18.104.22.168 - "Im"-Possible UDP flood attack detected
while tinkering with the Flood Protection I came across some log entries which causing some confusion.
For UDP flood protection I've had the Parameter "UDP Flood Attack Threshold (UDP Packets / Sec):" set to 10000, which looked like a reasonable value to me in my environment.
In the log I was able to see "Possible UDP flood attack detected" events which mentioned detected values like this: Most active attacker information: x.x.x.x:38145 -> y.y.y.y:514 (1219486 pkts).
This is IMHO impossible, because x.x.x.x is a simple SIP phone sending some syslog messages to y.y.y.y. For that specific day I had only 133000 events on the syslog server store.
1.2M packets in a second would have set my Yealink phone on fire I guess.
Many other flood attack related log entries showing high numbers which do not seem to be right.
Can anyone shed some light on this?