Hi All
Today I found some strange behavior on our SoftEther VPN server: some of our remote clients stopped connecting to the server, and after reading the server's log I found some errors that come from IPs our remote VPN clients should be connecting from. The error is "A DoS attack on the TCP Listener (port 992) has been detected", followed by the IP of the client network.
Do you have any other tips/ideas that could help me?
Leo
A DoS attack on the TCP Listener
Re: A DoS attack on the TCP Listener
Hi Leo,
I've seen this in 2 different situations.
1- A (legitimate) user was trying to (re)connect too often, too fast;
2- a genuine attempt by a malicious party to gain access.
"1" can be identified by comparing the IPs of legitimate logins with the suspected DoS attacker's IP in the log.
Barring IP spoofing, only 2 is really bad. ("1" can be avoided by configuration)
To avoid being hacked, generally some things do spring to mind:
-Use AdminIP.txt;
-Disable the web interface;
-Disable unused services;
-Disable unused access ports;
-Change to non-standard port;
-Avoid using DDNS, hackers love those...
(Depending on situation, some routers may actually even stealth the open ports for common port-scans)
And if all else fails, there is even a setting in the SE configfile that disables the DoS detection: bool DisableDosProction
(not recommended)
Good luck.
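The comparison the reply suggests for telling case 1 from case 2 (are the addresses that trip the DoS detector the same ones your users log in from?) can be scripted. The following is an added example, not code from the thread or from the SoftEther project. The sample log is constructed: the DoS line copies the wording quoted in the question, but the connect/authentication lines are an assumed approximation of SoftEther's server log, so the parser matches on short marker phrases and extracts the first IPv4 address on each line rather than relying on a full-line format. Function names and the allow-list parameter are mine.

```python
import re
from collections import Counter

# Constructed sample of a SoftEther server log. The DoS message matches the
# one quoted in the thread; the connect and authentication lines are an
# assumed approximation, which is why matching below keys on marker phrases.
SAMPLE_LOG = """\
2019-09-20 08:00:01.120 On the TCP Listener (Port 992), a Client (IP address 203.0.113.10, Port number 50120) has connected.
2019-09-20 08:00:01.300 Session "SID-LEO-1": User "leo" (203.0.113.10) has been authenticated.
2019-09-20 08:00:05.001 A DoS attack on the TCP Listener (port 992) has been detected. The connection source IP is 203.0.113.10, port 50121.
2019-09-20 08:00:05.002 A DoS attack on the TCP Listener (port 992) has been detected. The connection source IP is 203.0.113.10, port 50122.
2019-09-20 08:00:05.003 A DoS attack on the TCP Listener (port 992) has been detected. The connection source IP is 203.0.113.10, port 50123.
2019-09-20 08:01:10.500 A DoS attack on the TCP Listener (port 992) has been detected. The connection source IP is 198.51.100.77, port 40001.
2019-09-20 08:01:10.900 A DoS attack on the TCP Listener (port 992) has been detected. The connection source IP is 198.51.100.77, port 40002.
"""

IPV4 = re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b")
DOS_MARKER = "A DoS attack on the TCP Listener"      # wording from the thread
AUTH_MARKER = "has been authenticated"               # assumed login marker


def parse_server_log(text):
    """Return (dos_hits, login_ips).

    dos_hits  -- Counter of source IPs the DoS detector flagged, by hit count
    login_ips -- set of source IPs that completed a user authentication
    """
    dos_hits = Counter()
    login_ips = set()
    for line in text.splitlines():
        ips = IPV4.findall(line)
        if not ips:
            continue                      # timestamps and ports carry no IPv4
        if DOS_MARKER in line:
            dos_hits[ips[0]] += 1
        elif AUTH_MARKER in line:
            login_ips.add(ips[0])
    return dos_hits, login_ips


def classify_dos_sources(dos_hits, login_ips, allow_list=frozenset()):
    """Map each flagged IP to (verdict, hit_count), most frequent first.

    'reconnect-storm' : the address also logs in successfully (case 1 in the
                        reply) or is on an operator-supplied allow list
    'unknown-source'  : never seen authenticating (case 2, worth blocking)
    """
    trusted = set(login_ips) | set(allow_list)
    return {
        ip: ("reconnect-storm" if ip in trusted else "unknown-source", hits)
        for ip, hits in dos_hits.most_common()
    }


def report(text, allow_list=frozenset()):
    """Parse a log and classify every address the DoS detector flagged."""
    dos_hits, login_ips = parse_server_log(text)
    return classify_dos_sources(dos_hits, login_ips, allow_list)


if __name__ == "__main__":
    for ip, (verdict, hits) in report(SAMPLE_LOG).items():
        print(f"{ip:16} {hits:4d} hit(s)  {verdict}")
```

Run it against a real server_log file by passing the file contents to report(); pass the public addresses of your branch sites as allow_list if they authenticate rarely enough to be missing from the window you are looking at. Two caveats a practitioner should keep in mind: a whole site behind one NAT address shows up as a single IP, so a few clients all retrying at once after a WAN outage can trip the detector from an address that is perfectly legitimate (the reply's case 1, and apparently the question's situation); conversely, a "reconnect-storm" verdict only says the address is one your users log in from, not that everything coming from it is benign, so treat it as a triage hint rather than proof.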