Router Omada Detected TCP SYN packets attack and dropped xxx packets every 10 minutes, 24/7

This thread has been locked for further replies. You can start a new thread to share your ideas or ask questions.
Re:Router Omada Detected TCP SYN packets attack and dropped xxx packets every 10 minutes, 24/7
2023-12-25 03:54:40

  @Sadiqus I have ER605 v2 and I just "upgraded" from 2.1.2 to 2.2.3 and now I have the same issue, Router Detected TCP SYN packets attack and dropped xxx packets every 10 minutes. 

At least it seems to have fixed the "ping attacks" from all of my Ring cameras. 1 step forward, 2 steps back.

#12
Re:Router Omada Detected TCP SYN packets attack and dropped xxx packets every 10 minutes, 24/7
2023-12-31 04:53:50

  @Clive_A I've also had the same alerts since updating my router firmware. Router is ER7206 V1 firmware 1.4.0, and I'm not running any external servers but do have DynDNS.  I've turned off TCP SYN Flood attack detection, and have tried it on with the threshold at 1000, with no change in detection.  The alerts started exactly 10 minutes after the firmware update.  These are very unlikely real attacks, as it has been going for weeks.  Is there a way to release the WAN address with the ISP DHCP to force a new IP address?  This might help identify if there are actual attacks to the IP address.

#13
Re:Router Omada Detected TCP SYN packets attack and dropped xxx packets every 10 minutes, 24/7
2024-01-02 08:21:44

  @JoeSea

JoeSea wrote

  @Clive_A I've also had the same alerts since updating my router firmware. Router is ER7206 V1 firmware 1.4.0, and I'm not running any external servers but do have DynDNS.  I've turned off TCP SYN Flood attack detection, and have tried it on with the threshold at 1000, with no change in detection.  The alerts started exactly 10 minutes after the firmware update.  These are very unlikely real attacks, as it has been going for weeks.  Is there a way to release the WAN address with the ISP DHCP to force a new IP address?  This might help identify if there are actual attacks to the IP address.

So I accidentally closed the tab where I had typed a lot. I will not go into detail about this.

So you look for solutions; you have two. Either turn off the notification in the log, but it still happens, or you can use Wireshark to find out. Those are the two solutions for this thread.

 

I have explained this but no one seems to listen. This indeed might be a false alarm. No one cares to learn about the reason behind it. I hope to see people improve their troubleshooting and network skills from the forum but they just ask and wait for the answers.

When we didn't have this feature before, they asked for it because it looks pro. When we added it, they panicked and freaked out for answers. The system should record what happened for debugging or troubleshooting, and that is the reason why we add more and more features and minor details to enhance the system overall.

 

We renew the IP if it is time to renew. There is no option to guarantee a new IP yet. You might reboot so it requests a new IP address or you manually disconnect and connect from the web UI.

If the ISP still assigns the same IP to you, you should feel lucky. People ask for static IP even if they use dynamic IP as the connection type.

#14
Re:Router Omada Detected TCP SYN packets attack and dropped xxx packets every 10 minutes, 24/7-Solution
2024-01-04 08:30:33 - last edited 2024-01-04 09:25:44

To anyone who's looking at this,

To fix this issue, set the Block TCP scan with RST disabled.

Recommended Solution
#15
Re:Router Omada Detected TCP SYN packets attack and dropped xxx packets every 10 minutes, 24/7
2024-01-04 09:20:44

Clive_A wrote

To anyone who's looking at this,

To fix this issue, set the Block TCP scan with RST disabled.

 

Apparently it's a good solution.

Omada Software Controller : V 5.13.22 Router : ER605 V2.2.3 Switch : TL-SG2008 V4_4.20.0 and TL-SG108E V5_20191021 AP: EAP610 V3_1.4.3 and TL-WA801N V6_200116
#16
Re:Router Omada Detected TCP SYN packets attack and dropped xxx packets every 10 minutes, 24/7
2024-01-05 13:50:55 - last edited 2024-01-05 14:31:23

  @Sadiqus 

 

Apart from the SYN attacks keep coming.

edit: no it works, still would like to know what caused it though.

 

#17
Re:Router Omada Detected TCP SYN packets attack and dropped xxx packets every 10 minutes, 24/7
2024-01-05 17:08:41

  @j1979 

 

Apparently

What is TCP scan with RST? TCP Connect Scan

 

If the port is open, the target will send back a TCP SYN-ACK packet, indicating a willingness to establish a connection. The scanner then sends a TCP RST packet to close the connection. If the port is closed, the target will send back a TCP RST packet, indicating a refusal to connect.

 

What caused....?! I don't know, maybe in the future we get an answer!

#18
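Added example, not part of any post in this thread: one way to read a capture taken with Wireshark, as suggested above, to tell scan-like traffic from ordinary connections. It classifies each SYN-initiated flow by how the handshake ended (completed, refused with RST, reset after SYN-ACK, or unanswered) and lists sources whose unfinished flows span several ports. The column layout, the `min_ports` threshold and the sample packets are constructed assumptions.

```python
from collections import defaultdict

SYN, RST, ACK = 0x02, 0x04, 0x10

# Constructed sample (documentation addresses, not real hosts).
# Columns: time, src, sport, dst, dport, TCP flags in hex (assumed layout).
SAMPLE = """\
0.00 198.51.100.7 40001 192.0.2.10 22 0x002
0.01 192.0.2.10 22 198.51.100.7 40001 0x012
0.02 198.51.100.7 40001 192.0.2.10 22 0x004
0.10 198.51.100.7 40002 192.0.2.10 23 0x002
0.11 192.0.2.10 23 198.51.100.7 40002 0x014
0.20 198.51.100.7 40003 192.0.2.10 80 0x002
1.00 203.0.113.5 51000 192.0.2.10 443 0x002
1.01 192.0.2.10 443 203.0.113.5 51000 0x012
1.02 203.0.113.5 51000 192.0.2.10 443 0x010
"""

def classify(text):
    """Return {(src, sport, dst, dport): outcome} for each SYN-initiated flow."""
    flows = {}
    for line in text.splitlines():
        _, src, sport, dst, dport, flags = line.split()
        f = int(flags, 16)
        fwd, rev = (src, sport, dst, dport), (dst, dport, src, sport)
        if f & SYN and not f & ACK:
            flows.setdefault(fwd, "unanswered")   # initial SYN (or a retransmit)
        elif flows.get(rev) == "unanswered":      # first reply from the target
            if f & SYN and f & ACK:
                flows[rev] = "syn-ack"            # port open, handshake pending
            elif f & RST:
                flows[rev] = "refused"            # port closed
        elif flows.get(fwd) == "syn-ack":         # initiator's next packet
            flows[fwd] = "reset-after-syn-ack" if f & RST else "completed"
    return flows

def scan_suspects(flows, min_ports=3):
    """Sources whose never-completed flows touch at least min_ports ports."""
    ports = defaultdict(set)
    for (src, _, _, dport), outcome in flows.items():
        if outcome != "completed":
            ports[src].add(dport)
    return {s: sorted(p, key=int) for s, p in ports.items() if len(p) >= min_ports}

if __name__ == "__main__":
    print(scan_suspects(classify(SAMPLE)))
```

A source that appears here with many ports and no completed handshakes is worth a closer look; a log entry with no matching pattern in the capture points toward a false alarm.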