TCP SYN attack, ACL, Cloudflare

This thread has been locked for further replies. You can start a new thread to share your ideas or ask questions.

2024-01-04 22:17:36
Model: ER605 (TL-R605)  
Hardware Version: V2
Firmware Version: 2.2.3

Hello,

so I have been getting these TCP SYN log messages for over a year now. I have read some guides on using Wireshark but couldn't figure it out.

https://community.tp-link.com/en/business/kb/detail/412708

Not sure what it's explaining in step 5) Test verification. I assume it's Wireshark he's using here, but it doesn't say, so either the guide assumes you already know how to use Wireshark or it's incomplete. And what is meant by PC (controller)? Just a PC with Wireshark? Anyway, I don't have an Ethernet device other than a bunch of SBCs, so I'm not messing around trying to install Wireshark in Docker, and the pictures, from what I can see, only show local DHCP addresses. Anyway, I gave up and just decided to block all incoming from the WAN.


ER605v2 Detected TCP SYN packets attack and dropped 281 packets.
Jan 04, 2024 09:54:05 pm

ER605v2 Detected TCP SYN packets attack and dropped 282 packets.
Jan 04, 2024 09:44:03 pm

ER605v2 Detected TCP SYN packets attack and dropped 247 packets.
Jan 04, 2024 09:33:54 pm

ER605v2 Detected TCP SYN packets attack and dropped 276 packets.
Jan 04, 2024 09:23:52 pm


So I added 2 ACL rules.

screenshot of ACL rules

Rule 1: I only permitted the source from Cloudflare and destination to all IPs.

Rule 2: I denied all locations with a location group with all countries added.

My Cloudflare self-hosted site is working fine, but I'm still getting the TCP SYN attacks every 10 mins, and in the firewall rules I have the following:

firewall rules

Maybe I made a mistake in my ACL logic, but the main thing that bothers me is why the IP addresses are not automatically logged for the TCP SYN attacks.

I have WAF settings at Cloudflare that only allow 2 countries to visit via the domain URL, so it's very puzzling to me. I spent almost 400 euros on the Omada setup and basic things like logging an IP are missing. If I could see the IP then I could have solved this over a year ago; maybe it's coming from Cloudflare and the router is misreporting it, but I don't want to take out a PhD in Wireshark to find out. I paid 400 euros; these features should be obligatory at this price range.

Sorry for the rant, but if I could go back 2 years knowing what I know now, I don't think I would consider the same purchases, and would not have gone down the Omada path.

#1
Re:TCP SYN attack, ACL, Cloudflare
2024-01-05 12:49:00

SYN packet attacks are still coming in every 10 mins; DHCP lease is still renewing every 5 mins.

So after testing this for the last 24 hours, checking the WAF on Cloudflare and checking every IP address there, discounting them as IP addresses that are authorized, only one of 4 conclusions can be drawn:

1. I have not correctly added the ACL rules to block all incoming WAN connections.

2. The router / ACL does not work as intended and does not block incoming connections.

3. The router does not work as intended and reports normal activity as TCP SYN attacks.

4. An internal device is causing this.

So I decided to close all connections with WAN in ACL and close the Cloudflare WAF to all connections, and the SYN TCP attacks are still happening, so it looks like an internal device in my network. So I can ban or power them off one by one and test from here. If I end up testing all devices and still get TCP SYN then it's either my bad configuring or TP-Link need to look into why me and others are getting this issue.

#2
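The thread narrows the cause by timing rather than by source IP, since the ER605 log never shows one. The script below is an added example (not from the thread, TP-Link or Omada) that parses the two-line log format quoted above, measures the gap between detections and labels a near-constant gap as timer-driven, which is the signature of a scheduled sender inside the LAN rather than a bursty flood from the Internet; the log lines are a constructed sample copied from the post, and the assumption that each dropped-packet count covers the window before its timestamp is flagged in the code.

```python
import re
from statistics import median
from datetime import datetime

# Constructed sample in the two-line ER605 format seen in the thread
# (message line, then its timestamp line); values taken from the post.
SAMPLE_LOG = """\
ER605v2 Detected TCP SYN packets attack and dropped 281 packets.
Jan 04, 2024 09:54:05 pm
ER605v2 Detected TCP SYN packets attack and dropped 282 packets.
Jan 04, 2024 09:44:03 pm
ER605v2 Detected TCP SYN packets attack and dropped 247 packets.
Jan 04, 2024 09:33:54 pm
ER605v2 Detected TCP SYN packets attack and dropped 276 packets.
Jan 04, 2024 09:23:52 pm
"""

MSG_RE = re.compile(r"Detected TCP SYN packets attack and dropped (\d+) packets")
TS_FMT = "%b %d, %Y %I:%M:%S %p"  # matches "Jan 04, 2024 09:54:05 pm"


def parse_events(text):
    """Return [(timestamp, dropped_packets)] sorted oldest-first."""
    lines = [ln.strip() for ln in text.splitlines() if ln.strip()]
    events = []
    for msg, ts in zip(lines[0::2], lines[1::2]):
        m = MSG_RE.search(msg)
        if m:
            events.append((datetime.strptime(ts, TS_FMT), int(m.group(1))))
    return sorted(events)


def gaps_seconds(events):
    """Seconds elapsed between consecutive detections."""
    return [(b[0] - a[0]).total_seconds() for a, b in zip(events, events[1:])]


def classify(events, tolerance=0.05):
    """'periodic' if every gap is within `tolerance` of the median gap (a
    timer-driven source), else 'irregular'; also median gap and packets/s."""
    gaps = gaps_seconds(events)
    if len(gaps) < 2:
        return "insufficient", None, None
    med = median(gaps)
    periodic = all(abs(g - med) <= tolerance * med for g in gaps)
    # Assumption: each count covers the window before its own timestamp.
    rate = sum(n for _, n in events[1:]) / sum(gaps)
    return ("periodic" if periodic else "irregular"), med, round(rate, 2)
```

On the sample the gaps are 602, 609 and 602 seconds and the average rate is under half a packet per second, which supports the poster's "every 10 mins" observation and the internal-device hypothesis rather than a flood.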
Re:TCP SYN attack, ACL, Cloudflare
2024-04-29 15:46:31

@j1979

Turned out to be

PersistentKeepalive = 25

in my WireGuard conf files. Now sorted after removing that line.

#3