Thread Info
  • State Not Answered
  • Locked Locked
  • Replies 9 replies
  • Subscribers 3 subscribers
  • Views 7057 views
  • Users 0 members are here
Options
Suggested
This discussion has been locked.
You can no longer post new replies to this discussion. If you have a question you can start a new discussion

IPS exceptions not working - UDP flood detected

Sam Malone

We are having an issue with our UTM 9.605-1 device. We have user reports of poor connection quality when using video conference and web-browser based phone calling services (Twilio).

We have the IPS enabled globally, and we have UDP flood protection enabled with settings:

We were experiencing some logging of "name="UDP flood detected" action="UDP flood" fwrule="60013" in the logfile, so I made the decision to enter an exception for inbound and outbound traffic using these various TCP and UDP ports:

But the UDP flood detected messages were still appearing in the log file.  So then I attempted to disable the offending UDP flooding rule, specifically: fwrule="60013" as follows:

But even after that I am still seeing UDP flood detected messages in the log file regarding that same fwrule:

2020:02:06-10:16:13 utm-2 ulogd[17598]: id="2105" severity="info" sys="SecureNet" sub="ips" name="UDP flood detected" action="UDP flood" fwrule="60013" initf="eth4" srcmac="64:64:9b:56:44:00" dstmac="00:1a:8c:f0:6e:e4" srcip="173.194.162.140" dstip="209.131.229.254" proto="17" length="1378" tos="0x00" prec="0x00" ttl="61" srcport="443" dstport="49277"
2020:02:06-10:16:13 utm-2 ulogd[17598]: id="2105" severity="info" sys="SecureNet" sub="ips" name="UDP flood detected" action="UDP flood" fwrule="60013" initf="eth4" srcmac="64:64:9b:56:44:00" dstmac="00:1a:8c:f0:6e:e4" srcip="173.194.162.140" dstip="209.131.229.254" proto="17" length="1378" tos="0x00" prec="0x00" ttl="61" srcport="443" dstport="49277"
2020:02:06-10:16:14 utm-2 ulogd[17598]: id="2105" severity="info" sys="SecureNet" sub="ips" name="UDP flood detected" action="UDP flood" fwrule="60013" initf="eth4" srcmac="64:64:9b:56:44:00" dstmac="00:1a:8c:f0:6e:e4" srcip="173.194.162.140" dstip="209.131.229.254" proto="17" length="1378" tos="0x00" prec="0x00" ttl="61" srcport="443" dstport="49277"

in the above example, 209.131.229.254="External (WAN) - Jaguar Comm (Address)" so it should be in my exception list AND the rule 60013 should be disabled anyway.  It appears as though the exceptions listed, as well as completely disabling the rule in the advanced section have no effect.

Can someone shed some light on my situation? Thanks.



This thread was automatically locked due to age.
Parents
  • 0

    The rule# 60013 is for UDP flood protection.

    60013 raw:PREROUTING Drop UDP_FLOOD attempts LOG and DROP

    But the rule ID you entered in Modified rules, is for IPS and these are two different things. But I'm still not sure why IPS exception is not applied. Have you tried creating an exception only for the ports and not specifying the source and destination?

    Regards

    Jaydeep

  • 0 in reply to Jaydeep

    I've done some more looking into this issue. I think I've identified the issue.

    I created a new rule without any network or address definitions:

    But I'm still getting hundreds of UDP flood blocking, see the log below. But notice how the rule says "using these services: TCP/UDP 443". I believe this rule will only match when the DESTINATION port is 443.  But notice below how we have UDP (proto 17) port 443 is responding to the ephemeral port number of the UTM device, and this appears as the "srcport="443"".

    Is this a bug?  I suspect it is, because I would expect the UTM exception to respect a filter on SRC and DST ports, especially in the instance of legitimate UDP responses as seen below.

