Router Omada Detected TCP SYN packets attack and dropped xxx packets every 10 minutes, 24/7

This thread has been locked for further replies. You can start a new thread to share your ideas or ask questions.
12

Router Omada Detected TCP SYN packets attack and dropped xxx packets every 10 minutes, 24/7

This thread has been locked for further replies. You can start a new thread to share your ideas or ask questions.
Router Omada Detected TCP SYN packets attack and dropped xxx packets every 10 minutes, 24/7
Router Omada Detected TCP SYN packets attack and dropped xxx packets every 10 minutes, 24/7
2023-10-31 07:38:11 - last edited 2024-01-04 09:25:44
Model: ER605 (TL-R605)  
Hardware Version: V2
Firmware Version: 2.2.0 Build 20230629 Rel.64012
I have a system consisting of an ER605 router, a TL-SG2008 switch and an EAP610 AP, all with an omada controller software version 5.12.7, and every 10 minutes I receive a notification: "Router Omada Detected TCP SYN packets attack and dropped xxx packages." How can I solve this problem?
Omada Hardware Controller OC200 1.0: FW: 1.31.3 Router : ER706W v1.0 : FW : 1.1.2 Switch : TL-SG2008 V4_4.20.0 and TL-SG108E V5_20191021 AP: EAP610 V3_1.4.3 and TL-WA801N V6_200116
  3      
  3      
#1
Options
1 Accepted Solution
Re:Router Omada Detected TCP SYN packets attack and dropped xxx packets every 10 minutes, 24/7-Solution
2024-01-04 08:30:33 - last edited 2024-01-04 09:25:44

To anyone who's looking at this,

To fix this issue, set the Block TCP scan with RST disabled.

Best Regards! If you are new to the forum, please read: Howto - A Guide to Use Forum Effectively. Read Before You Post. Look for a model? Search your model NOW Official and Beta firmware. NEW features! Subscribe for the latest update!Download Beta Here☚ ☛ ★ Configuration Guide ★ ☚ ☛ ★ Knowledge Base ★ ☚ ☛ ★ Troubleshooting ★ ☚ ● Be kind and nice. ● Stay on the topic. ● Post details. ● Search first. ● Please don't take it for granted. ● No email confidentiality should be violated. ● S/N, MAC, and your true public IP should be mosaiced.
Recommended Solution
  5  
  5  
#15
Options
17 Reply
Re:Router Omada Detected TCP SYN packets attack and dropped xxx packets every 10 minutes, 24/7
2023-10-31 08:46:07 - last edited 2024-01-04 09:24:54

Hi @Sadiqus 

Thanks for posting in our business forum.

We got something to prepare before we dig into this.

So you can take a look at this thread to learn about the ACL. https://community.tp-link.com/en/business/forum/topic/617732

If possible, I'd recommend you upgrade your firmware to the V2.1.5 beta, you can find it in the pinned thread.

 

This looks like an attack from the WAN. So, I got a question is your Internet affected?

If your Internet is affected, we will need to find the IP address of the attacker and block it. So, that'll use the first link.

Then try the latest firmware and see if the log can show the IP address. If it cannot display the attacker's IP, we gotta use Wireshark to find it out and add it to the ACL block.

How to capture packets using Wireshark on SMB router or switch

How to Use Port Mirror to Capture Packets in the Controller

 

Best Regards! If you are new to the forum, please read: Howto - A Guide to Use Forum Effectively. Read Before You Post. Look for a model? Search your model NOW Official and Beta firmware. NEW features! Subscribe for the latest update!Download Beta Here☚ ☛ ★ Configuration Guide ★ ☚ ☛ ★ Knowledge Base ★ ☚ ☛ ★ Troubleshooting ★ ☚ ● Be kind and nice. ● Stay on the topic. ● Post details. ● Search first. ● Please don't take it for granted. ● No email confidentiality should be violated. ● S/N, MAC, and your true public IP should be mosaiced.
  0  
  0  
#2
Options
Re:Router Omada Detected TCP SYN packets attack and dropped xxx packets every 10 minutes, 24/7
2023-10-31 11:43:37 - last edited 2023-10-31 11:50:26

  hello @Clive_A , fortunately it does not affect my internet connectivity, unfortunately I cannot upgrade to the beta version due to the fact that the controller firmware is 5.12.7, and the beta version is for the controller with firmware 5.11 ... I noticed that there is the version this: ER605 V2_2.2.2 Official Firmware (Released on Oct 18th, 2023) and I have 2.2.0.

