USG60 UDP flood

detractor
detractor Posts: 7  Freshman Member
edited April 2021 in Security



The USG60 device: when there is a UDP flood to the port, this device falls. The CPU is 100% loaded. Could it be possible to reflect the attacks differently? Thank you.

I wanted to block the IP. Maybe I'm doing something wrong?



Comments

  • PeterUK
    PeterUK Posts: 3,326  Guru Member
    edited May 2018

    If it's a full-on DoS by UPnP reflection attack then there might be nothing you can do about it...

    You can try putting a switch between your modem and USG 60 and make an ACL rule to drop UDP source port 1900, but it might not help.

    On another note, that rule 2 for all_ips from WAN to any looks to be a bad rule.

    And going by your log you seem to be double NATting?

    Also, logging may add to CPU load.

  • Zyxel_Cooldia
    Zyxel_Cooldia Posts: 1,511  Zyxel Employee
    Hi @detractor,
    If there is a large amount of attack traffic continuously, I would suggest disabling the log on Security rule #1 temporarily,
    because the device keeps writing the log, which consumes CPU.
  • detractor
    detractor Posts: 7  Freshman Member
    PeterUK said:

    If it's a full-on DoS by UPnP reflection attack then there might be nothing you can do about it...

    You can try putting a switch between your modem and USG 60 and make an ACL rule to drop UDP source port 1900, but it might not help.

    On another note, that rule 2 for all_ips from WAN to any looks to be a bad rule.

    And going by your log you seem to be double NATting?

    Also, logging may add to CPU load.


    Without the second rule, I cannot connect from WAN to RDP and other services.
  • detractor
    detractor Posts: 7  Freshman Member
    Sorry, it is not true =)

    detractor said:

    Without the second rule, I cannot connect from WAN to RDP and other services.

  • detractor
    detractor Posts: 7  Freshman Member
    PeterUK said:

    If it's a full-on DoS by UPnP reflection attack then there might be nothing you can do about it...

    You can try putting a switch between your modem and USG 60 and make an ACL rule to drop UDP source port 1900, but it might not help.

    On another note, that rule 2 for all_ips from WAN to any looks to be a bad rule.

    And going by your log you seem to be double NATting?

    Also, logging may add to CPU load.

    No source port drop in the USG60.
  • PeterUK
    PeterUK Posts: 3,326  Guru Member
    edited May 2018

    That's why I said put a switch between your modem and USG 60 and make an ACL on the switch.

    As for RDP, you can make a rule from WAN to LAN1, or the port the RDP PC is connected to, with the service set to RDP, normally port 3389.

  • detractor
    detractor Posts: 7  Freshman Member

    It's about UDP flooding. The number of sessions is growing. How do I disable them?
  • PeterUK
    PeterUK Posts: 3,326  Guru Member

    If someone is out to get you by a DoS from some UPnP-enabled router exposed on the WAN side, which it looks to be, not much you can do but change your IP? Can your ISP modem be put into modem mode or bridge mode?

    Have you tried changing the log to no? Also change the log in ADP to no for UDP flood.

  • detractor
    detractor Posts: 7  Freshman Member


    To be more precise: there is a service, www.ipstresser.com. Specify the IP and UDP port. Well, the USG60 hangs. Log turned off.
  • Zyxel_Cooldia
    Zyxel_Cooldia Posts: 1,511  Zyxel Employee

    Hi @detractor,

    You may try reducing the threshold from 1000 to something lower.


    If the CPU still goes high, please help me to get the following CLI result.

    Router# show cpu all

    Router# debug system ps | match "zylogger"

    Router# debug system show cpu status

    Router# show cpu average





