Router keeps dropping out: "tcp reset attack is suspected"
20-07-2023 10:17 AM
For the last week or so my router has been regularly dropping out. Checking the log I see "tcp reset attack is suspected" regularly before the dropouts. Any idea what's going on?
3. Firmware version: | Software version 4.7.5.1.83.8.289.1.3 Last updated 07/12/21 |
4. Board version: | Plusnet Hub One |
09:58:14, 20 Jul. | (83811.600000) PPPoE is down after 23 minutes uptime [Waiting for Underlying Connection (WAN Ethernet 7 - Down)] |
09:58:10, 20 Jul. | (83808.340000) PPP LCP Send Termination Request [User request] |
09:57:27, 20 Jul. | OUT: BLOCK [9] Packet invalid in connection (tcp reset attack is suspected: TCP [192.168.1.83]:64201->[17.253.29.207]:443 on ppp3) |
09:56:58, 20 Jul. | BLOCKED 2 more packets (because of Packet invalid in connection) |
Re: Router keeps dropping out: "tcp reset attack is suspected"
20-07-2023 10:22 AM - edited 20-07-2023 10:23 AM
Welcome to the forums @LawTurley. It would be interesting, and a little more helpful, to see a longer extract from your error logs. The Hub doing its job of blocking these 'attacks' shouldn't cause the drops.
Re: Router keeps dropping out: "tcp reset attack is suspected"
20-07-2023 10:29 AM
Thanks @jab1, not sure how many lines you feel would be useful, but here's the 7 mins or so leading up to the last dropout...
09:58:14, 20 Jul. | (83811.600000) PTM over DSL is down after 24 minutes uptime |
09:58:14, 20 Jul. | (83811.600000) PPPoE is down after 23 minutes uptime [Waiting for Underlying Connection (WAN Ethernet 7 - Down)] |
09:58:10, 20 Jul. | (83808.340000) PPP LCP Send Termination Request [User request] |
09:57:27, 20 Jul. | OUT: BLOCK [9] Packet invalid in connection (tcp reset attack is suspected: TCP [192.168.1.83]:64201->[17.253.29.207]:443 on ppp3) |
09:56:58, 20 Jul. | BLOCKED 2 more packets (because of Packet invalid in connection) |
09:56:58, 20 Jul. | IN: BLOCK [16] Remote administration (TCP [185.224.128.17]:58922->[146.90.163.248]:8080 on ppp3) |
09:56:57, 20 Jul. | OUT: BLOCK [9] Packet invalid in connection (tcp reset attack is suspected: TCP [192.168.1.83]:64199->[17.253.29.202]:443 on ppp3) |
09:56:56, 20 Jul. | OUT: BLOCK [9] Packet invalid in connection (tcp reset attack is suspected: TCP [192.168.1.83]:64198->[17.253.29.202]:443 on ppp3) |
09:56:10, 20 Jul. | IN: ACCEPT [57] Connection closed (Port Forwarding: TCP [192.168.1.66]:39579 <--> [146.90.163.248]:39579 - - - [146.70.179.19]:19388 CLOSED/SYN_SENT ppp3 NAPT) |
09:56:10, 20 Jul. | IN: ACCEPT [54] Connection opened (Port Forwarding: TCP [192.168.1.66]:39579 <--> [146.90.163.248]:39579 - - - [146.70.179.19]:19388 CLOSED/SYN_SENT ppp3 NAPT) |
09:52:35, 20 Jul. | OUT: BLOCK [7] ICMP replay (ICMP type 3 code 3 192.168.1.83->162.159.135.232 on ppp3) |
09:52:09, 20 Jul. | IN: BLOCK [9] Packet invalid in connection (Invalid tcp flags for current tcp state: TCP [216.58.204.78]:443->[146.90.163.248]:64175 on ppp3) |
09:51:59, 20 Jul. | OUT: BLOCK [9] Packet invalid in connection (tcp reset attack is suspected: TCP [192.168.1.104]:54006->[52.31.26.238]:443 on ppp3) |
09:51:46, 20 Jul. | BLOCKED 14 more packets (because of Packet invalid in connection) |
09:51:45, 20 Jul. | OUT: BLOCK [9] Packet invalid in connection (tcp reset attack is suspected: TCP [192.168.1.104]:38974->[142.250.178.14]:443 on ppp3) |
09:51:23, 20 Jul. | OUT: BLOCK [7] ICMP replay (ICMP type 3 code 3 192.168.1.83->162.159.135.232 on ppp3) |
09:51:13, 20 Jul. | OUT: BLOCK [7] ICMP replay (ICMP type 3 code 3 192.168.1.83->162.159.136.232 on ppp3) |
09:51:12, 20 Jul. | OUT: BLOCK [7] ICMP replay (ICMP type 3 code 3 192.168.1.83->162.159.137.232 on ppp3) |
09:51:10, 20 Jul. | BLOCKED 2 more packets (because of Packet invalid in connection) |
09:51:10, 20 Jul. | BLOCKED 4 more packets (because of ICMP replay) |
09:51:09, 20 Jul. | BLOCKED 6 more packets (because of Packet invalid in connection) |
09:51:09, 20 Jul. |
Re: Router keeps dropping out: "tcp reset attack is suspected"
20-07-2023 10:37 AM
That extract is a little more helpful, thanks, but it takes it slightly out of my knowledge area - I don't recall seeing some of those messages.
Mind if I tag a couple of more experienced members?
Re: Router keeps dropping out: "tcp reset attack is suspected"
20-07-2023 10:38 AM
@jab1 Sure, go ahead.
Re: Router keeps dropping out: "tcp reset attack is suspected"
20-07-2023 10:40 AM
@Townman , @Dan_the_Van - any ideas?
Re: Router keeps dropping out: "tcp reset attack is suspected"
20-07-2023 10:48 AM
I would investigate these messages
09:58:14, 20 Jul. | (83811.600000) PTM over DSL is down after 24 minutes uptime |
09:58:14, 20 Jul. | (83811.600000) PPPoE is down after 23 minutes uptime [Waiting for Underlying Connection (WAN Ethernet 7 - Down)] |
09:58:10, 20 Jul. | (83808.340000) PPP LCP Send Termination Request [User request] |
These messages are a port forward rule to a device which is currently turned off; the connection is from 147.70.179.19, which appears to be M247 Ltd.
09:56:10, 20 Jul. | IN: ACCEPT [57] Connection closed (Port Forwarding: TCP [192.168.1.66]:39579 <--> [146.90.163.248]:39579 - - - [146.70.179.19]:19388 CLOSED/SYN_SENT ppp3 NAPT) |
09:56:10, 20 Jul. | IN: ACCEPT [54] Connection opened (Port Forwarding: TCP [192.168.1.66]:39579 <--> [146.90.163.248]:39579 - - - [146.70.179.19]:19388 CLOSED/SYN_SENT ppp3 NAPT) |
Other messages are the Hub's firewall blocking IN and OUT connections and are not unusual.
Re: Router keeps dropping out: "tcp reset attack is suspected"
20-07-2023 10:54 AM
@Dan_the_Van I agree entirely that the first block of reports would be my initial port of call. The second lot need more information from the OP to determine what port-forwarding rules they have set up?
I wasn't bothered about the other perfectly normal blocks, TBH.
Re: Router keeps dropping out: "tcp reset attack is suspected"
20-07-2023 11:09 AM
Are you asking if I've made any changes to the router's port forwarding rules? Because if so, no I haven't.
Re: Router keeps dropping out: "tcp reset attack is suspected"
20-07-2023 11:14 AM
So, you have no forwarding rules set up?
Re: Router keeps dropping out: "tcp reset attack is suspected"
20-07-2023 11:30 AM
Sorry, I'm a bit rusty at router talk, but I haven't made any manual changes to the router's protocols at all.
Re: Router keeps dropping out: "tcp reset attack is suspected"
20-07-2023 11:31 AM
Firewall port forwarding rules can invisibly and unknowingly be created if "UPnP" is enabled in the router.
These UPnP port forwards can automatically be created by consumer devices such as media centres, games consoles, etc
BUT can also be generated by malicious software that may have infected a computer on your network.
I consider having UPnP enabled as a security threat and would advise disabling it and restarting the router, and then manually adding any port forward rules necessary for the functioning of any of your consumer devices.
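The triage suggested in the replies above (look at the link-down messages first, then check which port forwards exist), as an added example that is not code from any poster or from Plusnet. It splits a Hub One log extract into link-layer events, firewall block counts and the LAN endpoints that port-forward entries point at, so those can be compared with rules set up deliberately; the regular expressions are inferred from the lines posted in this thread and are an assumption about the log format.

```python
import re
from collections import Counter

# Constructed sample: lines copied from the log extract posted in this thread.
SAMPLE_LOG = """\
09:58:14, 20 Jul. | (83811.600000) PTM over DSL is down after 24 minutes uptime |
09:58:14, 20 Jul. | (83811.600000) PPPoE is down after 23 minutes uptime [Waiting for Underlying Connection (WAN Ethernet 7 - Down)] |
09:58:10, 20 Jul. | (83808.340000) PPP LCP Send Termination Request [User request] |
09:57:27, 20 Jul. | OUT: BLOCK [9] Packet invalid in connection (tcp reset attack is suspected: TCP [192.168.1.83]:64201->[17.253.29.207]:443 on ppp3) |
09:56:58, 20 Jul. | BLOCKED 2 more packets (because of Packet invalid in connection) |
09:56:58, 20 Jul. | IN: BLOCK [16] Remote administration (TCP [185.224.128.17]:58922->[146.90.163.248]:8080 on ppp3) |
09:56:10, 20 Jul. | IN: ACCEPT [57] Connection closed (Port Forwarding: TCP [192.168.1.66]:39579 <--> [146.90.163.248]:39579 - - - [146.70.179.19]:19388 CLOSED/SYN_SENT ppp3 NAPT) |
09:56:10, 20 Jul. | IN: ACCEPT [54] Connection opened (Port Forwarding: TCP [192.168.1.66]:39579 <--> [146.90.163.248]:39579 - - - [146.70.179.19]:19388 CLOSED/SYN_SENT ppp3 NAPT) |
09:52:35, 20 Jul. | OUT: BLOCK [7] ICMP replay (ICMP type 3 code 3 192.168.1.83->162.159.135.232 on ppp3) |
"""

# Patterns inferred from the lines above, not from any Hub One documentation.
FIREWALL = re.compile(r"\| (IN|OUT): (BLOCK|ACCEPT) \[\d+\] ([^(]+?) \((.*)\) \|")
SUPPRESSED = re.compile(r"\| BLOCKED (\d+) more packets \(because of (.*?)\)")
FORWARD = re.compile(r"Port Forwarding: (\w+) \[([\d.]+)\]:(\d+) <--> "
                     r"\[[\d.]+\]:\d+ - - - \[([\d.]+)\]:\d+")
LINK = re.compile(r"\| \([\d.]+\) (.*?) \|")


def triage(log):
    """Split a log extract into link events, block counts and port forwards."""
    link_events, blocks, forwards = [], Counter(), set()
    for line in log.splitlines():
        stamp = line[:8]
        if m := FIREWALL.search(line):
            _direction, action, reason, detail = m.groups()
            if action == "BLOCK":
                blocks[reason] += 1
            if fwd := FORWARD.search(detail):
                proto, lan_ip, lan_port, remote_ip = fwd.groups()
                forwards.add((proto, lan_ip, int(lan_port), remote_ip))
        elif m := SUPPRESSED.search(line):
            blocks[m.group(2)] += int(m.group(1))  # "N more packets" summary line
        elif m := LINK.search(line):
            link_events.append((stamp, m.group(1)))
    return link_events, blocks, forwards


if __name__ == "__main__":
    link_events, blocks, forwards = triage(SAMPLE_LOG)
    print("Link-layer events:", *link_events, sep="\n  ")
    print("Blocks by reason:", dict(blocks))
    print("Forwarded LAN endpoints to check against intended rules:", sorted(forwards))
```

Any LAN address and port in the forwards set that does not correspond to a rule added by hand is a candidate for a UPnP-created mapping.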
Re: Router keeps dropping out: "tcp reset attack is suspected"
20-07-2023 11:39 AM
Are the "PPP LCP Send Termination Request" coincident with attempting to upload a significant sized file, for example doing an online backup, or synchronizing a mobile phone to cloud storage?
In the past there have been reports here of seeing "PPP LCP Send Termination Request" when the Hub One has its upload path overwhelmed, and *I think* there was a firmware update that cured that issue.
Re: Router keeps dropping out: "tcp reset attack is suspected"
20-07-2023 11:40 AM
The OP's Hub has the latest f/w, @Anonymous
Re: Router keeps dropping out: "tcp reset attack is suspected"
20-07-2023 11:51 AM
@Anonymous wrote:
Are the "PPP LCP Send Termination Request" coincident with attempting to upload a significant sized file, for example doing an online backup, or synchronizing a mobile phone to cloud storage?
In the past there have been reports here of seeing "PPP LCP Send Termination Request" when the Hub One has its upload path overwhelmed, and *I think* there was a firmware update that cured that issue.
No, nothing unusual going on at all. But I'll try what you suggested with the UPnP and see if that fixes it.