
I'd like to find an end-point device that generates an error

asked 2019-12-18 05:32:05 +0000

AlexatCube

updated 2019-12-18 09:53:21 +0000

grahamb

Hello,

I recently installed a router at an office. The problem is that the new router stops working almost every two weeks. Therefore, I need to un-plug and re-plug its power cord to make it work again.

I checked the logs page of the router and as attached, "Detected ping of death attack" log is detected every few seconds. I'm pretty sure that it's not actually something like hacking. So I just want to find the end-point device that keeps generating the log.

I just downloaded and installed Wireshark on my laptop and went over some blog posts about it. However, I couldn't find something that can be applied to my situation. Can anybody help me resolve the issue, please?

Thanks,

Just noticed that I can't upload an image without having an account for this site. So I'm adding the logs here

1   2019-12-18 14:29:18 Firewall    WARNING Detected Ping of Death attack. Dropped 3 packets.
2   2019-12-18 14:29:11 Firewall    WARNING Detected Ping of Death attack. Dropped 3 packets.
3   2019-12-18 14:29:05 Firewall    WARNING Detected Ping of Death attack. Dropped 3 packets.
4   2019-12-18 14:28:58 Firewall    WARNING Detected Ping of Death attack. Dropped 3 packets.
5   2019-12-18 14:28:52 Firewall    WARNING Detected Ping of Death attack. Dropped 3 packets.
6   2019-12-18 14:28:45 Firewall    WARNING Detected Ping of Death attack. Dropped 3 packets.
7   2019-12-18 14:28:39 Firewall    WARNING Detected Ping of Death attack. Dropped 3 packets.
8   2019-12-18 14:28:32 Firewall    WARNING Detected Ping of Death attack. Dropped 3 packets.
9   2019-12-18 14:28:26 Firewall    WARNING Detected Ping of Death attack. Dropped 3 packets.

Comments

More:

3   2019-12-18 14:29:05 Firewall    WARNING Detected Ping of Death attack. Dropped 3 packets.
4   2019-12-18 14:28:58 Firewall    WARNING Detected Ping of Death attack. Dropped 3 packets.
5   2019-12-18 14:28:52 Firewall    WARNING Detected Ping of Death attack. Dropped 3 packets.
6   2019-12-18 14:28:45 Firewall    WARNING Detected Ping of Death attack. Dropped 3 packets.
AlexatCube ( 2019-12-18 05:34:31 +0000 )

What is the model of the router?

grahamb ( 2019-12-18 09:59:23 +0000 )

It's a TP-Link R600VPN.

AlexatCube ( 2019-12-19 08:47:35 +0000 )

2 Answers


answered 2019-12-19 02:18:47 +0000

Chuckc

"Ping" and "attack" could be a red herring. Without knowing how the device detects this there could be other causes.
Here is an example from Cisco that doesn't look at the ICMP Type or Code fields:

Triggers when a IP datagram is received with the protocol sig_desc of the IP header set to 1(ICMP), the Last Fragment bit is set, and ( IP offset * 8 ) + ( IP data length) > 65535 that is to say, the IP offset (which represents the starting position of this fragment in the original packet, and which is in 8 byte units) plus the rest of the packet is greater than the maximum size for an IP packet. This indicates a denial of service attack.


ICMP is used for a lot more than just Ping request/replies.
It's possible that something in the network is sending an improperly formatted ICMP packet.
ICMP packets generated by an IP phone:
https://support.huawei.com/enterprise...

It doesn't look like the TL-R600VPN supports packet capture. It does support port mirroring.
That would require a site visit and a wired connection to your laptop running Wireshark.
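
The check quoted from Cisco above, applied to captured Ethernet frames to tally which source MAC and IP send matching fragments. This is an added example, not part of the original answer or any vendor's code; the function names and the sample frames are constructed for illustration.

```python
import struct
from collections import Counter

MAX_IP_DATAGRAM = 65535  # largest value the 16-bit IPv4 Total Length field can hold

def oversize_icmp_fragment(frame: bytes):
    """Return (src_mac, src_ip, end_byte) when an Ethernet/IPv4 frame matches the quoted rule."""
    if len(frame) < 34 or frame[12:14] != b"\x08\x00":  # Ethernet II carrying IPv4 only
        return None
    ip = frame[14:]
    ihl = (ip[0] & 0x0F) * 4
    if ip[0] >> 4 != 4 or ihl < 20 or len(ip) < ihl:
        return None
    total_len, _ident, flags_frag = struct.unpack("!HHH", ip[2:8])
    more_fragments = bool(flags_frag & 0x2000)
    end_byte = (flags_frag & 0x1FFF) * 8 + (total_len - ihl)  # offset is in 8-byte units
    # Rule: protocol 1 (ICMP), last fragment, and the fragment ends past 65535 bytes.
    if ip[9] != 1 or more_fragments or end_byte <= MAX_IP_DATAGRAM:
        return None
    src_mac = ":".join(f"{b:02x}" for b in frame[6:12])
    return src_mac, ".".join(map(str, ip[12:16])), end_byte

def count_sources(frames):
    """Tally matching frames per (source MAC, source IP)."""
    hits = filter(None, map(oversize_icmp_fragment, frames))
    return Counter((mac, ip) for mac, ip, _ in hits)

def build_frame(src_mac, src_ip, offset_units, more_frags, payload_len, proto=1):
    """Constructed test frame: zeroed destination MAC, checksum and payload."""
    eth = bytes(6) + bytes.fromhex(src_mac.replace(":", "")) + b"\x08\x00"
    flags_frag = (0x2000 if more_frags else 0) | offset_units
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + payload_len, 0x1234, flags_frag,
                     64, proto, 0, bytes(map(int, src_ip.split("."))), bytes([192, 168, 0, 1]))
    return eth + ip + bytes(payload_len)

# Constructed sample traffic (addresses are made up for the example).
SAMPLE = [
    build_frame("02:00:00:00:00:10", "192.168.0.10", 0, False, 64),       # ordinary echo
    build_frame("02:00:00:00:00:10", "192.168.0.10", 185, True, 1480),    # middle fragment
    build_frame("02:00:00:00:00:50", "192.168.0.50", 8189, False, 1000),  # ends at byte 66512
    build_frame("02:00:00:00:00:50", "192.168.0.50", 8189, False, 1000),
    build_frame("02:00:00:00:00:60", "192.168.0.60", 8189, False, 1000, proto=17),  # UDP, not ICMP
]

if __name__ == "__main__":
    for (mac, ip), n in count_sources(SAMPLE).items():
        print(f"{n} oversize ICMP fragment(s) from {ip} ({mac})")
```

The source MAC identifies the sending device only when the capture is taken on the same LAN segment, for example from the mirrored port; for traffic arriving from outside, it is the upstream gateway's MAC.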


Comments

I installed two R600VPN at different locations and they have the same problem. I just unchecked the security options that were checked as default. I'll check what happens.

Thanks!

AlexatCube ( 2019-12-19 08:48:49 +0000 )

Oh, both sites have a surveillance system, so I needed to add a rule like NAT, but I don't think that would be a reason for this.

AlexatCube ( 2019-12-19 08:51:56 +0000 )

answered 2019-12-18 09:59:07 +0000

grahamb

It's likely that the "attacking" device for your "ping of death" is external to your firewall, and probably spoofed for good measure.

To see anything with Wireshark you'll need to arrange a capture on the interface of the firewall that is receiving these packets. The firewall may be able to perform a capture itself that you can then inspect with Wireshark.

See the Wiki page on Ethernet capture setup for more info, with particular interest on capturing switched networks.


Comments

I will set a schedule for a visit when the problem occurs again. I just unchecked everything in security options that were checked as default.

thanks,

AlexatCube ( 2019-12-19 08:49:50 +0000 )

Stats

Asked: 2019-12-18 05:32:05 +0000

Seen: 1,678 times

Last updated: Dec 19 '19