What does the log “abnormal TCP flag attack detected” mean?

Zyxel_James Posts: 610  Zyxel Employee

Question: What does the log “abnormal TCP flag attack detected” mean?

Answer:

A log of "Abnormal TCP flag attack detected" means the firewall detected a potentially malicious traffic pattern involving TCP flags and dropped these packets.

This log is generated when the device receives packets with:
(1) All TCP flag bits set at the same time.
(2) SYN and FIN bits set at the same time.
(3) SYN and RST bits set at the same time.
(4) FIN and RST bits set at the same time. (usually occurs on Mac OS)
(5) Only the FIN bit set.
(6) Only the PSH bit set.
(7) Only the URG bit set.

If you are sure these packets are safe, enter the following CLI commands to disable this detection:
Router# configure terminal
Router(config)# secure-policy abnormal_tcp_flag_detect deactivate
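
To check which of the seven conditions a captured packet falls under before deciding whether to turn the detection off, the list above can be expressed as a small classifier. This is an added example, not Zyxel's code. It assumes that "all flags" means the six classic bits (FIN, SYN, RST, PSH, ACK, URG), that ECE/CWR are ignored, and that rules (2) to (4) match even when other bits such as ACK are also set; the firewall's exact matching is not documented in the post. The sample headers are constructed.

```python
import struct

# TCP flag bits in byte 13 of the TCP header (RFC 9293).
FIN, SYN, RST, PSH, ACK, URG = 0x01, 0x02, 0x04, 0x08, 0x10, 0x20
CLASSIC = FIN | SYN | RST | PSH | ACK | URG  # ECE/CWR ignored (assumption)

# (rule number from the post, description, predicate on the masked flag byte)
RULES = [
    (1, "all flags set", lambda f: f == CLASSIC),
    (2, "SYN+FIN", lambda f: f & SYN and f & FIN),
    (3, "SYN+RST", lambda f: f & SYN and f & RST),
    (4, "FIN+RST", lambda f: f & FIN and f & RST),
    (5, "FIN only", lambda f: f == FIN),
    (6, "PSH only", lambda f: f == PSH),
    (7, "URG only", lambda f: f == URG),
]

def classify_flags(flags):
    """Return (rule_no, description) for the first matching rule, else None."""
    f = flags & CLASSIC
    for number, description, matches in RULES:
        if matches(f):
            return number, description
    return None

def classify_segment(tcp_header):
    """Classify a raw TCP header (at least the fixed 20 bytes)."""
    if len(tcp_header) < 20:
        raise ValueError("truncated TCP header")
    return classify_flags(tcp_header[13])

def sample_header(flags):
    """Constructed 20-byte TCP header: ports 40000 -> 443, data offset 5."""
    return struct.pack("!HHIIBBHHH", 40000, 443, 1, 0, 5 << 4, flags, 65535, 0, 0)

if __name__ == "__main__":
    samples = [("SYN", SYN), ("SYN/ACK", SYN | ACK), ("FIN/ACK", FIN | ACK),
               ("all six", CLASSIC), ("SYN+FIN", SYN | FIN),
               ("FIN+RST+ACK", FIN | RST | ACK), ("PSH", PSH)]
    for name, flags in samples:
        print(f"{name:12} -> {classify_segment(sample_header(flags))}")
```

Normal handshake and teardown segments (SYN, SYN/ACK, FIN/ACK) return None, so a hit on rule (4) from a known host points at the Mac OS behaviour the post mentions rather than at a scan.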