and ICMP can also be used for network attack.

 

2. Connection depletion attacks, such as no longer sending packets to maintain the connection after completing three handshakes with the target, or immediately sending FIN or RST packets, and quickly initiating new connections after disconnecting, consume TCP connection resources.

(Example below is also a typical stealth scan)

 

3. Abnormal packet type attacks, such as setting all flag bits in TCP packets to 1 or 0, and setting both SYN and FIN flag bits to 1, may cause the target system to crash if these abnormal packets do not comply with the TCP protocol specifications.

As this is kind of hard to capture in the test environment, and it usually appears on the WAN. What I can share is that you can use the Wireshark filter lines which help you analyze your network:

tcp.flags.syn == 1 and tcp.flags.fin == 1
Or

tcp.flags.syn == 1 and tcp.flags.rst == 1 or both equal to 0. The filter is not limited to this.

You want to particularly pay attention to this marked area on your Wireshark.

 

How does UDP work?

 

When talking about SYN Flood, we know that the TCP protocol is a connection-oriented transport protocol. But the UDP protocol is different from the TCP protocol, UDP is a connectionless protocol. Before using the UDP protocol to transmit data, no connection is established between the client and the server. If data is lost during the transmission from the client to the server, the protocol itself cannot make any detection or prompt. Therefore, people usually refer to the UDP protocol as an unreliable transmission protocol.

It is the widespread application of the UDP protocol that provides a platform for attackers to launch UDP Flood attacks. UDP Flood is a bandwidth attack. Attackers send a large number of UDP packets to the target server through the botnet. Such UDP packets are usually large packets and the rate is very fast. They usually cause the following hazards:

1. Consumes network bandwidth resources and causes link congestion in severe cases.
2. A large number of UDP Floods with variable sources and ports will cause performance degradation and even exhaustion of sessions on network devices that rely on session forwarding, resulting in network paralysis.

 

Diagnostics and Advice:

 

 

1. Use Wireshark and port mirroring to enable you to have further insight into your network security. 

 

Search and download Wireshark from its official website. Follow the instruction on installation. After that, you may follow the guide on How to capture packets using Wireshark on SMB router or switch.

Mirror your WAN port(Mirrored) to your computer's port(Mirroring) so that your computer can capture the traffic flowing through the WAN.

Then it is highly recommended you analyze your network traffic with filters and the source IP address showed up in your router's log.

 

It is worth noting that seeing a list of logs with some attacks recorded does not mean your network is under attack.

 

2. Enable Attack Defense settings - Flood Defense and Packet Anomaly Defense.

 

You can enable them to protect your network from attacks.  The router is capable of blocking some types of abnormal connections and attacks.

 

Flood Defense

• Multi-Connections TCP SYN Flood: With this feature enabled, the gateway limits the rate of receiving TCP SYN packets from all the clients to the specified rate. A TCP SYN flood attack occurs when the attacker sends the target system with a succession of SYN (synchronize) requests. When the system responds, the attacker does not complete the connections, thus leaving the connection half-open and flooding the system with SYN messages. No legitimate connections can then be made.
• Multi-Connections UDP Flood: With this feature enabled, the gateway limits the rate of receiving UDP packets from all the clients to the specified rate. A UDP flood attack occurs when the attacker sends a large number of UDP packets to a target host in a short time, the target host is busy with these UDP packets and cannot process normal services.
• Multi-Connections ICMP Flood: With this feature enabled, the gateway limits the rate of receiving ICMP packets from all the clients to the specified rate. An ICMP flood occurs when an attacker sends many ICMP Echo messages to the target device, and the target device is busy with these Echo messages and cannot process other data packets. Therefore, normal services are affected.
• Stationary Source TCP SYN Flood: With this feature enabled, the gateway limits the rate of receiving TCP SYN packets from a single client to the specified rate. A TCP SYN flood attack occurs when the attacker sends the target system with a succession of SYN (synchronize) requests. When the system responds, the attacker does not complete the connections, thus leaving the connection half-open and flooding the system with SYN messages. No legitimate connections can then be made.
• Stationary Source UDP Flood: With this feature enabled, the gateway limits the rate of receiving UDP packets from a single client to the specified rate. A UDP flood attack occurs when the attacker sends a large number of UDP packets to a target host in a short time, the target host is busy with these UDP packets and cannot process normal services.
• Stationary Source ICMP Flood: With this feature enabled, the gateway limits the rate of receiving ICMP packets from a single client to the specified rate. An ICMP flood occurs when an attacker sends many ICMP Echo messages to the target device, and the target device is busy with these Echo messages and cannot process other data packets. Therefore, normal services are affected.