 

Is it safe to try to put the beta firmware on the 5.12.7 controller?

 

My controller is software, in a docker container, I hope this is not a problem.

 

 

Below are some print screens of my internet speed, apparently it is not affected in any way.

 

Omada Hardware Controller OC200 1.0: FW: 1.31.3 Router : ER706W v1.0 : FW : 1.1.2 Switch : TL-SG2008 V4_4.20.0 and TL-SG108E V5_20191021 AP: EAP610 V3_1.4.3 and TL-WA801N V6_200116
  0  
  0  
#3
Options
Re:Router Omada Detected TCP SYN packets attack and dropped xxx packets every 10 minutes, 24/7
2023-11-01 01:28:13 - last edited 2024-01-04 09:24:58

Hi @Sadiqus 

Thanks for posting in our business forum.

Sadiqus wrote

  hello @Clive_A , fortunately it does not affect my internet connectivity, unfortunately I cannot upgrade to the beta version due to the fact that the controller firmware is 5.12.7, and the beta version is for the controller with firmware 5.11 ... I noticed that there is the version this: ER605 V2_2.2.2 Official Firmware (Released on Oct 18th, 2023) and I have 2.2.0.

 

Is it safe to try to put the beta firmware on the 5.12.7 controller?

 

My controller is software, in a docker container, I hope this is not a problem.

 

 

Below are some print screens of my internet speed, apparently it is not affected in any way.

 

If possible, I still recommend you take a look at your network to find out what the device is. But it's your network and it's your choice.

 

The firmware does not have any negative impact if you use it for lower adaptation.

The attack should be sent to the router. The router blocks and reports it. Usually, it is from the WAN. This log will continue to show with the current setting or you can disable the notification in the log settings.

 

Uncheck all of them. You should be free from the attack log.

Best Regards! If you are new to the forum, please read: Howto - A Guide to Use Forum Effectively. Read Before You Post. Look for a model? Search your model NOW Official and Beta firmware. NEW features! Subscribe for the latest update!Download Beta Here☚ ☛ ★ Configuration Guide ★ ☚ ☛ ★ Knowledge Base ★ ☚ ☛ ★ Troubleshooting ★ ☚ ● Be kind and nice. ● Stay on the topic. ● Post details. ● Search first. ● Please don't take it for granted. ● No email confidentiality should be violated. ● S/N, MAC, and your true public IP should be mosaiced.
  0  
  0  
#4
Options
Re:Router Omada Detected TCP SYN packets attack and dropped xxx packets every 10 minutes, 24/7
2023-11-01 07:58:30

  @Clive_A 

 

I looked in my network, and there are no problems, I tend to think that the attack is still from outside, but it doesn't show me that IP so I can block it. 
I have 2 internet providers, I have to see which of them the attack is coming from. 
The option with Gateway Detected Attack unchecked works perfectly.
Omada Hardware Controller OC200 1.0: FW: 1.31.3 Router : ER706W v1.0 : FW : 1.1.2 Switch : TL-SG2008 V4_4.20.0 and TL-SG108E V5_20191021 AP: EAP610 V3_1.4.3 and TL-WA801N V6_200116
  0  
  0  
#5
Options
Re:Router Omada Detected TCP SYN packets attack and dropped xxx packets every 10 minutes, 24/7
2023-11-01 08:26:02

  @Sadiqus 

 

routers are attacked all the time, to limit it you can create a location group and include all countries, create a router acl with location group and WAN IN
if you need access from certain countries, you can exclude these from the group.

 

 

  0  
  0  
#6
Options
Re:Router Omada Detected TCP SYN packets attack and dropped xxx packets every 10 minutes, 24/7
2023-11-01 08:46:44

  @MR.S

I can't do that, behind the router I have a few servers that need to be accessed from anywhere. Some websites, web pages, etc.  