    2020:02:10-10:29:27 utm-2 ulogd[8750]: id="2105" severity="info" sys="SecureNet" sub="ips" name="UDP flood detected" action="UDP flood" fwrule="60013" initf="eth4" srcmac="64:64:9b:56:44:00" dstmac="00:1a:8c:f0:6e:e4" srcip="74.125.159.25" dstip="209.131.229.254" proto="17" length="1378" tos="0x00" prec="0x00" ttl="61" srcport="443" dstport="55470"
    2020:02:10-10:29:27 utm-2 ulogd[8750]: id="2105" severity="info" sys="SecureNet" sub="ips" name="UDP flood detected" action="UDP flood" fwrule="60013" initf="eth4" srcmac="64:64:9b:56:44:00" dstmac="00:1a:8c:f0:6e:e4" srcip="74.125.159.25" dstip="209.131.229.254" proto="17" length="1378" tos="0x00" prec="0x00" ttl="61" srcport="443" dstport="55470"
    2020:02:10-10:29:27 utm-2 ulogd[8750]: id="2105" severity="info" sys="SecureNet" sub="ips" name="UDP flood detected" action="UDP flood" fwrule="60013" initf="eth4" srcmac="64:64:9b:56:44:00" dstmac="00:1a:8c:f0:6e:e4" srcip="74.125.159.25" dstip="209.131.229.254" proto="17" length="1378" tos="0x00" prec="0x00" ttl="61" srcport="443" dstport="55470"
    2020:02:10-10:29:28 utm-2 ulogd[8750]: id="2105" severity="info" sys="SecureNet" sub="ips" name="UDP flood detected" action="UDP flood" fwrule="60013" initf="eth4" srcmac="64:64:9b:56:44:00" dstmac="00:1a:8c:f0:6e:e4" srcip="74.125.159.25" dstip="209.131.229.254" proto="17" length="1378" tos="0x00" prec="0x00" ttl="61" srcport="443" dstport="55470"
    2020:02:10-10:29:28 utm-2 ulogd[8750]: id="2105" severity="info" sys="SecureNet" sub="ips" name="UDP flood detected" action="UDP flood" fwrule="60013" initf="eth4" srcmac="64:64:9b:56:44:00" dstmac="00:1a:8c:f0:6e:e4" srcip="74.125.159.25" dstip="209.131.229.254" proto="17" length="1378" tos="0x00" prec="0x00" ttl="61" srcport="443" dstport="55470"
    2020:02:10-10:29:28 utm-2 ulogd[8750]: id="2105" severity="info" sys="SecureNet" sub="ips" name="UDP flood detected" action="UDP flood" fwrule="60013" initf="eth4" srcmac="64:64:9b:56:44:00" dstmac="00:1a:8c:f0:6e:e4" srcip="74.125.159.25" dstip="209.131.229.254" proto="17" length="1378" tos="0x00" prec="0x00" ttl="61" srcport="443" dstport="55470"
    2020:02:10-10:29:28 utm-2 ulogd[8750]: id="2105" severity="info" sys="SecureNet" sub="ips" name="UDP flood detected" action="UDP flood" fwrule="60013" initf="eth4" srcmac="64:64:9b:56:44:00" dstmac="00:1a:8c:f0:6e:e4" srcip="74.125.159.25" dstip="209.131.229.254" proto="17" length="1378" tos="0x00" prec="0x00" ttl="61" srcport="443" dstport="55470"
    2020:02:10-10:29:29 utm-2 ulogd[8750]: id="2105" severity="info" sys="SecureNet" sub="ips" name="UDP flood detected" action="UDP flood" fwrule="60013" initf="eth4" srcmac="64:64:9b:56:44:00" dstmac="00:1a:8c:f0:6e:e4" srcip="74.125.159.25" dstip="209.131.229.254" proto="17" length="1378" tos="0x00" prec="0x00" ttl="61" srcport="443" dstport="55470"
    2020:02:10-10:29:29 utm-2 ulogd[8750]: id="2105" severity="info" sys="SecureNet" sub="ips" name="UDP flood detected" action="UDP flood" fwrule="60013" initf="eth4" srcmac="64:64:9b:56:44:00" dstmac="00:1a:8c:f0:6e:e4" srcip="74.125.159.25" dstip="209.131.229.254" proto="17" length="1378" tos="0x00" prec="0x00" ttl="61" srcport="443" dstport="55470"
    2020:02:10-10:29:29 utm-2 ulogd[8750]: id="2105" severity="info" sys="SecureNet" sub="ips" name="UDP flood detected" action="UDP flood" fwrule="60013" initf="eth4" srcmac="64:64:9b:56:44:00" dstmac="00:1a:8c:f0:6e:e4" srcip="74.125.159.25" dstip="209.131.229.254" proto="17" length="1378" tos="0x00" prec="0x00" ttl="61" srcport="443" dstport="55470"
    2020:02:10-10:29:29 utm-2 ulogd[8750]: id="2105" severity="info" sys="SecureNet" sub="ips" name="UDP flood detected" action="UDP flood" fwrule="60013" initf="eth4" srcmac="64:64:9b:56:44:00" dstmac="00:1a:8c:f0:6e:e4" srcip="74.125.159.25" dstip="209.131.229.254" proto="17" length="1378" tos="0x00" prec="0x00" ttl="61" srcport="443" dstport="55470"
    2020:02:10-10:29:29 utm-2 ulogd[8750]: id="2105" severity="info" sys="SecureNet" sub="ips" name="UDP flood detected" action="UDP flood" fwrule="60013" initf="eth4" srcmac="64:64:9b:56:44:00" dstmac="00:1a:8c:f0:6e:e4" srcip="74.125.159.25" dstip="209.131.229.254" proto="17" length="1378" tos="0x00" prec="0x00" ttl="61" srcport="443" dstport="55470"
    2020:02:10-10:29:30 utm-2 ulogd[8750]: id="2105" severity="info" sys="SecureNet" sub="ips" name="UDP flood detected" action="UDP flood" fwrule="60013" initf="eth4" srcmac="64:64:9b:56:44:00" dstmac="00:1a:8c:f0:6e:e4" srcip="74.125.159.25" dstip="209.131.229.254" proto="17" length="1378" tos="0x00" prec="0x00" ttl="61" srcport="443" dstport="55470"
    2020:02:10-10:29:30 utm-2 ulogd[8750]: id="2105" severity="info" sys="SecureNet" sub="ips" name="UDP flood detected" action="UDP flood" fwrule="60013" initf="eth4" srcmac="64:64:9b:56:44:00" dstmac="00:1a:8c:f0:6e:e4" srcip="74.125.159.25" dstip="209.131.229.254" proto="17" length="1378" tos="0x00" prec="0x00" ttl="61" srcport="443" dstport="55470"

