Big uptick in “abnormal TCP flag attack detected” across all my devices today
Anyone else seeing this? I usually get one or two a day. Today I’m getting hundreds across all devices.
Accepted Solution
-
A log of "Abnormal TCP flag attack detected" means the firewall detects a potentially malicious network traffic pattern involving TCP flags, and drops these packets.
This issue occurs when the device receives packets with:
(1) ALL TCP flags bit are set at same time.
(2) SYN, FIN bits are set at same time.
(3) SYN, RST bits are set at same time.
(4) FIN, RST bits are set at same time. (usually occurs on the Mac OS)
(5) Only FIN bit is set.
(6) Only PSH bit is set.
(7) Only URG bit is set.If you are sure these packets are safe, enter the following CLI commands to disable this detection
Router# configure terminal
Router(config)# secure-policy abnormal_tcp_flag_detect deactivate0
All Replies
-
A log of "Abnormal TCP flag attack detected" means the firewall detects a potentially malicious network traffic pattern involving TCP flags, and drops these packets.
This issue occurs when the device receives packets with:
(1) ALL TCP flags bit are set at same time.
(2) SYN, FIN bits are set at same time.
(3) SYN, RST bits are set at same time.
(4) FIN, RST bits are set at same time. (usually occurs on the Mac OS)
(5) Only FIN bit is set.
(6) Only PSH bit is set.
(7) Only URG bit is set.If you are sure these packets are safe, enter the following CLI commands to disable this detection
Router# configure terminal
Router(config)# secure-policy abnormal_tcp_flag_detect deactivate0 -
Yes, went from 1 every few days to at least 1 per hour.
Something is going on out
0 -
Any update on this? We experience the same on some devices. Any countermeasures?
0 -
I can report the same on devices we support…
is there anything to protect the firewall from those attacks?0 -
Don't worry, the device drops the abnormal packets and generates a log when detecting them.
0 -
Thanks @Zyxel_James. I think the worry comes from the fact that not only a log entry is generated (which is fine) but also an alarm is risen and an alert emails sent out immediately. We receive a lot of alarm emails from our systems due to "Abnormal TCP flag attack" - more serious issues can be overseen in this situation.
I know from another discussion in this forum that the log-level for "abnormal tcp traffic detected, destination port is zero, DROP" has been changed from alarm to a lower level. Should not the same principle be applied to the "Abnormal TCP flag attack"?
0
Categories
- All Categories
- 415 Beta Program
- 2.4K Nebula
- 146 Nebula Ideas
- 96 Nebula Status and Incidents
- 5.7K Security
- 262 USG FLEX H Series
- 271 Security Ideas
- 1.4K Switch
- 74 Switch Ideas
- 1.1K Wireless
- 40 Wireless Ideas
- 6.4K Consumer Product
- 249 Service & License
- 387 News and Release
- 84 Security Advisories
- 29 Education Center
- 10 [Campaign] Zyxel Network Detective
- 3.5K FAQ
- 34 Documents
- 34 Nebula Monthly Express
- 85 About Community
- 73 Security Highlight