TCP SYN attack, ACL, Cloudflare
Hello,
So I have been getting these TCP SYN log messages for over a year now. I have read some guides on using Wireshark but couldn't figure it out.
https://community.tp-link.com/en/business/kb/detail/412708
Not sure what it's explaining in step 5) Test verification. I assume it's Wireshark he's using here, but it doesn't say; either the guide assumes you already know how to use Wireshark or it's incomplete. And what is meant by PC (controller)? Just a PC with Wireshark? Anyway, I don't have an Ethernet device other than a bunch of SBCs, so I'm not messing around trying to install Wireshark in Docker, and the pictures, from what I can see, only show local DHCP addresses. Anyway, I gave up and just decided to block all incoming from the WAN.
ER605v2 Detected TCP SYN packets attack and dropped 281 packets. | Jan 04, 2024 09:54:05 pm
ER605v2 Detected TCP SYN packets attack and dropped 282 packets. | Jan 04, 2024 09:44:03 pm
ER605v2 Detected TCP SYN packets attack and dropped 247 packets. | Jan 04, 2024 09:33:54 pm
ER605v2 Detected TCP SYN packets attack and dropped 276 packets. | Jan 04, 2024 09:23:52 pm
So I added 2 ACL rules.
Rule 1: I only permitted the source from Cloudflare and destination to all IPs.
Rule 2: I denied all locations with a location group with all countries added.
My Cloudflare self-hosted site is working fine, but I'm still getting the TCP SYN attacks every 10 mins, and in the firewall rules I have the following
Maybe I made a mistake in my ACL logic, but the main thing that bothers me is: why are the IP addresses not automatically logged for the TCP SYN attacks?
I have WAF settings at Cloudflare that only allow 2 countries to visit via the domain URL, so it's very puzzling to me. I spent almost 400 euros on the Omada setup, and basic things like logging an IP are missing. If I could see the IP, I could have solved this over a year ago; maybe it's coming from Cloudflare and the router is misreporting it, but I don't want to take out a PhD in Wireshark to find out. I paid 400 euros; these features should be obligatory at this price range.
Sorry for the rant, but if I could go back 2 years knowing what I know now, I don't think I would consider the same purchases, and I would not have gone down the Omada path.
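As an added example (not part of the original post, and not TP-Link's or Cloudflare's code), here is a small Python script that does two things the post does by hand: it evaluates a source address against the two ACL rules as the post states them (rule 1 permits Cloudflare sources to any destination, rule 2 denies everything else, first match wins), and it parses the router's SYN-attack log entries to total the dropped packets and measure the gap between detections. Assumptions: the Cloudflare range list is a snapshot of https://www.cloudflare.com/ips-v4 and must be refreshed before use; the log text is constructed from the entries quoted above; first-match ordering is an assumption about how the two rules were placed, not a statement about how the ER605 evaluates ACLs.

```python
from __future__ import annotations

import ipaddress
import re
from datetime import datetime

# Assumption: a snapshot of Cloudflare's published IPv4 ranges taken from
# https://www.cloudflare.com/ips-v4. Refresh it before relying on it; an ACL
# built from a stale copy silently denies new Cloudflare edges. Cloudflare
# also publishes https://www.cloudflare.com/ips-v6, which is NOT included here,
# so Cloudflare edges reaching the site over IPv6 would fall through to rule 2.
CLOUDFLARE_V4 = [
    "173.245.48.0/20", "103.21.244.0/22", "103.22.200.0/22", "103.31.4.0/22",
    "141.101.64.0/18", "108.162.192.0/18", "190.93.240.0/20", "188.114.96.0/20",
    "197.234.240.0/22", "198.41.128.0/17", "162.158.0.0/15", "104.16.0.0/13",
    "104.24.0.0/14", "172.64.0.0/13", "131.0.72.0/22",
]
CF_NETS = [ipaddress.ip_network(cidr) for cidr in CLOUDFLARE_V4]


def acl_decision(src_ip: str) -> tuple[str, int]:
    """First-match evaluation of the two WAN-side rules as the post describes them.

    Rule 1: permit if the source is inside a Cloudflare IPv4 range (any destination).
    Rule 2: deny everything else (the 'all countries' location group).
    Returns (action, number of the rule that matched).
    """
    ip = ipaddress.ip_address(src_ip)
    if ip.version == 4 and any(ip in net for net in CF_NETS):
        return "permit", 1
    return "deny", 2


# Matches one Omada log entry in the layout quoted in the post:
# "<message> dropped N packets. | Mon DD, YYYY HH:MM:SS am/pm"
LOG_RE = re.compile(
    r"ER605v2 Detected TCP SYN packets attack and dropped (?P<dropped>\d+) packets\."
    r"\s*\|?\s*(?P<ts>[A-Z][a-z]{2} \d{2}, \d{4} \d{2}:\d{2}:\d{2} [AaPp][Mm])"
)


def parse_syn_log(text: str) -> list[tuple[datetime, int]]:
    """Extract (timestamp, dropped_packets) pairs from SYN-attack log lines,
    in the order they appear (the router lists newest first)."""
    entries = []
    for m in LOG_RE.finditer(text):
        ts = datetime.strptime(m.group("ts"), "%b %d, %Y %I:%M:%S %p")
        entries.append((ts, int(m.group("dropped"))))
    return entries


def summarize(entries: list[tuple[datetime, int]]) -> dict:
    """Total dropped packets and the gaps in seconds between consecutive
    detections (oldest to newest), so the cadence can be read off exactly
    instead of eyeballed as 'every 10 mins'."""
    ordered = sorted(entries)
    gaps = [int((b[0] - a[0]).total_seconds()) for a, b in zip(ordered, ordered[1:])]
    return {
        "events": len(ordered),
        "dropped": sum(dropped for _, dropped in ordered),
        "gaps_s": gaps,
    }


# Constructed sample: the four entries quoted in the post, one per line.
SAMPLE_LOG = """\
ER605v2 Detected TCP SYN packets attack and dropped 281 packets. | Jan 04, 2024 09:54:05 pm
ER605v2 Detected TCP SYN packets attack and dropped 282 packets. | Jan 04, 2024 09:44:03 pm
ER605v2 Detected TCP SYN packets attack and dropped 247 packets. | Jan 04, 2024 09:33:54 pm
ER605v2 Detected TCP SYN packets attack and dropped 276 packets. | Jan 04, 2024 09:23:52 pm
"""

if __name__ == "__main__":
    # 104.16.1.1 sits inside 104.16.0.0/13; 198.51.100.7 is documentation space.
    for src in ("104.16.1.1", "198.51.100.7"):
        print(src, acl_decision(src))
    print(summarize(parse_syn_log(SAMPLE_LOG)))
```

Two caveats worth keeping in mind when reading the output: the allowlist above covers IPv4 only, so any Cloudflare edge connecting over IPv6 is denied by rule 2 unless the ips-v6 list is added as well; and the ACL simulation only says what the rules would do to a given source, it cannot tell you where the dropped SYNs came from, which is the question the post is actually asking.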