126.96.36.199 - "Im"-Possible UDP flood attack detected
while tinkering with the Flood Protection I came across some log entries which causing some confusion.
For UDP flood protection I've had the Parameter "UDP Flood Attack Threshold (UDP Packets / Sec):" set to 10000, which looked like a reasonable value to me in my environment.
In the log I was able to see "Possible UDP flood attack detected" events which mentioned detected values like this: Most active attacker information: x.x.x.x:38145 -> y.y.y.y:514 (1219486 pkts).
This is IMHO impossible, because x.x.x.x is a simple SIP phone sending some syslog messages to y.y.y.y. For that specific day I had only 133000 events on the syslog server store.
1.2M packets in a second would have set my Yealink phone on fire I guess.
Many other flood attack related log entries showing high numbers which do not seem to be right.
Can anyone shed some light on this?
The flood protection/detection looks at the numbers of packets coming in or going out from the same IP in a specified time.
///UDP Flood Attack Threshold (UDP Packets / Sec): 10000
if the firewall gets 10000 UDP packets from the same IP within 2 Seconds
///UDP Flood Attack Blocking Time (Sec): 2
it will block all UDP packets coming from the IP for 30 Seconds
///Default UDP Connection Timeout (seconds): 30
This can of course cause issues in some UDP communications, for example with Skype, teams and SIP/VoIP.
That is why you can or should include/exclude some IP addresses from the UDP flood protection.
///UDP Flood Attack Protected Destination List: Any (default)
Keep in mind, syslogs are sent in UDP as well
@Michael_Bischof thanks for the reply, but my Phone is probably not capable to generate 1.2M syslog events in two seconds, any other possible explanation?
The syslog from my phone holds approx 130 K events for the whole day, how could Flood protection complain about 1.2M packets in a 2 second window?
Also, don't forget that a single syslog message may be broken up into multiple individual packets. So 1 log message may actually be broken up into 8 packets because of MTU / Windows Sizing / Etc.
@TKWITS I dissected all stored messages and there was a few times a peak of around 300 messages per second over the day, but the maximum length was not higher than 394, no fragmentation needed.
No matter what I do, I do not come even close the the 1.2M packets the Flood protection is reporting.
I wonder if its incorrectly reporting the AMOUNT of data rather than the number of packets...
@TKWITS I dunno, something is up, but as long I'am the only one I have to live with it.
I had to disable Flood Protection anyways, because I wanna make sure that Vodafone fixes my connection first and I don't want to look at the wrong end.
Was there ever a solution found for this? I have a firewall experiencing UDP floods with their phones also, we have had to set the global UDP check to 50000 second to have consistent communications. There are only 12 phones in this installation, it is not realistic to have 50k UDP / seconds. It is not supported by packet captures.
@DatalinkAdam sorry, I gave up on that for now.