Recent TCP no-Flag attacks

This thread has been locked for further replies. You can start a new thread to share your ideas or ask questions.
12

Recent TCP no-Flag attacks

This thread has been locked for further replies. You can start a new thread to share your ideas or ask questions.
17 Reply
Re:Recent TCP no-Flag attacks
2023-05-30 20:43:44

  @sl9999 

 

According to the email I received from support - and as was mentioned earlier in this thread, the router does not currently have the capability to indicate the IP source (internal or external).  They, therefore, suggest that we use Wireshark to capture packets to determine the source. To do this, we need to connect a PC to the router and set port mirroring on the router to capture packets.  For details, on how to do this we can refer to https://www.tp-link.com/en/support/faq/3235/.   They also said that "the mirrored port selects the wan port and the port connected to the router and switch at the same time".  That's unclear to me, but I'm sure they'll tell me about that when they respond.

 

I have been playing with Wireshark, but I'm not very knowledgeable at this point.  So, I responded that, according to the linked instructions, it appeared that I needed to do the above with the TL-R605's built-in UI (and not the OC200's).  If I read that correctly, I'd have to make the OC200 'forget' the router first.  I may have read the instructions incorrectly, but I'm sure they'll let me know about that too.

 

 

(1) TL-R605 v1.0 Router/Gateway (1) OC200 v1.0 Controller (1) TL-SG2210P v3.20 POE Switch (2) TL-SG2218 v1.0 POE Switch (3) EAP245 v3.0 Access Point (1) EAP225-Outdoor v1.0 Access Point
  0  
  0  
#12
Options
Re:Recent TCP no-Flag attacks
2023-05-30 20:55:28

  @lflorack 

Thanks for the detailed answer.

Very complicated indeed. 

I'd rather don't want to mess with my working configuration (forget OC200, R605 built-in UI,...)

Some people say not to worry because the firewall does the job but i'm not comfortable with that approach.

It's also rather strange that the same problem occurs at the same moment with different people.

  0  
  0  
#13
Options
Re:Recent TCP no-Flag attacks
2023-05-31 02:18:24

  @sl9999 

A quick clarification update:  Support responded and it turns out that you do not need to have the OC200 forget the router.  The port mirroring needed can be done through the OC200 to the router.  However, the PC or laptop with Wireshark loaded on it must be connected directly to an open LAN port on the router.  

 

With that in mind, I'll read the rest of the instructions at https://www.tp-link.com/en/support/faq/3235/ tomorrow.

(1) TL-R605 v1.0 Router/Gateway (1) OC200 v1.0 Controller (1) TL-SG2210P v3.20 POE Switch (2) TL-SG2218 v1.0 POE Switch (3) EAP245 v3.0 Access Point (1) EAP225-Outdoor v1.0 Access Point
  0  
  0  
#14
Options
Re:Recent TCP no-Flag attacks
2023-05-31 02:23:23

Hi @lflorack

 

That's great! Please feel free to reply to the support email for further follow-up.

Best Regards! >> Omada EAP Firmware Trial Available Here << >> Get the Latest Omada SDN Controller Releases Here << *Try filtering posts on each forum by Label of [Early Access]*
  0  
  0  
#15
Options
Re:Recent TCP no-Flag attacks-Solution
2023-06-02 10:08:00 - last edited 2023-06-02 10:08:04

Hi All,

 

Please follow the post below for the available solution:

Solution to ER605 V1 1.3.0 Firmware Got Many Logs of "TCP no-Flag attack" Issue

Best Regards! >> Omada EAP Firmware Trial Available Here << >> Get the Latest Omada SDN Controller Releases Here << *Try filtering posts on each forum by Label of [Early Access]*
Recommended Solution
  0  
  0  
#17
Options
Re:Recent TCP no-Flag attacks
2023-06-02 12:15:38 - last edited 2023-06-03 14:30:18

  @Hank21 

 

Although it's great that the support engineers found that the issue reported here and elsewhere, is that the log recognition mechanism was changed in version 1.3.0 - and that it will be corrected in the next version of the ER605 firmware, I don't think that temporarily disabling the "Block TCP Scan (Stealth FIN/Xmas/Null)" defense option is a sound resolution.  As I understand it, turning this option off defeats the actual defense mechanism and does not just turn off the log warnings.  It would then permit any real attacks of this type to be allowed into my system - not at all an optimal solution.  So, I will leave my settings as they are and try to ignore the excessive and incorrect warnings until the firmware is fixed.  If a beta or pre-release firmware version that addresses this issue safely and correctly is released prior to the next official firmware version, please let me know so that I can more safely address this issue.

(1) TL-R605 v1.0 Router/Gateway (1) OC200 v1.0 Controller (1) TL-SG2210P v3.20 POE Switch (2) TL-SG2218 v1.0 POE Switch (3) EAP245 v3.0 Access Point (1) EAP225-Outdoor v1.0 Access Point
  1  
  1  
#18
Options
Re:Recent TCP no-Flag attacks
2023-06-05 02:14:35

Hi @lflorack,

 

Thanks for your valuable feedback.

You may subscribe to this thread, it will be updated once the Beta/Official firmware of the router is released.

Best Regards! >> Omada EAP Firmware Trial Available Here << >> Get the Latest Omada SDN Controller Releases Here << *Try filtering posts on each forum by Label of [Early Access]*
  0  
  0  
#19
Options
Related Articles