abnormal TCP traffic detected

User1234 Posts: 4
Hi all

I have a question.
Our firewall has an alert called "abnormal TCP traffic detected".
Is this a real attack or danger for us, or is it just "normal" info?

best regards

All Replies

  • PeterUK
    PeterUK Posts: 2,221
     Guru Member

    It's just traffic that seems odd to the firewall, and it drops it.


  • User1234
    User1234 Posts: 4
    Thanks for the answer, so there is nothing to do?
  • USG_User
    USG_User Posts: 365
     Master Member
    But this "abnormal TCP traffic with destination port zero" is more and more annoying since we get an alert email every time, but don't want to generally switch off those alert emails.
  • User1234
    User1234 Posts: 4
    Yes, that's really annoying.
    The source of this abnormal TCP traffic is in our case always Chunghwa Telecom Co. Ltd. in Taiwan.
  • USG_User
    USG_User Posts: 365
     Master Member
    edited May 2022
    In the meantime we get this abnormal traffic from many different IPs, mostly originating in the Asian region, too. We're maintaining a "bad" IP list, collected in a "port_zero_group", and created an additional security policy control rule which immediately drops these packets without an alert log. But since there are more and more "bad" IPs, maintaining such a list is not practicable anymore.
  • Zyxel_Emily
    Zyxel_Emily Posts: 1,182
     Zyxel Employee
    When the device receives a UDP/TCP packet with source port zero or destination port zero, the device will drop this packet and generate a log. This behavior is a MUST for ICSA firewall certification, so the logs cannot be turned off and it is not configurable.
    We plan to change the log level to "debug level" in the future; the system will then no longer notify this attack as an alert. Here is another post for your reference.

    Click this link to start: https://bit.ly/3R2Wx52
    Emily
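    The thread describes two things a defender ends up doing by hand: telling port-zero drops apart from other log entries, and tallying which source IPs keep producing them. The script below is an added example (not code from the thread, from Zyxel, or from any poster) that parses a handful of constructed log lines and does both. The log field layout (`src=IP:PORT dst=IP:PORT proto=… action=…`) and the sample addresses are assumptions made for the example; they are not Zyxel's real log format. The `needs_alert_mail` check mirrors the later point in the thread that entries at "notice" level no longer trigger notification mail while "alert" entries do.

```python
import re
from collections import Counter
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

# Constructed sample log lines (documentation-range IPs). The layout is an
# assumption for this example, not the firewall's actual export format.
SAMPLE_LOGS = """\
2022-05-03 10:12:01 alert abnormal TCP traffic detected src=203.0.113.10:44321 dst=198.51.100.7:0 proto=TCP action=drop
2022-05-03 10:12:09 alert abnormal TCP traffic detected src=203.0.113.10:44322 dst=198.51.100.7:0 proto=TCP action=drop
2022-05-03 10:13:44 info  user login src=192.0.2.5:51000 dst=198.51.100.7:443 proto=TCP action=allow
2022-05-03 10:15:02 alert abnormal TCP traffic detected src=203.0.113.77:0 dst=198.51.100.7:80 proto=TCP action=drop
2022-05-03 10:16:30 alert abnormal TCP traffic detected src=203.0.113.10:44323 dst=198.51.100.7:0 proto=TCP action=drop
2022-05-03 10:17:11 notice abnormal TCP traffic detected src=203.0.113.88:55000 dst=198.51.100.7:0 proto=TCP action=drop
"""

# One regex for the assumed line layout: timestamp, level, free-text message,
# then the src/dst/proto/action key=value fields.
LOG_RE = re.compile(
    r"^(?P<ts>\S+ \S+)\s+(?P<level>\w+)\s+(?P<msg>.*?)\s+"
    r"src=(?P<src_ip>[\d.]+):(?P<src_port>\d+)\s+"
    r"dst=(?P<dst_ip>[\d.]+):(?P<dst_port>\d+)\s+"
    r"proto=(?P<proto>\w+)\s+action=(?P<action>\w+)$"
)


@dataclass
class LogEvent:
    ts: str
    level: str
    msg: str
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int
    proto: str
    action: str

    @property
    def is_port_zero(self) -> bool:
        # The condition the firewall itself uses: either port is zero.
        return self.src_port == 0 or self.dst_port == 0


def parse_line(line: str) -> Optional[LogEvent]:
    """Parse one log line; return None for lines that do not match the layout."""
    m = LOG_RE.match(line.strip())
    if not m:
        return None
    d = m.groupdict()
    return LogEvent(d["ts"], d["level"], d["msg"], d["src_ip"], int(d["src_port"]),
                    d["dst_ip"], int(d["dst_port"]), d["proto"], d["action"])


def parse_logs(text: str) -> List[LogEvent]:
    return [ev for ev in (parse_line(l) for l in text.splitlines()) if ev is not None]


def port_zero_events(events: List[LogEvent]) -> List[LogEvent]:
    return [e for e in events if e.is_port_zero]


def top_sources(events: List[LogEvent], n: int = 5) -> List[Tuple[str, int]]:
    """Rank source IPs by how many port-zero drops they produced."""
    return Counter(e.src_ip for e in port_zero_events(events)).most_common(n)


def needs_alert_mail(event: LogEvent, alert_levels: Tuple[str, ...] = ("alert",)) -> bool:
    """Only entries at an alert level would trigger a notification mail;
    "notice"-level entries (the behaviour after the firmware change) would not."""
    return event.level in alert_levels


def summarize(text: str) -> Dict[str, object]:
    events = parse_logs(text)
    pz = port_zero_events(events)
    return {
        "total": len(events),
        "port_zero": len(pz),
        "mail_worthy": sum(1 for e in pz if needs_alert_mail(e)),
        "top_sources": top_sources(events),
    }


if __name__ == "__main__":
    for key, value in summarize(SAMPLE_LOGS).items():
        print(f"{key}: {value}")
```

    Feeding a real export into `summarize` gives the per-source counts that the thread's manual "port_zero_group" list was built from, and `needs_alert_mail` shows why moving the message to "notice" silences the mails without hiding the entries from the log view.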

  • User1234
    User1234 Posts: 4
    Hello

    OK, thanks for the info and the link.

    Regards
  • Zyxel_Emily
    Zyxel_Emily Posts: 1,182
     Zyxel Employee
    In the latest version 5.30, the log level of "abnormal TCP traffic detected" is moved to the "notice" level.
    It means you won't get an alert notification mail when these logs appear. They appear under Monitor > Log only.


  • USG_User
    USG_User Posts: 365
     Master Member
    "In the latest version 5.30, the log level of "abnormal TCP traffic detected" is moved to "notice" level."
    Hope this will be implemented in the 4.71 FW for USG as well.
  • Zyxel_Emily
    Zyxel_Emily Posts: 1,182
     Zyxel Employee
    It is also implemented in the latest firmware, 4.72. We will release the latest version in News & Release soon.

