Allowing a UDP DDoS is better than denying it.

PeterUK
PeterUK Posts: 3,461  Guru Member
edited December 2022 in Security

Bit of an odd one, tested with USG 60 V4.73 (may happen on older firmware) with a simple DMZ to WAN bridge.

The USG60 is said to have an SPI firewall throughput of 1000Mb, but that is more like 400Mb TCP.

With the default deny rule and only DMZ to WAN, I run a video stream and a DDoS to the WAN with UDP from many source IPs, ports and packet sizes at 110Mb. This causes the video stream to buffer. But if I allow any IP WAN to DMZ on all UDP ports, with the same test the video stream stays running.

And ADP is disabled.

Why is that?

Best Answers

  • Zyxel_James
    Zyxel_James Posts: 663  Zyxel Employee
    Answer ✓
    Hello @PeterUK,
    UDP is a connectionless protocol, and a UDP flood attack does not have such a mechanism as the TCP ACK. When suffering a great amount of UDP packets, it may cause bandwidth saturation, resulting in other services being unable to access the victim device.

    James
  • Zyxel_James
    Zyxel_James Posts: 663  Zyxel Employee
    Answer ✓
    Hello @peterUK,
    This has to be explained in terms of the hardware switch: WAN1/2 and P5(WAN3) are not on the same switch on the USG60.
    If you bridge WAN1/2 with P6(DMZ), they're from different switches.
    If you bridge P5(WAN3) with P6(DMZ), they're on the same switch, and the performance should be better because it doesn't need to forward the traffic from one switch to another.

    James

All Replies

  • Zyxel_James
    Zyxel_James Posts: 663  Zyxel Employee
    With the default deny rule and only DMZ to WAN, I run a video stream and a DDoS to the WAN with UDP from many source IPs, ports and packet sizes at 110Mb. This causes the video stream to buffer. But if I allow any IP WAN to DMZ on all UDP ports, with the same test the video stream stays running.
    Hello @PeterUK,
    Since DMZ and WAN are bridged, the performance depends on who processes the traffic. With the default_deny_rule, it will be processed by the USG. If you allow all UDP ports, it will be processed by the computer.
    In other words, it's normal that the performance becomes slow because the firewall takes charge of processing the DDOS traffic. When the DDOS traffic is allowed, the firewall doesn't need to process the traffic, so the performance of the streaming video will be better than with deny.

    James
  • PeterUK
    PeterUK Posts: 3,461  Guru Member

    But this is what I don't get: packets that come in with nothing mapped to them are dropped by the default rule; to me that would seem to need less processing than allowing them and pushing them out the DMZ port?


  • Zyxel_James
    Zyxel_James Posts: 663  Zyxel Employee
    Hello @PeterUK,
    As I mentioned, the performance depends on which device processes the video stream traffic. In your test, the firewall needs to process the traffic and the DDOS attack at the same time, so the performance is affected.
    And if you allow the DDOS traffic, then it will be processed by the computer, and it won't affect the performance of the firewall.
  • PeterUK
    PeterUK Posts: 3,461  Guru Member
    edited December 2022

    Ok, but there is one problem with what you say... IF I do a TCP DDOS attack then the USG60 is fine when watching a 4K video... so how do you explain that?


  • Zyxel_James
    Zyxel_James Posts: 663  Zyxel Employee
    Answer ✓
    Hello @PeterUK,
    UDP is a connectionless protocol, and a UDP flood attack does not have such a mechanism as the TCP ACK. When suffering a great amount of UDP packets, it may cause bandwidth saturation, resulting in other services being unable to access the victim device.

    James
  • PeterUK
    PeterUK Posts: 3,461  Guru Member
    edited December 2022

    Maybe it's a hardware or firmware level handling I don't get, so I will accept your answer.

    UDP however is not connectionless when the USG handles it by SPI, as the USG does know the connection going out to allow the incoming, or the incoming to allow the outgoing, under a rule.

    This does however mean that Zyxel cannot handle a UDP DDoS that well, meaning the device has to be more powerful at a given DDoS bandwidth level.
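The two points made above (James: a UDP flood has no handshake, so every unsolicited datagram reaches the rule base; PeterUK: an SPI firewall still tracks UDP as a flow, so a reply to an outbound datagram is recognised) can be shown with a small model. The code below is an added example written for this thread, not Zyxel code and not a description of how the USG's engine is built. It models a DMZ-to-WAN bridge with a default deny on WAN ingress: an outbound DMZ datagram creates a flow entry keyed by the 5-tuple, a WAN datagram matching an entry is allowed as a reply, and anything else is either denied or, when the "allow any WAN to DMZ UDP" rule is on, allowed by rule. The traffic, the 60-second flow timeout and all addresses are constructed for the example. The counters show that the deny path is per-packet work just like the allow path (same number of lookups); what the model does not capture is the hardware switch path James describes, which is where the measured difference in the thread comes from.

```python
from collections import Counter
from dataclasses import dataclass

# Assumed idle timeout for a tracked UDP flow; an illustrative value, not a Zyxel default.
UDP_FLOW_TIMEOUT = 60.0


@dataclass(frozen=True)
class Datagram:
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int
    ts: float   # arrival time in seconds (constructed clock)
    zone: str   # ingress zone: "DMZ" or "WAN"


class StatefulUdpFilter:
    """Toy SPI-style UDP filter for a DMZ<->WAN bridge with a default deny on WAN ingress."""

    def __init__(self, allow_wan_to_dmz_udp=False):
        # (local_ip, local_port, remote_ip, remote_port) -> last time the flow was seen
        self.flows = {}
        self.allow_wan_to_dmz_udp = allow_wan_to_dmz_udp
        self.stats = Counter()

    def _expire(self, now):
        # Drop flow entries that have been idle longer than the timeout.
        for key, seen in list(self.flows.items()):
            if now - seen > UDP_FLOW_TIMEOUT:
                del self.flows[key]

    def process(self, d):
        """Return "ALLOW" or "DENY" for one datagram and update the flow table."""
        self._expire(d.ts)
        self.stats["lookups"] += 1   # every packet, allowed or denied, costs a lookup
        if d.zone == "DMZ":
            # DMZ-to-WAN is permitted by rule; remember the flow so the reply can come back.
            self.flows[(d.src_ip, d.src_port, d.dst_ip, d.dst_port)] = d.ts
            self.stats["allow_out"] += 1
            return "ALLOW"
        # WAN ingress: is this a reply to a flow the DMZ host opened?
        key = (d.dst_ip, d.dst_port, d.src_ip, d.src_port)
        if key in self.flows:
            self.flows[key] = d.ts
            self.stats["allow_reply"] += 1
            return "ALLOW"
        if self.allow_wan_to_dmz_udp:
            self.stats["allow_rule"] += 1   # the "any WAN to DMZ, all UDP ports" rule
            return "ALLOW"
        self.stats["deny"] += 1             # default deny rule
        return "DENY"


def run_scenario(allow_wan_to_dmz_udp=False, flood_packets=1000):
    """One video-stream flow from the DMZ host plus a flood of unsolicited WAN datagrams.

    Returns (filter stats, per-decision counts). All traffic is constructed sample data.
    """
    fw = StatefulUdpFilter(allow_wan_to_dmz_udp)
    decisions = Counter()
    # DMZ host opens the stream towards a WAN server.
    decisions[fw.process(Datagram("10.0.0.10", 50000, "203.0.113.5", 443, 0.0, "DMZ"))] += 1
    # Flood: many different source addresses and ports, none matching a tracked flow.
    for i in range(flood_packets):
        d = Datagram(f"198.51.100.{i % 250 + 1}", 1024 + i, "10.0.0.10",
                     1000 + i % 500, 0.1 + i / 1e4, "WAN")
        decisions[fw.process(d)] += 1
    # The stream's reply matches the tracked flow and gets in under either policy.
    decisions[fw.process(Datagram("203.0.113.5", 443, "10.0.0.10", 50000, 0.5, "WAN"))] += 1
    return fw.stats, decisions


if __name__ == "__main__":
    for policy in (False, True):
        stats, decisions = run_scenario(policy)
        print("allow WAN->DMZ UDP:", policy, dict(stats), dict(decisions))
```

With the default deny, the 1000 flood datagrams are all denied and the stream's reply is still allowed; with the permissive rule they are all allowed. In both runs the filter performs the same 1002 lookups, which is PeterUK's objection in the thread: the deny decision itself is not cheaper than the allow decision in this model. A flow that goes idle past the timeout is forgotten, so a late "reply" falls through to the rule base like any other unsolicited datagram.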


  • PeterUK
    PeterUK Posts: 3,461  Guru Member
    edited December 2022
    @Zyxel_James

    Here is where things get odder: I have a USG60W but needed to do a bridge without using WAN1 or WAN2, so I made P5 WAN3 with P6 DMZ as a bridge. The same test as above means I can watch 4K with a UDP DDoS! So what's the logic there? Maybe doing a bridge external to internal is a problem?
  • Zyxel_James
    Zyxel_James Posts: 663  Zyxel Employee
    Hello @peterUK,
    May I know how you perform the test? I would like to know more information about your test. Please provide your WAN3 and bridge settings, and which tool you use to generate the DDOS traffic. Moreover, how do you watch the video? Thanks.
  • PeterUK
    PeterUK Posts: 3,461  Guru Member

    How I do the DDoS is a byproduct of my setup when doing BitTorrent. In short, the setup works a bit like DOCSIS but under the same MAC, whereby a VLAN switch acts like a hub without conflict. I will do a simple layout later today.

  • PeterUK
    PeterUK Posts: 3,461  Guru Member
    edited December 2022

    Ok, here is a cut-down of my setup for testing UDP DDoS with BitTorrent.

    So if I watch a YouTube video like https://www.youtube.com/watch?v=VnLdOcDNTe0&t=7287s

    The BWM gives priority to this traffic; watching on the USG60W with the download by the Zywall 110, it does not buffer, but on the USG60 it does.

    The only conclusion I have is that a bridge from external to internal has a performance impact compared to a bridge internal to internal?

    https://us.v-cdn.net/6029482/uploads/editor/th/hz8btzmysp33.png