cancel
Showing results for 
Search instead for 
Did you mean: 

Router keeps dropping out: "tcp reset attack is suspected"

LawTurley
Dabbler
Posts: 10
Thanks: 1
Registered: ‎20-07-2023

Router keeps dropping out: "tcp reset attack is suspected"

For the last week or so my router has been regularly dropping out. Checking the log I see "tcp reset attack is suspected" regularly before the dropouts. Any idea what's going on?

3. Firmware version:Software version 4.7.5.1.83.8.289.1.3 Last updated 07/12/21
4. Board version:Plusnet Hub One

 

09:58:14, 20 Jul.(83811.600000) PPPoE is down after 23 minutes uptime [Waiting for Underlying Connection (WAN Ethernet 7 -​ Down)]
09:58:10, 20 Jul.(83808.340000) PPP LCP Send Termination Request [User request]
09:57:27, 20 Jul.OUT: BLOCK [9] Packet invalid in connection (tcp reset attack is suspected: TCP [192.168.1.83]:64201-​>[17.253.29.207]:443 on ppp3)
09:56:58, 20 Jul.BLOCKED 2 more packets (because of Packet invalid in connection)
24 REPLIES 24
jab1
Legend
Posts: 18,919
Thanks: 6,201
Fixes: 286
Registered: ‎24-02-2012

Re: Router keeps dropping out: "tcp reset attack is suspected"

Welcome to the forums @LawTurley . It would be interesting, and a little more helpful to see a longer extract from your error logs. The Hub doing its job of blocking these 'attacks shouldn't cause the drops.

John
LawTurley
Dabbler
Posts: 10
Thanks: 1
Registered: ‎20-07-2023

Re: Router keeps dropping out: "tcp reset attack is suspected"

Thanks @jab1 , not sure how many lines you feel would be useful, but here's the 7 mins or so leading up to the last dropout...

09:58:14, 20 Jul. (83811.600000) PTM over DSL is down after 24 minutes uptime
09:58:14, 20 Jul. (83811.600000) PPPoE is down after 23 minutes uptime [Waiting for Underlying Connection (WAN Ethernet 7 -​ Down)]
09:58:10, 20 Jul. (83808.340000) PPP LCP Send Termination Request [User request]
09:57:27, 20 Jul. OUT: BLOCK [9] Packet invalid in connection (tcp reset attack is suspected: TCP [192.168.1.83]:64201-​>[17.253.29.207]:443 on ppp3)
09:56:58, 20 Jul. BLOCKED 2 more packets (because of Packet invalid in connection)
09:56:58, 20 Jul. IN: BLOCK [16] Remote administration (TCP [185.224.128.17]:58922-​>[146.90.163.248]:8080 on ppp3)
09:56:57, 20 Jul. OUT: BLOCK [9] Packet invalid in connection (tcp reset attack is suspected: TCP [192.168.1.83]:64199-​>[17.253.29.202]:443 on ppp3)
09:56:56, 20 Jul. OUT: BLOCK [9] Packet invalid in connection (tcp reset attack is suspected: TCP [192.168.1.83]:64198-​>[17.253.29.202]:443 on ppp3)
09:56:10, 20 Jul. IN: ACCEPT [57] Connection closed (Port Forwarding: TCP [192.168.1.66]:39579 <-​-​> [146.90.163.248]:39579 -​ -​ -​ [146.70.179.19]:19388 CLOSED/SYN_SENT ppp3 NAPT)
09:56:10, 20 Jul. IN: ACCEPT [54] Connection opened (Port Forwarding: TCP [192.168.1.66]:39579 <-​-​> [146.90.163.248]:39579 -​ -​ -​ [146.70.179.19]:19388 CLOSED/SYN_SENT ppp3 NAPT)
09:52:35, 20 Jul. OUT: BLOCK [7] ICMP replay (ICMP type 3 code 3 192.168.1.83-​>162.159.135.232 on ppp3)
09:52:09, 20 Jul. IN: BLOCK [9] Packet invalid in connection (Invalid tcp flags for current tcp state: TCP [216.58.204.78]:443-​>[146.90.163.248]:64175 on ppp3)
09:51:59, 20 Jul. OUT: BLOCK [9] Packet invalid in connection (tcp reset attack is suspected: TCP [192.168.1.104]:54006-​>[52.31.26.238]:443 on ppp3)
09:51:46, 20 Jul. BLOCKED 14 more packets (because of Packet invalid in connection)
09:51:45, 20 Jul. OUT: BLOCK [9] Packet invalid in connection (tcp reset attack is suspected: TCP [192.168.1.104]:38974-​>[142.250.178.14]:443 on ppp3)
09:51:23, 20 Jul. OUT: BLOCK [7] ICMP replay (ICMP type 3 code 3 192.168.1.83-​>162.159.135.232 on ppp3)
09:51:13, 20 Jul. OUT: BLOCK [7] ICMP replay (ICMP type 3 code 3 192.168.1.83-​>162.159.136.232 on ppp3)
09:51:12, 20 Jul. OUT: BLOCK [7] ICMP replay (ICMP type 3 code 3 192.168.1.83-​>162.159.137.232 on ppp3)
09:51:10, 20 Jul. BLOCKED 2 more packets (because of Packet invalid in connection)
09:51:10, 20 Jul. BLOCKED 4 more packets (because of ICMP replay)
09:51:09, 20 Jul. BLOCKED 6 more packets (because of Packet invalid in connection)
09:51:09, 20 Jul.
jab1
Legend
Posts: 18,919
Thanks: 6,201
Fixes: 286
Registered: ‎24-02-2012

Re: Router keeps dropping out: "tcp reset attack is suspected"

That extract is a little more helpful, thanks, but it takes it slightly out of my knowledge area - I don't recall seeing some of those messages.

