TCP SYN packets attack
I understand this topic has been brought up multiple times re: the "TCP SYN packets attack" reoccurring at 10 minute intervals. I also understand that firmware updates have improved the ability of the device to recognize and report such events. The purpose of my post is to provide information from my attempts to sort out the specific cause of this reporting in my environment.
We have an OC200, ER7206 v1.0, TL-SG2008P v1.0, SG3428 v2.3, EAP115(US) v4.0 and two EAP620 HD(US) v3.0. All firmware current except the EAP620s which are on v1.2.3 (but soon to be on 1.2.5).
We installed Wireshark on a local PC and configured a LAN port on the ER7206 for port mirroring.
The IP address of our OC200 is 10.X.X.80 and the IP address of the Wireshark PC is 10.X.X.81.
Wireshark was setup to filter for "tcp:flags.reset==1".
Screenshots from January 4, 2024, beginning 10:28AM local time, and immediately after clearing all alerts and starting a new capture in Wireshark.
>>Controller Logs - Alerts
>> Wireshark capture
Screenshots from January 4, 2024, at 10:54AM local time.
>>Controller Logs - Alerts
>> Wireshark capture
Assuming I have Wireshark setup correctly for filtering (will readily admit I use it very little), I'm surprised the only packets I see captured are between the OC200 and the Wireshark PC. It also seems to me there is more than a strong correlation between the time of attack detection as reported in the OC200 log as compared to the captured packets at the Wireshark PC.
I turned off the "Block TCP Scan with RST" as suggested in this post: https://community.tp-link.com/en/business/forum/topic/637224?page=1.
And logging of the "attack" stopped while the RST captures continued in Wireshark.
I would certainly welcome any input or feedback.
Thanks!
Carl
- Copy Link
- Subscribe
- Bookmark
- Report Inappropriate Content
Hi @clangren
Thanks for posting in our business forum.
Solution - TCP SYN Packet Attack After the Firmware Upgrade
I don't know if you port mirroring for this. So, I think it is not the same thing that was talked about in the TCP attack.
You are capturing the packets between the OC200 and your PC, what would it relate to the router under attack?
This RST is not your PC checking the router ingress or egress, so that does not make a question because it is wrong in the first place.
RST is also common and when you do a 443 access. It continued and is normal to me.
- Copy Link
- Report Inappropriate Content
Thank you for your response and input, much appreciated.
I am focused on trying to identify what was triggering the logged entries for TCP-SYN "attack".
Based on reading several other posts on the forum (https://community.tp-link.com/en/business/forum/topic/637224; https://community.tp-link.com/en/business/forum/topic/636216; and this new one https://community.tp-link.com/en/business/forum/topic/649386 ) it seems logical to conclude that trapping for RSTs could lead directly to the activity which is triggering the logged "attack".
From your response:
>> I don't know if you port mirroring for this.
>>>> I did have port mirroring configured. The OC200 (on MGMT vlan) was connected directly to the ER7206 on port LAN2 (port 6) with the PVID of my MGMT vlan. The port selected for mirroring was the WAN (port 2) and Mirror Mode was set to Ingress and Egress. I think this propagates a mirror of all WAN packets onto the MGMT vlan. The Wireshark report is from the MGMT vlan and filtered for "tcp:flags.reset==1". If any of those settings are incorrect I would welcome your input for correcting the settings.
>> So, I think it is not the same thing that was talked about in the TCP attack.
>>>> I believe the settings as noted above should capture all RST responses to any incoming packets which were originating from either 1)the WAN or 2)the MGMT vlan.
>> You are capturing the packets between the OC200 and your PC, what would it relate to the router under attack?
>>>> I believe you are saying packets between the OC200 and my PC should not relate to generating a reported log event for the router being under attack and I certainly agree with that assertion.
>>This RST is not your PC checking the router ingress or egress, so that does not make a question because it is wrong in the first place.
>>>> The only RST which were seen by Wireshark were not originating from the WAN. However, if my setup was correct, Wireshark was seeing all RST responses to the WAN or MGMT vlan. The RST seen by Wireshark were between the OC200 and the Wireshark PC, so if those local RST were the only RST which were occurring then they shound not trigger a log entry. As expected, the log entries which were recurring every 10 minutes did stop when RST in Attack Defense was disabled. However, if the only RST which were occurring were internal then turning off reporting for this event just hides the error in reporting.
In any event, it seems better from a security perspective to have the RST response off.
What might be more beneficial from a security perspecitve is to be able to log when the ER7206 would have sent an RST in response to a WAN packet but did not because RST response was diabled in Attack Defense.