Omada Hardware Controller OC200 1.0: FW: 1.31.3 Router : ER706W v1.0 : FW : 1.1.2 Switch : TL-SG2008 V4_4.20.0 and TL-SG108E V5_20191021 AP: EAP610 V3_1.4.3 and TL-WA801N V6_200116
  0  
  0  
#7
Options
Re:Router Omada Detected TCP SYN packets attack and dropped xxx packets every 10 minutes, 24/7
2023-11-02 01:08:25

Hi @Sadiqus 

Thanks for posting in our business forum.

Sadiqus wrote

  @MR.S

I can't do that, behind the router I have a few servers that need to be accessed from anywhere. Some websites, web pages, etc.  

This is the downside if you host websites or other stuff. You also face the risk of being attacked. Usually, the home users would not experience such an issue. If they expose the port, that might happen because open ports can be exploited if you do not set proper security for that.

 

I would do the following to find it out:

1. Unplug one of the WANs to identify which ISP is under attack.

2. Port Mirroring and Wireshark to find out the constant access of the device.

3. Set up the ACL or the Geo block by identifying the IP belonging.

Best Regards! If you are new to the forum, please read: Howto - A Guide to Use Forum Effectively. Read Before You Post. Look for a model? Search your model NOW Official and Beta firmware. NEW features! Subscribe for the latest update!Download Beta Here☚ ☛ ★ Configuration Guide ★ ☚ ☛ ★ Knowledge Base ★ ☚ ☛ ★ Troubleshooting ★ ☚ ● Be kind and nice. ● Stay on the topic. ● Post details. ● Search first. ● Please don't take it for granted. ● No email confidentiality should be violated. ● S/N, MAC, and your true public IP should be mosaiced.
  0  
  0  
#8
Options
Re:Router Omada Detected TCP SYN packets attack and dropped xxx packets every 10 minutes, 24/7
2023-11-02 07:22:59

  @Clive_A 

 

To make it easier to understand, my configuration is as follows: I have 2 internet providers, and behind the router I have 5 vlans :

1. Administration vlan,

2. IoT Vlan,

3. Home vlan,

4. Guest Home vlan

5. free wifi vlan as guest.

 

So in the admin network I have 2 physical servers that have docker containers. To be more precise, there are 18 sites on one physical server and 6 sites on the other physical server, all in docker containers, of which only one site goes to the Internet on my real IP through an nginx reverse proxy, the rest of 23 sites are made through proxies through cloudflare. I specify the fact that I own an FQDN domain. 

The only ports I forward on the router are 80 and 443 + 2 other ports for VPN connection through Wireguard (each port for a different ISP).

The main ISP is a 1 GBps up/down fiber connection, the other ISP is a VDSL of 70 Mbps down and 23 Mbps UP, which is only for backup and through which the IoT vlan and the FreeWifi vlan come out to the Internet.

 

If you say that it wouldn't be a problem to downgrade to the V2.1.5 beta version, on my V5.12.7 controller, I would also try this in the hope that maybe it will show me the IP/IPs that are attacking me as to be able to block them.

 

Thank you very much for your help

Omada Hardware Controller OC200 1.0: FW: 1.31.3 Router : ER706W v1.0 : FW : 1.1.2 Switch : TL-SG2008 V4_4.20.0 and TL-SG108E V5_20191021 AP: EAP610 V3_1.4.3 and TL-WA801N V6_200116
  0  
  0  
#9
Options
Re:Router Omada Detected TCP SYN packets attack and dropped xxx packets every 10 minutes, 24/7
2023-12-16 17:29:43

  @Sadiqus 

 

I am having the same issue. I don't believe it's a hack. It's every 10 minutes getting these alerts. I'm not being notified as i turned off the Gateway Detected Attack alert. I also have dual wan, but one of my wan is failover only. Started getting these alerts after upgrading to firmware 2.2.2 on er605 v2. 

  3  
  3  
#10
Options
Re:Router Omada Detected TCP SYN packets attack and dropped xxx packets every 10 minutes, 24/7
2023-12-16 19:59:36

 In the meantime I upgraded to V2.2.2, but the problem is still. I also shut down one of the physical servers. 

Omada Hardware Controller OC200 1.0: FW: 1.31.3 Router : ER706W v1.0 : FW : 1.1.2 Switch : TL-SG2008 V4_4.20.0 and TL-SG108E V5_20191021 AP: EAP610 V3_1.4.3 and TL-WA801N V6_200116
  0  
  0  
#11
Options