Reply
  • 0 in reply to Jaydeep

    I've done some more looking into this issue. I think I've identified the issue.

    I created a new rule without any network or address definitions:

    But I'm still getting hundreds of UDP flood blocking, see the log below. But notice how the rule says "using these services: TCP/UDP 443". I believe this rule will only match when the DESTINATION port is 443.  But notice below how we have UDP (proto 17) port 443 is responding to the ephemeral port number of the UTM device, and this appears as the "srcport="443"".

    Is this a bug?  I suspect it is, because I would expect the UTM exception to respect a filter on SRC and DST ports, especially in the instance of legitimate UDP responses as seen below.

    2020:02:10-10:29:27 utm-2 ulogd[8750]: id="2105" severity="info" sys="SecureNet" sub="ips" name="UDP flood detected" action="UDP flood" fwrule="60013" initf="eth4" srcmac="64:64:9b:56:44:00" dstmac="00:1a:8c:f0:6e:e4" srcip="74.125.159.25" dstip="209.131.229.254" proto="17" length="1378" tos="0x00" prec="0x00" ttl="61" srcport="443" dstport="55470"
    2020:02:10-10:29:27 utm-2 ulogd[8750]: id="2105" severity="info" sys="SecureNet" sub="ips" name="UDP flood detected" action="UDP flood" fwrule="60013" initf="eth4" srcmac="64:64:9b:56:44:00" dstmac="00:1a:8c:f0:6e:e4" srcip="74.125.159.25" dstip="209.131.229.254" proto="17" length="1378" tos="0x00" prec="0x00" ttl="61" srcport="443" dstport="55470"
    2020:02:10-10:29:27 utm-2 ulogd[8750]: id="2105" severity="info" sys="SecureNet" sub="ips" name="UDP flood detected" action="UDP flood" fwrule="60013" initf="eth4" srcmac="64:64:9b:56:44:00" dstmac="00:1a:8c:f0:6e:e4" srcip="74.125.159.25" dstip="209.131.229.254" proto="17" length="1378" tos="0x00" prec="0x00" ttl="61" srcport="443" dstport="55470"
    2020:02:10-10:29:28 utm-2 ulogd[8750]: id="2105" severity="info" sys="SecureNet" sub="ips" name="UDP flood detected" action="UDP flood" fwrule="60013" initf="eth4" srcmac="64:64:9b:56:44:00" dstmac="00:1a:8c:f0:6e:e4" srcip="74.125.159.25" dstip="209.131.229.254" proto="17" length="1378" tos="0x00" prec="0x00" ttl="61" srcport="443" dstport="55470"
    2020:02:10-10:29:28 utm-2 ulogd[8750]: id="2105" severity="info" sys="SecureNet" sub="ips" name="UDP flood detected" action="UDP flood" fwrule="60013" initf="eth4" srcmac="64:64:9b:56:44:00" dstmac="00:1a:8c:f0:6e:e4" srcip="74.125.159.25" dstip="209.131.229.254" proto="17" length="1378" tos="0x00" prec="0x00" ttl="61" srcport="443" dstport="55470"
    2020:02:10-10:29:28 utm-2 ulogd[8750]: id="2105" severity="info" sys="SecureNet" sub="ips" name="UDP flood detected" action="UDP flood" fwrule="60013" initf="eth4" srcmac="64:64:9b:56:44:00" dstmac="00:1a:8c:f0:6e:e4" srcip="74.125.159.25" dstip="209.131.229.254" proto="17" length="1378" tos="0x00" prec="0x00" ttl="61" srcport="443" dstport="55470"