Mind if I tag a couple of more experienced members?

John
LawTurley
Dabbler
Posts: 10
Thanks: 1
Registered: ‎20-07-2023

Re: Router keeps dropping out: "tcp reset attack is suspected"

@jab1 Sure, go ahead.

jab1
Legend
Posts: 18,919
Thanks: 6,201
Fixes: 286
Registered: ‎24-02-2012

Re: Router keeps dropping out: "tcp reset attack is suspected"

@Townman  , @Dan_the_Van  - any ideas?

John
Dan_the_Van
Hero
Posts: 3,036
Thanks: 1,469
Fixes: 90
Registered: ‎25-06-2007

Re: Router keeps dropping out: "tcp reset attack is suspected"

@jab1 

I would investigate these messages

09:58:14, 20 Jul. (83811.600000) PTM over DSL is down after 24 minutes uptime
09:58:14, 20 Jul. (83811.600000) PPPoE is down after 23 minutes uptime [Waiting for Underlying Connection (WAN Ethernet 7 -​ Down)]
09:58:10, 20 Jul. (83808.340000) PPP LCP Send Termination Request [User request]

 

These messages are a port forward rule to a device which is currently turned off, the connection if from 147.70.179.19 which appears to be M247 Ltd

09:56:10, 20 Jul. IN: ACCEPT [57] Connection closed (Port Forwarding: TCP [192.168.1.66]:39579 <-​-​> [146.90.163.248]:39579 -​ -​ -​ [146.70.179.19]:19388 CLOSED/SYN_SENT ppp3 NAPT)
09:56:10, 20 Jul. IN: ACCEPT [54] Connection opened (Port Forwarding: TCP [192.168.1.66]:39579 <-​-​> [146.90.163.248]:39579 -​ -​ -​ [146.70.179.19]:19388 CLOSED/SYN_SENT ppp3 NAPT)

 

Other messages are the Hub's firewall blocking IN and OUT connections and are not unusually.

 

jab1
Legend
Posts: 18,919
Thanks: 6,201
Fixes: 286
Registered: ‎24-02-2012

Re: Router keeps dropping out: "tcp reset attack is suspected"

@Dan_the_Van I agree entirely that the first block of reports would be my initial port of call.  The second lot need more information from the OP to determine what port-forwarding rules they have set up?

I wasn't bothered about the other perfectly normal blocks, TBH.

John
LawTurley
Dabbler
Posts: 10
Thanks: 1
Registered: ‎20-07-2023

Re: Router keeps dropping out: "tcp reset attack is suspected"

Are you asking if I've made any changes to the router's port forwarding rules? Because if so, no I haven't.

jab1
Legend
Posts: 18,919
Thanks: 6,201
Fixes: 286
Registered: ‎24-02-2012

Re: Router keeps dropping out: "tcp reset attack is suspected"

So, you have no forwarding rules set up?

John
LawTurley
Dabbler
Posts: 10
Thanks: 1
Registered: ‎20-07-2023

Re: Router keeps dropping out: "tcp reset attack is suspected"

Sorry, I'm a bit rusty at router talk, but I haven't made any manual changes to the routers protocols at all. 

Anonymous
Not applicable

Re: Router keeps dropping out: "tcp reset attack is suspected"

Firewall port forwarding rules can invisibly and unknowingly be created if "UPnP" is enabled in the router.

These UPnP port forwards can automatically be created by consumer devices such as media centres, games consoles, etc

BUT can also be generated by malicious software that may have infected a computer on your network.

I consider having UPnP enabled as security threat and would advise disabling it and restarting the router, and then manually adding any port forward rules necessary for the functioning of any of your consumer devices.

Anonymous
Not applicable

Re: Router keeps dropping out: "tcp reset attack is suspected"

Are the  "PPP LCP Send Termination Request"  coincident with attempting to upload a significant sized file, for example doing an online backup, or synchronizing a mobile phone to cloud storage ?

In the past there have been reports here of seeing "PPP LCP Send Termination Request" when the Hub One has it's upload path overwhelmed, and *I think* there was a firmware update that cured that issue.

jab1
Legend
Posts: 18,919
Thanks: 6,201
Fixes: 286
Registered: ‎24-02-2012

Re: Router keeps dropping out: "tcp reset attack is suspected"

The OP's Hub has the latest f/w, @Anonymous 

John
LawTurley
Dabbler
Posts: 10
Thanks: 1
Registered: ‎20-07-2023

Re: Router keeps dropping out: "tcp reset attack is suspected"


@Anonymous wrote:

Are the  "PPP LCP Send Termination Request"  coincident with attempting to upload a significant sized file, for example doing an online backup, or synchronizing a mobile phone to cloud storage ?

In the past there have been reports here of seeing "PPP LCP Send Termination Request" when the Hub One has it's upload path overwhelmed, and *I think* there was a firmware update that cured that issue.


No, nothing unusual going on at all. But I'll try what you suggested with the UPnP and see if that fixes it.