A DoS attack on the TCP Listener

[superma333]

Hi All

Today I found some strange behavior of our Softether VPN server: Some of our remote clients stop to connect to the server and after reading the Server's log I found some errors, that comes from IPs that our remote VPN clients should to connect from: A error is "A DoS attack on the TCP Listener (port 992) has been detected" followed by IP of from client network.

Do you have any other tips/ideas that could help me?

Leo

[ozone]

Hi Leo,

I've seen this in 2 different situations.
1- (legitimate) user was trying to (re)connect too often - too fast;
2- a genuine attempt to gain access by malicious party.

"1" can be identified by comparing the ip's of legit logins with the suspected DoS attackers IP in the log.
Barring ip-spoofing, only 2 is really bad. ("1" can be avoided by configuration)

To avoid being hacked, generally some things do spring to mind:
-Use AdminIP.txt;
-Disabe Webif;
-Disable unused services;
-Disable unused access ports;
-Change to non-standard port;
-Avoid using DDNS, hackers love those...

(Depending on situation, some routers may actually even stealth the open ports for common port-scans)

And if all else fails, there is even a setting in the SE configfile that disables the DoS detection: bool DisableDosProction
(not recommended)

Good luck.

[user65235211]

For situation #1: Is there a way to whitelist the IP address of the legitimate user? In our case, we had to turn off DoS Protection because we had multiple users (endpoints) sitting at the same office which was causing DoS Protection to be trigger and blocking some connections.