Abnormal TCP flag attack detected (ZyWALL USG20W)

whisper1
This message appears in the log a few times a day; the device connected to the IP address is an Apple iPod Touch. ADP is disabled, so I'm not sure which part of the ZyWALL is generating the message. Every time the message appears it corresponds to the iPod not being able to connect to the internet. Anyone know how to prevent the ZyWALL blocking this type of traffic? A quick search on Google shows that a few other ZyWALL users have experienced the same problem without any real resolution. Thanks.

I just observed the same message. In my case it was my VoIP ATA (OBi100) as a source and Comcast's DNS server as a destination. I have a USG50.

Gork to whisper1
I checked my log to find I have the same error sparsely littered throughout. The last four all came from 74.206.235.92 (registered to logoworks2.webair.com - Webair Internet Development out of NY state) to my WAN IP address. A quick read of www.symantec.com/connect ··· -packets leads me to believe this is not a setting you can change (at least via the web interface) in the router. My guess is that if a packet has an illegal combination of TCP flags the router always drops it, and for whatever reason logs it as well. But the one thing which makes me ponder the validity of my theory is the question as to why an iPod would be sending out packets with illegal combinations of TCP flags... I'll watch this thread and see if someone smarter knows for sure what's going on.
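To make the "illegal combination of TCP flags" idea concrete, here is an added example (not from the thread and not Zyxel's code) that parses the flag byte out of raw TCP headers and applies the stateless checks most firewalls use: no control flags at all (NULL), FIN+PSH+URG with no ACK (XMAS), SYN together with FIN or RST, and FIN/PSH/URG with no ACK. The ZyWALL's actual rule list is not published, so this rule set is an assumption, and the sample segments are constructed test data rather than captured packets.

```python
import struct

# TCP control bits in header byte 13 (RFC 793 / RFC 3168).
FLAG_BITS = {"FIN": 0x01, "SYN": 0x02, "RST": 0x04, "PSH": 0x08,
             "ACK": 0x10, "URG": 0x20, "ECE": 0x40, "CWR": 0x80}
CONTROL = {"FIN", "SYN", "RST", "PSH", "ACK", "URG"}


def build_tcp_header(src_port, dst_port, flags, seq=0, ack=0, window=65535):
    """Build a minimal 20-byte TCP header with the given flag names.
    Constructed test data only: checksum and urgent pointer are left at 0."""
    bits = 0
    for name in flags:
        bits |= FLAG_BITS[name]
    data_offset = 5 << 4            # 5 x 32-bit words, no options
    return struct.pack("!HHIIBBHHH", src_port, dst_port, seq, ack,
                       data_offset, bits, window, 0, 0)


def parse_tcp_flags(segment):
    """Return the set of flag names set in a raw TCP segment (header first)."""
    if len(segment) < 20:
        raise ValueError("truncated TCP header")
    bits = segment[13]
    return frozenset(name for name, bit in FLAG_BITS.items() if bits & bit)


def abnormal_reason(flags):
    """Return why a flag combination is abnormal, or None if it is legitimate.
    Assumption: these are the common stateless checks (NULL, XMAS, SYN+FIN,
    SYN+RST, FIN/PSH/URG with no ACK); the ZyWALL's own rule list is not public."""
    f = set(flags)
    if not f & CONTROL:
        return "no control flags set (NULL pattern)"
    if "SYN" in f and "FIN" in f:
        return "SYN and FIN set together"
    if "SYN" in f and "RST" in f:
        return "SYN and RST set together"
    if "ACK" not in f and "SYN" not in f:
        if {"FIN", "PSH", "URG"} <= f:
            return "FIN, PSH and URG set without ACK (XMAS pattern)"
        if "FIN" in f:
            return "FIN set without ACK"
        if f & {"PSH", "URG"}:
            return "PSH or URG set without ACK"
    return None


def classify_segments(segments):
    """Classify each raw segment; returns a list of (flags, reason) tuples."""
    results = []
    for seg in segments:
        flags = parse_tcp_flags(seg)
        results.append((flags, abnormal_reason(flags)))
    return results


def format_alert(index, src, dst, reason):
    """Render a firewall-style log line using the same wording as the thread's alert."""
    return (f"{index} {src} {dst} alert firewall ACCESS BLOCK "
            f"abnormal TCP flag attack detected ({reason}), DROP")


# Constructed sample segments: the first four are ordinary traffic, the rest
# are the combinations a stateless flag check is meant to catch.
SAMPLE_SEGMENTS = [
    build_tcp_header(50000, 443, ["SYN"]),
    build_tcp_header(443, 50000, ["SYN", "ACK"]),
    build_tcp_header(50000, 443, ["PSH", "ACK"]),
    build_tcp_header(50000, 443, ["FIN", "ACK"]),
    build_tcp_header(50000, 443, []),
    build_tcp_header(50000, 443, ["FIN", "PSH", "URG"]),
    build_tcp_header(50000, 443, ["SYN", "FIN"]),
    build_tcp_header(50000, 443, ["SYN", "RST"]),
    build_tcp_header(50000, 443, ["FIN"]),
]


def count_abnormal(segments=SAMPLE_SEGMENTS):
    """Number of sample segments a stateless flag check would drop and log."""
    return sum(1 for _, reason in classify_segments(segments) if reason)


if __name__ == "__main__":
    for i, (flags, reason) in enumerate(classify_segments(SAMPLE_SEGMENTS), 1):
        label = "+".join(sorted(flags)) or "(none)"
        if reason:
            # Addresses below are placeholders, not hosts from the thread.
            print(format_alert(i, "192.168.1.50", "203.0.113.10", reason), "flags:", label)
        else:
            print(f"{i} flags {label}: normal")
```

Running it prints one ACCESS BLOCK line for each of the five malformed samples and "normal" for the four ordinary ones. Note that this kind of check is purely per-packet; a stateful inspection engine can additionally flag a packet whose flags are legal in isolation but wrong for the current connection state (for example a lone ACK with no matching session), which is one reason a sniffer on the wire may not see anything obviously wrong with a packet the firewall still drops.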

Anav, 2012-Nov-2 8:59 am
said by Gork: I checked my log to find I have the same error sparsely littered throughout. The last four all came from 74.206.235.92 (registered to logoworks2.webair.com - Webair Internet Development out of NY state) to my WAN IP address. A quick read of www.symantec.com/connect ··· -packets leads me to believe this is not a setting you can change (at least via the web interface) in the router. My guess is that if a packet has an illegal combination of TCP flags the router always drops it, and for whatever reason logs it as well. But the one thing which makes me ponder the validity of my theory is the question as to why an iPod would be sending out packets with illegal combinations of TCP flags... I'll watch this thread and see if someone smarter knows for sure what's going on.
You called? Obviously these Mickey Mouse smallish devices are running apps that are not thoroughly developed. The Zyxel recognizes their inferior quality and burps out their infantile attempts at networking.

Anav,
I did think about that as a possibility, but was wondering whether the TCP packets are created at the app level. Doesn't that take place at an OS level, somewhat below what the app developer has available to them (generally speaking)? I don't have a lot of apps: one fairly mature home automation app, a home maintenance app and a few others, but they are all at least a few years into the development cycle. If it's worth a shot I could try uninstalling them one by one.

Anav, 2012-Nov-2 9:56 am
Wondering if that happens on all routers, but unless they can log, or one views the log, it may not be widely known? Surely it has to be a common occurrence if it is device (not router) related.

Brano, 2012-Nov-2 11:02 am
"Abnormal TCP flag attack detected" ... I see those too on occasion. Mainly from the WAN side.

In my case it results in the connection to the iPod Touch being blocked for a certain time. Any of you experience this? I guess you may not know, if it's from the WAN side.
A search on Google shows it's happening on various models of the Zyxel products. Could be a Zyxel issue? I guess the next step is tech support.

Hank to Brano, 2012-Nov-2 11:20 am
said by Brano: "Abnormal TCP flag attack detected" ... I see those too on occasion. Mainly from the WAN side.
I also see "Abnormal TCP flag attack detected" a couple to three times a week, but on the WAN side. Talk about timing, here is an alert I received while posting the above:

No.  Date/Time            Source         Destination  Priority  Category  Note          Message
1    2012-11-02 10:38:26  74.206.235.92  74.xx.xx.x   alert     firewall  ACCESS BLOCK  abnormal TCP flag attack detected, DROP

FWIW, I changed the DNS to OpenDNS and no more alerts about Abnormal TCP flags. The DNS was previously set to 192.168.1.1.

to whisper1
Hi.
It could be a good idea to hook up a hub with a PC to sniff the packets with Wireshark, to determine if the "abnormality" resides in the packet itself or if it's only abnormal when seen by SPI.
Regards.

dnoyeB to whisper1
I'm getting this every time I access my Obi110 on 192.168.2.2 from my desktop at 192.168.0.3.
The Obi110 web interface works fine until the packets have to pass through the USG. Then the USG gets upset...
Wireshark is flagging frames as well when this happens, labeling them as suspected retransmissions. Also, most frame lengths in the communication are 60 bytes. The ones complained about are over 180 bytes and some even 600 bytes.
I suppose I can live with this. It just means using the web interface will be a pain. Or I can temporarily connect my computer to the switch port giving me direct access to that subnet, thus removing the USG from the equation.

Or in the switch you could give the VLAN your computer is on access to the VLAN this Obi110 device is on.
kirby

dnoyeB, 2012-Dec-8 12:31 pm
said by Kirby Smith: Or in the switch you could give the VLAN your computer is on access to the VLAN this Obi110 device is on.
kirby
Wouldn't matter. Even if they were on the same segment, being in different subnets means the data will still have to go through the router.

With my Cisco switch, devices on VLAN1 can also be members of other VLANs so that the VLAN traffic can be monitored. Maybe that is too unique a capability to be a good suggestion for other switches.
kirby

dnoyeB to whisper1
I see what you are saying now. I would be concerned. In that case, the Obi device will hit two ports on the router that both belong to the same subnet. I suspect every device in the subnet would then get each Obi message twice. Well, every message except the problem message that is not transmitted even once...