whisper1

join:2007-11-28
Schomberg, ON

Abnormal TCP flag attack detected

ZyWALL USG20W

This message appears in the log a few times a day, the device connected to the IP address is an Apple iPod Touch. ADP is disabled so I'm not sure which part of the ZyWALL is generating the message.
Every time the message appears it corresponds to the iPod not being able to connect to the internet.

Anyone know how to prevent the ZyWALL blocking this type of traffic? A quick search on Google shows that a few other ZyWALL users have experienced the same problem without any real resolution.

Thanks.


lacibaci

join:2000-04-10
Export, PA
I just observed the same message. In my case it was my VOIP ATA (OBi100) as a source and Comcast's DNS server as a destination. I have USG50.


Gork
Ou812ic

join:2001-10-06
Bountiful, UT


reply to whisper1
I checked my log to find I have the same error sparsely littered throughout. The last four all came from 74.206.235.92 (registered to logoworks2.webair.com - Webair Internet Development out of NY state) to my WAN IP address.

A quick read of »www.symantec.com/connect/article···-packets leads me to believe this is not a setting you can change (at least via the web interface) in the router. My guess is that if a packet has an illegal combination of TCP flags the router always drops it, and for whatever reason logs it as well.

But the one thing which makes me ponder the validity of my theory is the question as to why an iPod would be sending out packets with illegal combinations of TCP flags...

I'll watch this thread and see if someone smarter knows for sure what's going on.


Anav
Sarcastic Llama? Naw, Just Acerbic
Premium
join:2001-07-16
Dartmouth, NS
kudos:5
said by Gork:

I checked my log to find I have the same error sparsely littered throughout. The last four all came from 74.206.235.92 (registered to logoworks2.webair.com - Webair Internet Development out of NY state) to my WAN IP address.

A quick read of »www.symantec.com/connect/article···-packets leads me to believe this is not a setting you can change (at least via the web interface) in the router. My guess is that if a packet has an illegal combination of TCP flags the router always drops it, and for whatever reason logs it as well.

But the one thing which makes me ponder the validity of my theory is the question as to why an iPod would be sending out packets with illegal combinations of TCP flags...

I'll watch this thread and see if someone smarter knows for sure what's going on.

You called? Obviously these Mickey Mouse smallish devices are running apps that are not thoroughly developed. The Zyxel recognizes their inferior quality and burps out their infantile attempts at networking.
--
Ain't nuthin but the blues! "Albert Collins".
Leave your troubles at the door! "Pepe Peregil" De Sevilla. Just Don't Wifi without WPA, "Yul Brenner"


whisper1

join:2007-11-28
Schomberg, ON
Anav,

I did think about that as a possibility, but was wondering whether the TCP packets are created at the app level. Doesn't that take place at an OS level, somewhat below what the app developer has available to them (generally speaking)? I don't have a lot of apps: one fairly mature home automation app, a home maintenance app and a few others, but they are all at least a few years into the development cycle.
If it's worth a shot I could try uninstalling them one by one.


Anav
Sarcastic Llama? Naw, Just Acerbic
Premium
join:2001-07-16
Dartmouth, NS
kudos:5
Wondering if that happens on all routers but unless they can log or one views the log it may not be widely known? Surely it has to be a common occurrence if device (not router) related.


Brano
I hate Vogons
Premium,MVM
join:2002-06-25
Burlington, ON
kudos:11
"Abnormal TCP flag attack detected" ... I see those too on occasion. Mainly from the WAN side.

whisper1

join:2007-11-28
Schomberg, ON

In my case it results in the connection to the iPod Touch being blocked for a certain time. Any of you experience this? I guess you may not know, if it's from the WAN side.

A search on Google shows it's happening on various models of the Zyxel products. Could be a Zyxel issue? I guess the next step is tech support.


Hank
Searching for a new Frontier
Premium
join:2002-05-21
Burlington, WV
kudos:3
reply to Brano
said by Brano:

"Abnormal TCP flag attack detected" ... I see those too on occasion. Mainly from the WAN side.

I also see "Abnormal TCP flag attack detected" a couple to three times a week, but on the WAN side.

Talk about timing, here is an alert I received while posting the above:

No.  Date/Time            Source         Destination  Priority  Category  Note          Message
1    2012-11-02 10:38:26  74.206.235.92  74.xx.xx.x   alert     firewall  ACCESS BLOCK  abnormal TCP flag attack detected, DROP

whisper1

join:2007-11-28
Schomberg, ON
reply to whisper1
FWIW, I changed the DNS to OpenDNS and no more alerts about Abnormal TCP flags. The DNS was previously set to 192.168.1.1

OGalati

join:2005-08-19
Argentina
reply to whisper1
Hi.

It could be a good idea to hook up a hub with a PC to sniff the packets with Wireshark, to determine if the "abnormality" resides in the packet itself or if it's abnormal only when seen by SPI.

Regards.

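As an added example (not code from anyone in this thread, and not Zyxel's own logic), here is a small Python check that does what Gork's theory above describes and what OGalati suggests verifying by capture: it parses raw Ethernet/IPv4/TCP frames, of the kind you would pull out of a Wireshark or tcpdump capture, classifies the flag combination the way a stateless filter would, and emits a ZyWALL-style drop line for the abnormal ones. The frames, addresses and the exact rule set are constructed for the demo; the thread does not document which combinations the USG actually rejects, so treat the rules as a plausible reconstruction, not the product's. One caveat the check encodes on purpose: a SYN carrying ECE+CWR is legitimate ECN negotiation (RFC 3168), and middleboxes that flagged it as abnormal have been a well-known source of false positives.

```python
"""Classify TCP flag combinations as a stateless filter would, then run the
check over a few constructed Ethernet/IPv4/TCP frames (example code, not Zyxel's)."""
import socket
import struct

# TCP flag bits: low byte of the 16-bit data-offset/flags word (RFC 793; ECE/CWR RFC 3168)
FIN, SYN, RST, PSH, ACK, URG, ECE, CWR = (1 << i for i in range(8))

FLAG_NAMES = {FIN: "FIN", SYN: "SYN", RST: "RST", PSH: "PSH",
              ACK: "ACK", URG: "URG", ECE: "ECE", CWR: "CWR"}


def flag_string(flags):
    return "+".join(n for b, n in FLAG_NAMES.items() if flags & b) or "none"


def classify_tcp_flags(flags):
    """Return a reason if the combination never occurs in a legitimate TCP exchange, else None.

    ECE and CWR are masked out: a SYN with ECE+CWR is normal ECN setup, and
    rejecting it is a classic middlebox false positive.
    """
    core = flags & (FIN | SYN | RST | PSH | ACK | URG)
    if core == 0:
        return "NULL (no flags)"
    if core & SYN and core & (FIN | RST):
        return "SYN combined with " + flag_string(core & (FIN | RST))
    if core & SYN:
        return None  # plain SYN, or SYN+ACK handshake reply
    if core & RST and core & (FIN | PSH | URG):
        return "RST combined with " + flag_string(core & (FIN | PSH | URG))
    if core & (FIN | PSH | URG) and not core & ACK:
        # After the handshake every segment carries ACK; bare FIN/PSH/URG are scan probes
        if core & (FIN | PSH | URG) == (FIN | PSH | URG):
            return "XMAS (FIN+PSH+URG, no ACK)"
        return flag_string(core) + " without ACK"
    return None


def ipv4_checksum(data):
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def build_frame(src_ip, dst_ip, sport, dport, flags):
    """Constructed Ethernet/IPv4/TCP frame for the demo: dummy MACs, no payload,
    TCP checksum left at zero because the classifier never looks at it."""
    tcp = struct.pack("!HHIIBBHHH", sport, dport, 0, 0, 5 << 4, flags, 65535, 0, 0)
    ip_hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(tcp), 0x1234, 0x4000, 64, 6, 0,
                         socket.inet_aton(src_ip), socket.inet_aton(dst_ip))
    ip_hdr = ip_hdr[:10] + struct.pack("!H", ipv4_checksum(ip_hdr)) + ip_hdr[12:]
    eth = b"\x00\x11\x22\x33\x44\x55" + b"\x66\x77\x88\x99\xaa\xbb" + b"\x08\x00"
    return eth + ip_hdr + tcp


def parse_frame(frame):
    """Return (src, dst, sport, dport, flags) for an IPv4/TCP frame, else None."""
    if len(frame) < 34 or frame[12:14] != b"\x08\x00":
        return None
    ip = frame[14:]
    ihl = (ip[0] & 0x0F) * 4
    if ip[0] >> 4 != 4 or ip[9] != 6 or len(ip) < ihl + 20:
        return None
    src, dst = socket.inet_ntoa(ip[12:16]), socket.inet_ntoa(ip[16:20])
    tcp = ip[ihl:]
    sport, dport = struct.unpack("!HH", tcp[:4])
    flags = tcp[13]  # flag byte; the NS bit in byte 12 is ignored here
    return src, dst, sport, dport, flags


def filter_frames(frames):
    """Apply the classifier to each frame; return firewall-style log lines for drops."""
    log = []
    for frame in frames:
        parsed = parse_frame(frame)
        if parsed is None:
            continue
        src, dst, sport, dport, flags = parsed
        reason = classify_tcp_flags(flags)
        if reason:
            log.append("%s:%d -> %s:%d abnormal TCP flag attack detected (%s), DROP"
                       % (src, sport, dst, dport, reason))
    return log


# Constructed sample traffic: four legitimate segments, then four scan-style probes
SAMPLE_FRAMES = [
    build_frame("192.168.1.10", "93.184.216.34", 49152, 80, SYN),              # normal open
    build_frame("192.168.1.10", "93.184.216.34", 49153, 443, SYN | ECE | CWR), # ECN setup, normal
    build_frame("192.168.1.10", "93.184.216.34", 49152, 80, ACK | PSH),        # data segment
    build_frame("192.168.1.10", "93.184.216.34", 49152, 80, FIN | ACK),        # normal close
    build_frame("198.51.100.7", "192.168.1.1", 40000, 22, 0),                  # NULL scan
    build_frame("198.51.100.7", "192.168.1.1", 40001, 22, FIN),                # FIN scan
    build_frame("198.51.100.7", "192.168.1.1", 40002, 22, FIN | PSH | URG),    # XMAS scan
    build_frame("198.51.100.7", "192.168.1.1", 40003, 22, SYN | FIN),          # SYN+FIN
]

if __name__ == "__main__":
    for line in filter_frames(SAMPLE_FRAMES):
        print(line)
```

Feeding real frames in is a matter of replacing SAMPLE_FRAMES with the link-layer bytes of each packet from a capture taken on the hub OGalati describes; if the capture shows a clean flag byte but the USG still logs a drop, the problem is in the firewall's state tracking rather than in the packet.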

dnoyeB
Ferrous Phallus

join:2000-10-09
Southfield, MI
kudos:1
reply to whisper1
I'm getting this every time I access my Obi110 on 192.168.2.2 from my desktop at 192.168.0.3.

Obi110 web interface works fine until the packets have to pass through the USG. Then the USG gets upset...

Wireshark is flagging frames as well when this happens. Labeling them as suspected retransmissions. Also, most frame lengths in the communication are 60 bytes. The ones complained about are over 180 bytes and some even 600 bytes.

I suppose I can live with this. Just means using the web interface will be a pain. Or I can temporarily connect my computer to the switch port giving me direct access to that subnet, thus removing the USG from the equation.
--
dnoyeB
"Then said I, Wisdom [is] better than strength: nevertheless the poor man's wisdom [is] despised, and his words are not heard. " Ecclesiastes 9:16

Kirby Smith

join:2001-01-26
Derry, NH
Or in the switch you could give the VLAN your computer is on access to the VLAN this Obi110 device is on.

kirby


dnoyeB
Ferrous Phallus

join:2000-10-09
Southfield, MI
kudos:1
said by Kirby Smith:

Or in the switch you could give the VLAN your computer is on access to the VLAN this Obi110 device is on.

kirby

Wouldn't matter. Even if they were on the same segment, being in different subnets means the data will still have to go through the router.

Kirby Smith

join:2001-01-26
Derry, NH
With my Cisco switch, devices on VLAN1 can also be members of other VLANs so that the VLAN traffic can be monitored. Maybe that is too unique a capability to be a good suggestion for other switches.

kirby


dnoyeB
Ferrous Phallus

join:2000-10-09
Southfield, MI
kudos:1
reply to whisper1
I see what you are saying now. I would be concerned. In that case, the Obi device will hit two ports on the router that both belong to the same subnet. I suspect every device in the subnet would then get each Obi message twice. Well, every message except the problem message, which is not transmitted even once...