    2020:02:10-10:29:28 utm-2 ulogd[8750]: id="2105" severity="info" sys="SecureNet" sub="ips" name="UDP flood detected" action="UDP flood" fwrule="60013" initf="eth4" srcmac="64:64:9b:56:44:00" dstmac="00:1a:8c:f0:6e:e4" srcip="74.125.159.25" dstip="209.131.229.254" proto="17" length="1378" tos="0x00" prec="0x00" ttl="61" srcport="443" dstport="55470"
    2020:02:10-10:29:29 utm-2 ulogd[8750]: id="2105" severity="info" sys="SecureNet" sub="ips" name="UDP flood detected" action="UDP flood" fwrule="60013" initf="eth4" srcmac="64:64:9b:56:44:00" dstmac="00:1a:8c:f0:6e:e4" srcip="74.125.159.25" dstip="209.131.229.254" proto="17" length="1378" tos="0x00" prec="0x00" ttl="61" srcport="443" dstport="55470"
    2020:02:10-10:29:29 utm-2 ulogd[8750]: id="2105" severity="info" sys="SecureNet" sub="ips" name="UDP flood detected" action="UDP flood" fwrule="60013" initf="eth4" srcmac="64:64:9b:56:44:00" dstmac="00:1a:8c:f0:6e:e4" srcip="74.125.159.25" dstip="209.131.229.254" proto="17" length="1378" tos="0x00" prec="0x00" ttl="61" srcport="443" dstport="55470"
    2020:02:10-10:29:29 utm-2 ulogd[8750]: id="2105" severity="info" sys="SecureNet" sub="ips" name="UDP flood detected" action="UDP flood" fwrule="60013" initf="eth4" srcmac="64:64:9b:56:44:00" dstmac="00:1a:8c:f0:6e:e4" srcip="74.125.159.25" dstip="209.131.229.254" proto="17" length="1378" tos="0x00" prec="0x00" ttl="61" srcport="443" dstport="55470"
    2020:02:10-10:29:29 utm-2 ulogd[8750]: id="2105" severity="info" sys="SecureNet" sub="ips" name="UDP flood detected" action="UDP flood" fwrule="60013" initf="eth4" srcmac="64:64:9b:56:44:00" dstmac="00:1a:8c:f0:6e:e4" srcip="74.125.159.25" dstip="209.131.229.254" proto="17" length="1378" tos="0x00" prec="0x00" ttl="61" srcport="443" dstport="55470"
    2020:02:10-10:29:29 utm-2 ulogd[8750]: id="2105" severity="info" sys="SecureNet" sub="ips" name="UDP flood detected" action="UDP flood" fwrule="60013" initf="eth4" srcmac="64:64:9b:56:44:00" dstmac="00:1a:8c:f0:6e:e4" srcip="74.125.159.25" dstip="209.131.229.254" proto="17" length="1378" tos="0x00" prec="0x00" ttl="61" srcport="443" dstport="55470"
    2020:02:10-10:29:30 utm-2 ulogd[8750]: id="2105" severity="info" sys="SecureNet" sub="ips" name="UDP flood detected" action="UDP flood" fwrule="60013" initf="eth4" srcmac="64:64:9b:56:44:00" dstmac="00:1a:8c:f0:6e:e4" srcip="74.125.159.25" dstip="209.131.229.254" proto="17" length="1378" tos="0x00" prec="0x00" ttl="61" srcport="443" dstport="55470"
    2020:02:10-10:29:30 utm-2 ulogd[8750]: id="2105" severity="info" sys="SecureNet" sub="ips" name="UDP flood detected" action="UDP flood" fwrule="60013" initf="eth4" srcmac="64:64:9b:56:44:00" dstmac="00:1a:8c:f0:6e:e4" srcip="74.125.159.25" dstip="209.131.229.254" proto="17" length="1378" tos="0x00" prec="0x00" ttl="61" srcport="443" dstport="55470"

Children
Unfiltered HTML