Big uptick in “abnormal TCP flag attack detected” across all my devices today

Options
ChipConnJohn
ChipConnJohn Posts: 44  Freshman Member
First Anniversary 10 Comments Zyxel Certified Network Administrator - Security Zyxel Certified Network Administrator - Nebula

Anyone else seeing this? I usually get one or two a day. Today I’m getting hundreds across all devices.

Accepted Solution

  • Zyxel_James
    Zyxel_James Posts: 626  Zyxel Employee
    First Anniversary 10 Comments Friend Collector First Answer
    Answer ✓
    Options

    A log of "Abnormal TCP flag attack detected" means the firewall detects a potentially malicious network traffic pattern involving TCP flags, and drops these packets.

    This issue occurs when the device receives packets with:
    (1) ALL TCP flags bit are set at same time.
    (2) SYN, FIN bits are set at same time.
    (3) SYN, RST bits are set at same time.
    (4) FIN, RST bits are set at same time. (usually occurs on the Mac OS)
    (5) Only FIN bit is set.
    (6) Only PSH bit is set.
    (7) Only URG bit is set.

    If you are sure these packets are safe, enter the following CLI commands to disable this detection
    Router# configure terminal
    Router(config)# secure-policy abnormal_tcp_flag_detect deactivate

All Replies

  • Zyxel_James
    Zyxel_James Posts: 626  Zyxel Employee
    First Anniversary 10 Comments Friend Collector First Answer
    Answer ✓
    Options

    A log of "Abnormal TCP flag attack detected" means the firewall detects a potentially malicious network traffic pattern involving TCP flags, and drops these packets.

    This issue occurs when the device receives packets with:
    (1) ALL TCP flags bit are set at same time.
    (2) SYN, FIN bits are set at same time.
    (3) SYN, RST bits are set at same time.
    (4) FIN, RST bits are set at same time. (usually occurs on the Mac OS)
    (5) Only FIN bit is set.
    (6) Only PSH bit is set.
    (7) Only URG bit is set.

    If you are sure these packets are safe, enter the following CLI commands to disable this detection
    Router# configure terminal
    Router(config)# secure-policy abnormal_tcp_flag_detect deactivate

  • RichP
    Options

    Yes, went from 1 every few days to at least 1 per hour.

    Something is going on out

  • st3213
    Options

    Any update on this? We experience the same on some devices. Any countermeasures?

  • ProgThrSup
    Options

    I can report the same on devices we support…
    is there anything to protect the firewall from those attacks?

  • Zyxel_James
    Zyxel_James Posts: 626  Zyxel Employee
    First Anniversary 10 Comments Friend Collector First Answer
    Options

    @ProgThrSup @st3213 @RichP

    Don't worry, the device drops the abnormal packets and generates a log when detecting them.

  • st3213
    Options

    Thanks @Zyxel_James. I think the worry comes from the fact that not only a log entry is generated (which is fine) but also an alarm is risen and an alert emails sent out immediately. We receive a lot of alarm emails from our systems due to "Abnormal TCP flag attack" - more serious issues can be overseen in this situation.

    I know from another discussion in this forum that the log-level for "abnormal tcp traffic detected, destination port is zero, DROP" has been changed from alarm to a lower level. Should not the same principle be applied to the "Abnormal TCP flag attack"?

Security Highlight