A DoS attack on the TCP Listener

Post your questions about SoftEther VPN software here. Please answer questions if you can afford.
Post Reply
Posts: 5
Joined: Mon Sep 02, 2019 9:44 am

A DoS attack on the TCP Listener

Post by superma333 » Tue Sep 24, 2019 8:50 am

Hi All

Today I found some strange behavior of our Softether VPN server: Some of our remote clients stop to connect to the server and after reading the Server's log I found some errors, that comes from IPs that our remote VPN clients should to connect from: A error is "A DoS attack on the TCP Listener (port 992) has been detected" followed by IP of from client network.

Do you have any other tips/ideas that could help me?

You do not have the required permissions to view the files attached to this post.

Posts: 62
Joined: Thu Sep 19, 2019 7:18 pm

Re: A DoS attack on the TCP Listener

Post by ozone » Tue Sep 24, 2019 11:12 pm

Hi Leo,

I've seen this in 2 different situations.
1- (legitimate) user was trying to (re)connect too often - too fast;
2- a genuine attempt to gain access by malicious party.

"1" can be identified by comparing the ip's of legit logins with the suspected DoS attackers IP in the log.
Barring ip-spoofing, only 2 is really bad. ("1" can be avoided by configuration)

To avoid being hacked, generally some things do spring to mind:
-Use AdminIP.txt;
-Disabe Webif;
-Disable unused services;
-Disable unused access ports;
-Change to non-standard port;
-Avoid using DDNS, hackers love those...

(Depending on situation, some routers may actually even stealth the open ports for common port-scans)

And if all else fails, there is even a setting in the SE configfile that disables the DoS detection: bool DisableDosProction
(not recommended)

Good luck.

Post Reply