TP-Link DoS protection blocks Bonjour

Question

We have an Apple-centric office and as such we rely on Bonjour (mDNS) for auto-discovery of things like printers, AirPlay targets, and pseudo-servers (e.g. exchanging files between desktop computers).

I just installed a TP-Link T1600G L2+ switch as our core switch as a step to help manage the network as we embrace IPv6 and the proliferation of Internet-connected devices. (Eventually I want to be able to have guests sign into our WiFi, access the internet, and also access the Apple TV/AirPlay in our conference rooms, but not access any of our other internal resources, for example, but I understand that will take a full Level 3 router (on order), and that will be a different post if I run into trouble.)

For now, I just installed the T1600G, plugged the WAN router/NAT/DHCP server, all our dumb L2 switches and wireless APs, our main servers, and our IoT devices into it (intending to isolate the APs and IoT stuff via VLANs later). But I haven't even gotten as far as setting up a VLAN and already I've broken something.

In particular, I've found that enabling the T1600G "DoS Defend" protection, firmware version "1.0.3 Build 20160412 Rel.43154(s)", blocks Bonjour somehow, but I can't figure out how or why or what to do about it (other than leave the DoS protections turned off). I'm not even sure how to diagnose the problem because I don't know how to force a Bonjour advertisement to be issued.

Is there something about IPv6 multicast that looks like IPv4 DoS attack?

Update

I called TP-Link business technical support. They didn't know what Bonjour was and hung up on me.

Answer 1

The problem was the "Blat Attack" filter. A Blat Attack is a specialization of a "Land Attack", but somehow the filter evolved only to check for the specialization, not the full blown attack. In detail...

A "Land Attack" is when an attacker sends a spoofed TCP SYN packet containing the IP address of the victim as both the destination and the source IP address. The vulnerable system ends up replying to itself in a feedback loop. A "Blat Attack" is an "improvement" on the Land Attack, adding that the source and destination ports are identical, and sometimes abusing the URG flag as well.

Well, somewhere along the line someone thought that it was always malicious to send an IP packet with the same source and destination port, so the Blat Attack defense just blocks any IP packet with the same source and destination port, even though there is absolutely nothing wrong with that if the source and destination addresses are different.

Bonjour (mDNS) sends announcements both to and from the same port (5353), and the Blat Attack defense stops those packets from being forwarded. Since the Blat Attack filter is truly useless in its current implementation (Blat Attacks would be stopped by the Land Attack filter anyway), there is no reason not to turn it off, so I did, and that solved the problem.