Packet Anomaly Defense

• Block Fragment Traffic: With this option enabled, the fragmented packets without the first part of the packet will be discarded.
• Block TCP Scan (Stealth FIN/Xmas/Null): With this option enabled, the gateway will block the anomalous packets in the following attack scenarios:
  • Stealth FIN Scan:The attacker sends the illegal packet with its FIN field set to 1. The FIN field is used to request disconnection.
  • Xmas Scan: The attacker sends the illegal packet with its TCP index, FIN, URG and PSH field set to 1.
  • Null Scan: The attacker sends the illegal packet with its TCP index and all the control fields set to 0. During the TCP connection and data transmission, the packets with all control fields set to 0 are considered illegal.
• Block TCP Scan with RST: When enabled, the gateway will not respond to RST packets.
• Block Ping of Death: With this option enabled, the gateway will block abnormal ping packets which are larger than 65535 bytes to avoid system crash.
• Block Large Ping: With this option enabled, the router will block the ping packets which are larger than 4000 bytes to protect the system from Large Ping attack.
• Block Ping from WAN: With this option enabled, the router will block the ICMP request from WAN.
• Block WinNuke Attack: With this option enabled, the router will block WinNuke attacks. WinNuke attack refers to a remote DoS (denial-of-service) attack that affects some Windows operating systems, such as the Windows 95. The attacker sends a string of OOB (Out of Band) data to the target computer.
• Block TCP Packets with SYN and FIN Bits Set: With this option enabled, the router will filter the TCP packets with both SYN Bit and FIN Bit set
• Block TCP Packets with FIN Bit but No ACK Bit Set: With this option enabled, the router will filter the TCP packets with FIN Bit set but without ACK Bit set.
• Block Packets with Specified Options: With this option enabled, the router will filter the packets with specified IP options, you can choose the following options based on needs: Security Option, Loose Source Route Option, Strict Source Route Option, Record Route Option, Stream Option, Timestamp Option, and No Operation Option.

 

3. Contact your ISP to change your IP address.

 

If your IP address is exposed and under serious attack, you may contact your ISP to change another IP address for you.

 

 

4. Seek help from a professional network security provider like CloudFlare.

 

Get help from security providers as they can hide your IP address and DDoS protection. Most will charge you a different amount of fee for the protection.

 

Q&A:

 

Q1: Why do I see this "Router/Gateway detected TCP no-Flag attack and dropped x packets" in my router or controller log? 

A1: The current log mechanism is that regardless of WAN or LAN interface, as long as there is a packet match with the packet abnormality, it'll trigger the defense and the router will block it. Yet, this does not affect your network security. If you find the IP addresses are from your LAN, you can rest assured as your network is safe. This should be a false alarm.

For this phenomenon, you should not worry about this if your network is unaffected. Unless you experience an unstable Internet connection and frequent disconnection from the Internet. At the same time, there are tons of logs of attacks recorded reflecting different types of attacks. This could mean that your network is under attack. We will talk about the steps to troubleshoot and address this as well later in this thread.

 

Q2: If I enable settings under Attack Defense, does it mean my network is free from any attacks?

A2: The Omada routers' built-in firewall and attack defense may not block all types of attacks. We built the most basic attack defense in order to protect your daily network use. And certain flood defense is parameter-based instead of AI-based or dynamic optimized. We cannot guarantee you professional network usage would not be affected at all. If your application scenario is critical, please consider seeking help from a professional network security provider for extra protection and features.

 

Q3: What can I do to make my Internet in full stealth when someone scans my ports?

A3: Stealth scan is common when someone starts an attack on your network. Especially, when you have a port forward your network, you want to remain fully stealth on the Internet.

For this kind of attack, refer to the TCP attack categories 2. Connection depletion attacks and understand how it works.

There are three ways to respond to a request in TCP/IP. Receive and Reject. But there is one special way - Drop. [External Link]The ShieldsUP! Forum FAQ

 

Receive:

For example, I got a SYN-ACK from the server which is a Receive.

 

And the client actively disconnects.

 

Reject:

 

Drop:

 

Usually, if you want to remain stealthy on the Internet, you should Drop the packet from the client. Instead of responding to the TCP with an RST to disconnect the attacker's port scan, the router directly Drops the request.

You have to make sure the Block TCP Scan with RST is disabled (you can find it at Firewall > Attack Defense) to get full stealth results.

[Solution] - Omada Gateway Cannot Get Full Stealth On The GRC ShieldsUp Test. [Case Closed]

 

Update Logs:

 

Jan 11th, 2024:

Update the format.

Add Recommended Threads.

 

Recommended Threads:

 

TCP SYN Packet Attack After the Firmware Upgrade

Omada Gateway Cannot Get Full Stealth On The GRC ShieldsUp Test. [Case Closed]

 

 

Feedback:

 

• If this was helpful, welcome to give us Kudos by clicking the upward triangle below.
• If there is anything unclear in this solution post, please feel free to comment below.

 

Thank you for your support and contribution to TP-Link Community!

 

------------------------------------------------------------------------------------------------

Have other off-topic issues to report? 

Welcome to > Start a New Thread < and elaborate on the issue for assistance.