A DoS attack on the TCP Listener

superma333 · Post by **superma333** » Tue Sep 24, 2019 8:50 am

Hi All

Today I found some strange behavior of our Softether VPN server: Some of our remote clients stop to connect to the server and after reading the Server's log I found some errors, that comes from IPs that our remote VPN clients should to connect from: A error is "A DoS attack on the TCP Listener (port 992) has been detected" followed by IP of from client network.

Do you have any other tips/ideas that could help me?

Leo

ozone · Post by **ozone** » Tue Sep 24, 2019 11:12 pm

Hi Leo,

I've seen this in 2 different situations.
1- (legitimate) user was trying to (re)connect too often - too fast;
2- a genuine attempt to gain access by malicious party.

"1" can be identified by comparing the ip's of legit logins with the suspected DoS attackers IP in the log.
Barring ip-spoofing, only 2 is really bad. ("1" can be avoided by configuration)

To avoid being hacked, generally some things do spring to mind:
-Use AdminIP.txt;
-Disabe Webif;
-Disable unused services;
-Disable unused access ports;
-Change to non-standard port;
-Avoid using DDNS, hackers love those...

(Depending on situation, some routers may actually even stealth the open ports for common port-scans)

And if all else fails, there is even a setting in the SE configfile that disables the DoS detection: bool DisableDosProction
(not recommended)

Good luck.

A DoS attack on the TCP Listener

A DoS attack on the TCP Listener

Re: A DoS attack on the TCP Listener