abnormal TCP traffic detected

User1234
User1234 Posts: 4
Hi all

I have a Question.
Our Firewall have an alert called: abnormal TCP traffic detected
Is there a real attack or danger for us or it´s just an ´´normal´´ info?

best regards
«1

All Replies

  • PeterUK
    PeterUK Posts: 1,343  Guru Member

    Its just traffic that seems odd to the firewall and drops it.


  • User1234
    User1234 Posts: 4
    Thanks for the answer, so there is nothing to do?
  • USG_User
    USG_User Posts: 309  Master Member
    But this "abnormal TCP traffic with destination port zero" is more and more annoying since we get an alert email every time, but don't want to generally switch off those alert emails.
  • User1234
    User1234 Posts: 4
    Yes that´s real annoying.
    The Source of this abnormal TCP traffic is in our case always from  Chunghwa Telecom Co. Ltd. in Taiwan.
  • USG_User
    USG_User Posts: 309  Master Member
    edited May 24
    In the meantime we get this abnormal traffic from many different IPs, mostly originated in asian region, too. We're  maintaining an "bad" IP list, collected in a "port_zero_group" and created an additional security policy control rule which immediately drops these packets without alert log. But since it become more and more "bad" IPs, maintaining of such a list is not practicable anymore.
  • Zyxel_Emily
    Zyxel_Emily Posts: 896  Zyxel Employee
    When device receives a UDP/TCP packet with source port zero or destination port zero, the device will drop this packet and generate a log. This behavior is a MUST for ICSA firewall certification, so the logs cannot be turned off and it is not configurable.
    We plan to change the log level as "debug level" in the future, then system will not notify this attack as alert. Here is another post for your reference. 
  • User1234
    User1234 Posts: 4
    Hello

    Ok, thanks for the Info and the Link.

    Regards
  • Zyxel_Emily
    Zyxel_Emily Posts: 896  Zyxel Employee
    In the latest version 5.30, the log level of "abnormal TCP traffic detected" is moved to "notice" level.
    It means you won't get alert notification mail when these logs appear. They appear on the Monitor > Log only.  

  • USG_User
    USG_User Posts: 309  Master Member
    In the latest version 5.30, the log level of "abnormal TCP traffic detected" is moved to "notice" level.
    Hope, this will be implemented in 4.71 FW for USG as well.
  • Zyxel_Emily
    Zyxel_Emily Posts: 896  Zyxel Employee
    It is also implemented in the latest firmware of 4.72. We will release the latest version in New & Release soon.

Security Highlight