Allowing a UDP DDoS is better then deny it.
Guru Member
Bit of a odd one tested with USG 60 V4.73 (may happen to older firmware) with a simple DMZ to WAN bridge.
The USG60 is said to have SPI firewall throughput of 1000Mb but that more like 400Mb TCP
With the default deny rule and only DMZ to WAN I run a video stream and a DDoS to the WAN with UDP many source IP's ports and packet sizes at 110Mb. This causes the video stream to buffer. But if I allow any IP WAN to DMZ all UDP ports with the same test the video stream stays running.
And ADP is disabled
Why is that?
Best Answers
-
Hello @PeterUK,UDP is a connectionless protocol, and UDP flood attack does not have such a mechanism as TCP ACK. When suffering a great amount of UDP packets, it may cause bandwidth saturation, resulting in other services cannot access the victim device.James0
-
Hello @peterUK,This has to be explained in terms of the hardware switch, WAN1/2 and P5(WAN3) are not on the same switch on USG60.If you bridge WAN1/2 with P6(DMZ), they're from different switches.If you bridge P5(WAN3) with P6(DMZ), they're on the same switch, and the performance should be better because it doesn't need to forward the traffic from one switch to another.James0
Zyxel EmployeeAll Replies
-
With the default deny rule and only DMZ to WAN I run a video stream and a DDoS to the WAN with UDP many source IP's ports and packet sizes at 110Mb. This causes the video stream to buffer. But if I allow any IP WAN to DMZ all UDP ports with the same test the video stream stays running.Hello @PeterUK,Since DMZ and WAN are bridged, the performance depends on who processes the traffic. With default_deny_rule, it will be processed by USG. If you allow all UDP ports, it will be processed by the computer.In other words, it's normal that the performance becomes slow because the firewall takes charge to process the DDOS traffic. When DDOS traffic is allowed, the firewall doesn't need to process the traffic then the performance of the streaming video will be better than deny.James0
-
But this is what I don't get packets comes in with nothing mapped to is dropped by the default rule this to me would seem less processing needed to do that than allowing it and pushing it out the DMZ port?
0 -
Hello @PeterUK,As I mentioned, the performance depends on which device takes the process of the stream video traffic, in your test, the firewall needs to process the traffic and DDOS attack at the same time, resulting in the performance would be affected.And if you allow the DDOS traffic, then it will be processed by the computer, it won't affect the performance of the firewall.0
-
Ok but there is one problem with what you say...IF I do a TCP DDOS attack then the USG60 is fine when watching a 4K video...so how do you explain that?
0 -
Hello @PeterUK,UDP is a connectionless protocol, and UDP flood attack does not have such a mechanism as TCP ACK. When suffering a great amount of UDP packets, it may cause bandwidth saturation, resulting in other services cannot access the victim device.James0
-
Maybe its a hardware or firmware level handling I don't get so I will accept your answer.
UDP however is not a connectionless when the USG handles it by SPI as the USG does know the connection going out to allow the incoming or incoming to allow out under a rule.
This dose however mean that Zyxel can not handle UDP DDoS that well as meaning the device has to be more powerful at a given DDoS bandwidth level.
0 -
@Zyxel_James
Here is where things get odder I have a USG60W but needed to do a bridge without using WAN1 or WAN2 so made P5 WAN3 with P6 DMZ as a bridge the same test as above means I can watch 4K with a UDP DDoS! so whats the logic their? maybe doing a bridge external to internal is a problem?0 -
Hello @peterUK,May I know how you perform the test? I would like to know more information about your test. Please provide your WAN3 and bridge settings, and which tool you generate the DDOS traffic. Moreover, how do you watch the video? Thanks.0
-
How I do the DDoS is bioproduct of my setup when doing BitTorrent in short the setup works a bit like Docsis but under the same MAC where by a VLAN switch acks like a hub without conflict I will do a simple layout later to day.
0 -
Ok here is a cut down of my setup for test UDP DDoS with BitTorrent.
So if a watch a YouTube Video like https://www.youtube.com/watch?v=VnLdOcDNTe0&t=7287s
The BWM gives priority for this traffic watching on USG60W with the download by Zywall 110 it does not buffer but on the USG60 it does.
The only conclusion I have is that a bridge with external to internal has a performance impact then a bridge internal to internal?
https://us.v-cdn.net/6029482/uploads/editor/th/hz8btzmysp33.png
0
Categories
- All Categories
- 384 Beta Program
- 2.1K Nebula
- 116 Nebula Ideas
- 79 Nebula Status and Incidents
- 5.1K Security
- 70 USG FLEX H Series
- 247 Security Ideas
- 1.3K Switch
- 70 Switch Ideas
- 907 WirelessLAN
- 34 WLAN Ideas
- 5.9K Consumer Product
- 210 Service & License
- 332 News and Release
- 71 Security Advisories
- 21 Education Center
- 5 [Campaign] Zyxel Network Detective
- 1.9K FAQ
- 886 Nebula FAQ
- 415 Security FAQ
- 228 Switch FAQ
- 198 WirelessLAN FAQ
- 46 Consumer Product FAQ
- 137 Service & License FAQ
- 34 Documents
- 34 Nebula Monthly Express
- 73 About Community
- 63 Security Highlight