Again, thanks for your time and input.
Carl
- Copy Link
- Report Inappropriate Content
Hi @clangren
Thanks for posting in our business forum.
clangren wrote
Thank you for your response and input, much appreciated.
I am focused on trying to identify what was triggering the logged entries for TCP-SYN "attack".
Based on reading several other posts on the forum (https://community.tp-link.com/en/business/forum/topic/637224; https://community.tp-link.com/en/business/forum/topic/636216; and this new one https://community.tp-link.com/en/business/forum/topic/649386 ) it seems logical to conclude that trapping for RSTs could lead directly to the activity which is triggering the logged "attack".
From your response:
>> I don't know if you port mirroring for this.
>>>> I did have port mirroring configured. The OC200 (on MGMT vlan) was connected directly to the ER7206 on port LAN2 (port 6) with the PVID of my MGMT vlan. The port selected for mirroring was the WAN (port 2) and Mirror Mode was set to Ingress and Egress. I think this propagates a mirror of all WAN packets onto the MGMT vlan. The Wireshark report is from the MGMT vlan and filtered for "tcp:flags.reset==1". If any of those settings are incorrect I would welcome your input for correcting the settings.
>> So, I think it is not the same thing that was talked about in the TCP attack.
>>>> I believe the settings as noted above should capture all RST responses to any incoming packets which were originating from either 1)the WAN or 2)the MGMT vlan.
>> You are capturing the packets between the OC200 and your PC, what would it relate to the router under attack?
>>>> I believe you are saying packets between the OC200 and my PC should not relate to generating a reported log event for the router being under attack and I certainly agree with that assertion.
>>This RST is not your PC checking the router ingress or egress, so that does not make a question because it is wrong in the first place.
>>>> The only RST which were seen by Wireshark were not originating from the WAN. However, if my setup was correct, Wireshark was seeing all RST responses to the WAN or MGMT vlan. The RST seen by Wireshark were between the OC200 and the Wireshark PC, so if those local RST were the only RST which were occurring then they shound not trigger a log entry. As expected, the log entries which were recurring every 10 minutes did stop when RST in Attack Defense was disabled. However, if the only RST which were occurring were internal then turning off reporting for this event just hides the error in reporting.
In any event, it seems better from a security perspective to have the RST response off.
What might be more beneficial from a security perspecitve is to be able to log when the ER7206 would have sent an RST in response to a WAN packet but did not because RST response was diabled in Attack Defense.
Again, thanks for your time and input.
Carl
I checked this with the dev and that RST response is off by default. So, it seems that people did not read what it means and just blindly enabled all the defense parameters.
About your suggestion for that log, you might wanna take it to the solution post I replied to earlier and see how others think this.
Most users are not that sophisticated to read and understand what logs mean. In recent firmware upgrades, we have added many features and many are very confused about them. Especially the log system which has been added with some more detailed records.
- Copy Link
- Report Inappropriate Content
Thanks for your reply.
The improvements in logging are certainly appreciated and improve our ability to understand what's going on in our networks.
There is still an open point for which I would like a response. It is highlighted in red below.
>>This RST is not your PC checking the router ingress or egress, so that does not make a question because it is wrong in the first place.
>>>> The only RST which were seen by Wireshark were not originating from the WAN. However, if my setup was correct, Wireshark was seeing all RST responses to the WAN or MGMT vlan. The RST seen by Wireshark were between the OC200 and the Wireshark PC, so if those local RST were the only RST which were occurring then they shound not trigger a log entry. As expected, the log entries which were recurring every 10 minutes did stop when RST in Attack Defense was disabled. However, if the only RST which were occurring were internal then turning off reporting for this event just hides the error in reporting.
I concur with this quote from your previous response.
RST is also common and when you do a 443 access. It continued and is normal to me.
Therefore, to reduce it to a question: Given RST is common during 443 access, why are internal RST triggering a log entry in the context of security?
Perhaps I am not thinking correctly, in the context of security our primary concern is when a RST is triggered from a WAN packet only?
Thanks,
Carl
- Copy Link
- Report Inappropriate Content
I looked at your posts and could not identify the specific reference.
Would you please let me know the post to which you are referring below?
About your suggestion for that log, you might wanna take it to the solution post I replied to earlier and see how others think this.
Thanks,
Carl
- Copy Link
- Report Inappropriate Content
Information
Helpful: 0
Views: 466
Replies: 5
Voters 0
No one has voted for it yet.