
I'd like to find an end-point device that generates an error


Hello,

I recently installed a router at an office. The problem is that the new router stops working almost every two weeks, and I need to unplug and re-plug its power cord to make it work again.

I checked the logs page of the router and, as attached, a "Detected ping of death attack" log is recorded every few seconds. I'm pretty sure that it's not actually something like hacking, so I just want to find the end-point device that keeps generating the log.

I just downloaded and installed Wireshark on my laptop and went over some blog posts about it. However, I couldn't find anything that applies to my situation. Can anybody help me resolve the issue, please?

Thanks,

Just noticed that I can't upload an image without having an account for this site, so I'm adding the logs here:

1   2019-12-18 14:29:18 Firewall    WARNING Detected Ping of Death attack. Dropped 3 packets.
2   2019-12-18 14:29:11 Firewall    WARNING Detected Ping of Death attack. Dropped 3 packets.
3   2019-12-18 14:29:05 Firewall    WARNING Detected Ping of Death attack. Dropped 3 packets.
4   2019-12-18 14:28:58 Firewall    WARNING Detected Ping of Death attack. Dropped 3 packets.
5   2019-12-18 14:28:52 Firewall    WARNING Detected Ping of Death attack. Dropped 3 packets.
6   2019-12-18 14:28:45 Firewall    WARNING Detected Ping of Death attack. Dropped 3 packets.
7   2019-12-18 14:28:39 Firewall    WARNING Detected Ping of Death attack. Dropped 3 packets.
8   2019-12-18 14:28:32 Firewall    WARNING Detected Ping of Death attack. Dropped 3 packets.
9   2019-12-18 14:28:26 Firewall    WARNING Detected Ping of Death attack. Dropped 3 packets.
AlexatCube, asked 2019-12-18 05:32:05 +0000; updated by grahamb, 2019-12-18 09:53:21 +0000

Comments

More:

3   2019-12-18 14:29:05 Firewall    WARNING Detected Ping of Death attack. Dropped 3 packets.
4   2019-12-18 14:28:58 Firewall    WARNING Detected Ping of Death attack. Dropped 3 packets.
5   2019-12-18 14:28:52 Firewall    WARNING Detected Ping of Death attack. Dropped 3 packets.
6   2019-12-18 14:28:45 Firewall    WARNING Detected Ping of Death attack. Dropped 3 packets.
AlexatCube (2019-12-18 05:34:31 +0000)

What is the model of the router?

grahamb (2019-12-18 09:59:23 +0000)

It's a TP-Link R600VPN.

AlexatCube (2019-12-19 08:47:35 +0000)

2 Answers


"Ping" and "attack" could be a red herring. Without knowing how the device detects this there could be other causes.
Here is an example from Cisco that doesn't look at the ICMP Type or Code fields:

Triggers when an IP datagram is received with the protocol field of the IP header set to 1 (ICMP), the Last Fragment bit is set, and (IP offset * 8) + (IP data length) > 65535; that is to say, the IP offset (which represents the starting position of this fragment in the original packet, and which is in 8-byte units) plus the rest of the packet is greater than the maximum size for an IP packet. This indicates a denial of service attack.


ICMP is used for a lot more than just ping requests/replies.
It's possible that something in the network is sending an improperly formatted ICMP packet.
ICMP packets generated by an IP phone:
https://support.huawei.com/enterprise...

It doesn't look like the TL-R600VPN supports packet capture. It does support port mirroring.
That would require a site visit and a wired connection to your laptop running Wireshark.

Chuckc, answered 2019-12-19 02:18:47 +0000
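The Cisco signature quoted in this answer is simple enough to check by hand against a capture. The following is an added example, not code from Chuckc, Cisco or the Wireshark project: it decodes the fixed IPv4 header fields, applies the rule (protocol 1, More Fragments clear, offset * 8 + data length > 65535) and reports the source address and implied reassembled size of each matching packet. The sample headers, addresses (192.0.2.x, documentation range) and function names are all constructed for the example.

```python
import struct

# Signature from the Cisco description: protocol 1 (ICMP), last fragment (MF clear),
# and (fragment offset * 8) + IP data length > 65535 (maximum IPv4 total length).
IPV4_MAX_TOTAL_LENGTH = 65535
PROTO_ICMP = 1
IPV4_HEADER_FMT = "!BBHHHBBH4s4s"   # fixed 20-byte IPv4 header, no options


def parse_ipv4_header(packet: bytes) -> dict:
    """Decode the IPv4 header fields the check needs; raises on junk input."""
    if len(packet) < 20:
        raise ValueError("truncated IPv4 header")
    (ver_ihl, _tos, total_length, _ident, flags_frag,
     _ttl, proto, _csum, src, dst) = struct.unpack(IPV4_HEADER_FMT, packet[:20])
    version = ver_ihl >> 4
    header_length = (ver_ihl & 0x0F) * 4
    if version != 4 or header_length < 20:
        raise ValueError("not a valid IPv4 header")
    return {
        "total_length": total_length,
        "header_length": header_length,
        "more_fragments": bool(flags_frag & 0x2000),   # MF flag
        "frag_offset": flags_frag & 0x1FFF,            # 13 bits, in 8-byte units
        "proto": proto,
        "src": ".".join(str(b) for b in src),
        "dst": ".".join(str(b) for b in dst),
    }


def reassembled_size(hdr: dict) -> int:
    """Where this fragment would end in the reassembled datagram."""
    return hdr["frag_offset"] * 8 + (hdr["total_length"] - hdr["header_length"])


def is_oversized_last_fragment(hdr: dict) -> bool:
    """Apply the quoted signature to one decoded header."""
    if hdr["proto"] != PROTO_ICMP or hdr["more_fragments"]:
        return False
    return reassembled_size(hdr) > IPV4_MAX_TOTAL_LENGTH


def scan_packets(packets) -> list:
    """Return (index, source address, implied size) for every matching packet.
    The source address is a lead, not proof: it may be spoofed."""
    hits = []
    for index, packet in enumerate(packets):
        hdr = parse_ipv4_header(packet)
        if is_oversized_last_fragment(hdr):
            hits.append((index, hdr["src"], reassembled_size(hdr)))
    return hits


def make_ipv4_header(total_length, more_fragments, frag_offset, proto, src, dst) -> bytes:
    """Build a constructed header-only sample (checksum left as 0; test data only)."""
    ver_ihl = (4 << 4) | 5
    flags_frag = (0x2000 if more_fragments else 0) | (frag_offset & 0x1FFF)
    return struct.pack(IPV4_HEADER_FMT, ver_ihl, 0, total_length, 0x1234,
                       flags_frag, 64, proto, 0, bytes(src), bytes(dst))


LAN_HOST = (192, 0, 2, 10)   # constructed addresses, documentation range
ROUTER = (192, 0, 2, 1)
SAMPLE_PACKETS = [
    # 0: ordinary 64-byte ping, not fragmented
    make_ipv4_header(84, False, 0, PROTO_ICMP, LAN_HOST, ROUTER),
    # 1: last ICMP fragment at offset 8185*8 = 65480 carrying 100 bytes -> 65580 > 65535
    make_ipv4_header(120, False, 8185, PROTO_ICMP, LAN_HOST, ROUTER),
    # 2: same geometry with MF set: not the last fragment, so the rule ignores it
    make_ipv4_header(120, True, 8185, PROTO_ICMP, LAN_HOST, ROUTER),
    # 3: same geometry but UDP (protocol 17): the signature only looks at ICMP
    make_ipv4_header(120, False, 8185, 17, LAN_HOST, ROUTER),
    # 4: last ICMP fragment that fits: 8000*8 + 100 = 64100
    make_ipv4_header(120, False, 8000, PROTO_ICMP, LAN_HOST, ROUTER),
]

if __name__ == "__main__":
    for index, src, size in scan_packets(SAMPLE_PACKETS):
        print(f"packet {index}: last ICMP fragment from {src} implies {size} bytes")
```

On a real capture taken through the router's port mirror, feed each frame's IPv4 header (after the 14-byte Ethernet header) to the same check; the matching frame's source MAC address and switch port are a better lead to the sending device than the IP address, which can be spoofed. In Wireshark itself, the fields `ip.proto`, `ip.flags.mf` and `ip.frag_offset` give a starting display filter for the same packets.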

Comments

I installed two R600VPNs at different locations and they have the same problem. I just unchecked the security options that were checked by default. I'll check what happens.

Thanks!

AlexatCube (2019-12-19 08:48:49 +0000)

Oh, both sites have a surveillance system, so I needed to add a rule like NAT, but I don't think that would be a reason for this.

AlexatCube (2019-12-19 08:51:56 +0000)

It's likely that the "attacking" device for your "ping of death" is external to your firewall, and probably spoofed for good measure.

To see anything with Wireshark you'll need to arrange a capture on the interface of the firewall that is receiving these packets. The firewall may be able to perform a capture itself that you can then inspect with Wireshark.

See the Wiki page on Ethernet capture setup for more info, with particular interest on capturing switched networks.

grahamb, answered 2019-12-18 09:59:07 +0000

Comments

I will schedule a visit when the problem occurs again. I just unchecked everything in the security options that was checked by default.

thanks,

AlexatCube (2019-12-19 08:49:50 +0000)