A DoS attack on the TCP Listener

superma333
Posts: 5
Joined: Mon Sep 02, 2019 9:44 am

A DoS attack on the TCP Listener

Post by superma333 » Tue Sep 24, 2019 8:50 am

Hi All

Today I found some strange behavior of our SoftEther VPN server: some of our remote clients stopped connecting to the server, and after reading the server's log I found some errors that come from IPs that our remote VPN clients connect from. The error is "A DoS attack on the TCP Listener (port 992) has been detected", followed by the IP of the client network.

Do you have any other tips/ideas that could help me?

Leo

ozone
Posts: 65
Joined: Thu Sep 19, 2019 7:18 pm

Re: A DoS attack on the TCP Listener

Post by ozone » Tue Sep 24, 2019 11:12 pm

Hi Leo,

I've seen this in 2 different situations.
1- (legitimate) user was trying to (re)connect too often - too fast;
2- a genuine attempt to gain access by malicious party.

"1" can be identified by comparing the IPs of legit logins with the suspected DoS attacker's IP in the log.
Barring IP spoofing, only 2 is really bad. ("1" can be avoided by configuration)

To avoid being hacked, generally some things do spring to mind:
-Use AdminIP.txt;
-Disable Webif;
-Disable unused services;
-Disable unused access ports;
-Change to non-standard port;
-Avoid using DDNS, hackers love those...

(Depending on situation, some routers may actually even stealth the open ports for common port-scans)

And if all else fails, there is even a setting in the SE config file that disables the DoS detection: bool DisableDosProction
(not recommended)

Good luck.
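The identification step for situation 1 above (compare the source IPs of the DoS detections with the IPs of legitimate logins) can be automated over the server log. The script below is an added example, not SoftEther code: it parses a handful of constructed log lines, counts DoS detections per source IP, and marks a source as a likely legitimate reconnect when the same IP also has a successful login in the log or falls inside an operator-supplied list of known office networks (an assumption for triage only, not a SoftEther whitelist feature). The wording of the DoS message follows the quote in the thread; the timestamp layout and the login line format are assumptions and may need adjusting to the real log.

```python
"""Triage "A DoS attack on the TCP Listener" entries in a SoftEther server log.

Added example (not SoftEther's own code). Separates situation 1 (a legitimate
client reconnecting too fast) from situation 2 (an unknown source hammering
the listener) by cross-referencing detection IPs with login IPs.
"""
import re
from collections import defaultdict
from datetime import datetime
from ipaddress import ip_address, ip_network

# Constructed sample log. The DoS message text matches the thread; the
# timestamp layout and the "logged in" line are ASSUMED formats.
SAMPLE_LOG = """\
2019-09-24 08:40:55.000 Session "SID-OFFICE-1": User "alice" from 203.0.113.10 logged in.
2019-09-24 08:41:02.101 A DoS attack on the TCP Listener (port 992) has been detected. The connecting source IP address is 203.0.113.10, port number is 51234. This connection will be forcefully disconnected.
2019-09-24 08:41:03.455 A DoS attack on the TCP Listener (port 992) has been detected. The connecting source IP address is 203.0.113.10, port number is 51235. This connection will be forcefully disconnected.
2019-09-24 08:41:04.002 A DoS attack on the TCP Listener (port 992) has been detected. The connecting source IP address is 203.0.113.10, port number is 51236. This connection will be forcefully disconnected.
2019-09-24 08:41:05.877 Session "SID-OFFICE-2": User "bob" from 203.0.113.10 logged in.
2019-09-24 08:47:10.300 A DoS attack on the TCP Listener (port 992) has been detected. The connecting source IP address is 198.51.100.7, port number is 40001. This connection will be forcefully disconnected.
2019-09-24 08:47:10.311 A DoS attack on the TCP Listener (port 992) has been detected. The connecting source IP address is 198.51.100.7, port number is 40002. This connection will be forcefully disconnected.
2019-09-24 08:47:10.320 A DoS attack on the TCP Listener (port 992) has been detected. The connecting source IP address is 198.51.100.7, port number is 40003. This connection will be forcefully disconnected.
2019-09-24 08:47:10.333 A DoS attack on the TCP Listener (port 992) has been detected. The connecting source IP address is 198.51.100.7, port number is 40004. This connection will be forcefully disconnected.
"""

TS = r"^(?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2})\.\d+ "
DOS_RE = re.compile(
    TS + r"A DoS attack on the TCP Listener \(port (?P<port>\d+)\) has been detected\. "
    r"The connecting source IP address is (?P<ip>[0-9a-fA-F.:]+)"
)
LOGIN_RE = re.compile(
    TS + r'Session "[^"]+": User "(?P<user>[^"]+)" from (?P<ip>[0-9a-fA-F.:]+) logged in'
)


def parse_events(text):
    """Return (timestamp, kind, ip, extra) tuples for DoS and login lines."""
    events = []
    for line in text.splitlines():
        m = DOS_RE.match(line)
        if m:
            ts = datetime.strptime(m["ts"], "%Y-%m-%d %H:%M:%S")
            events.append((ts, "dos", m["ip"], int(m["port"])))
            continue
        m = LOGIN_RE.match(line)
        if m:
            ts = datetime.strptime(m["ts"], "%Y-%m-%d %H:%M:%S")
            events.append((ts, "login", m["ip"], m["user"]))
    return events


def triage(text, known_networks=()):
    """Per source IP: detection count, burst span, users seen, and a verdict.

    known_networks: optional CIDR strings for office sites whose clients are
    expected to reconnect (an assumption of this example, not a server setting).
    """
    nets = [ip_network(n) for n in known_networks]
    logins = defaultdict(set)   # ip -> usernames that logged in from it
    dos = defaultdict(list)     # ip -> timestamps of DoS detections
    for ts, kind, ip, extra in parse_events(text):
        if kind == "login":
            logins[ip].add(extra)
        else:
            dos[ip].append(ts)

    report = {}
    for ip, stamps in dos.items():
        stamps.sort()
        span = (stamps[-1] - stamps[0]).total_seconds()
        in_known = any(ip_address(ip) in n for n in nets)
        legit = bool(logins.get(ip)) or in_known
        report[ip] = {
            "detections": len(stamps),
            "span_seconds": span,
            "users": sorted(logins.get(ip, ())),
            "in_known_network": in_known,
            "verdict": "situation-1-legit-reconnect" if legit else "situation-2-suspicious",
        }
    return report


if __name__ == "__main__":
    for ip, info in triage(SAMPLE_LOG).items():
        print(ip, info)
```

Run it against the real server log (`triage(open("server_log.log").read())`) once the two regexes match your log's line layout; sources that land in situation 2 are the ones worth blocking upstream, while situation 1 sources point at a client-side reconnect loop to fix rather than a reason to disable the detection.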

user65235211
Posts: 2
Joined: Sat Sep 07, 2019 5:39 pm

Re: A DoS attack on the TCP Listener

Post by user65235211 » Mon Dec 28, 2020 5:58 pm

For situation #1: Is there a way to whitelist the IP address of the legitimate user? In our case, we had to turn off DoS Protection because we had multiple users (endpoints) sitting at the same office, which was causing DoS Protection to be triggered and blocking some connections.
