Allowing a UDP DDoS is better than denying it.


  • Zyxel_James
    Zyxel Employee
    Answer ✓
    Hello @peterUK,
    This has to be explained in terms of the hardware switches: WAN1/2 and P5(WAN3) are not on the same switch on the USG60.
    If you bridge WAN1/2 with P6(DMZ), they're on different switches.
    If you bridge P5(WAN3) with P6(DMZ), they're on the same switch, and the performance should be better because it doesn't need to forward the traffic from one switch to another.

    James
  • PeterUK
    edited December 2022

    OK, that makes somewhat more sense... but if it's blocking on one switch, WAN1/2 with P6(DMZ), then there is no need to forward the traffic from one switch to another... performance should be the same as bridging P5(WAN3) with P6(DMZ)?

    Thanks


  • PeterUK

    Keeps getting interesting... so I set up the USG60 like the USG60W for the bridge, and the USG60 still buffers with the UDP... so it must be something that the USG60 is doing that the USG60W is not...


  • PeterUK

    @Zyxel_James

    I think I found the reason: it's to do with WILDCARD FQDN, which the Zywall passively inspects, as when I run with no rules using WILDCARD FQDN it's fine.

    My thinking is this: the Zywall, even with a drop rule, is still doing the passive inspection for DNS, BUT it's doing it for ALL ports, source and destination! So when I do the UDP DDoS it's trying to see if they are DNS queries.

    So, as 99.9% of the time DNS is source port ANY to destination port 53 and source port 53 to destination port ANY, could this be coded in the Zywall to limit the inspection?


  • Zyxel_James
    Zyxel Employee
    Hello @peterUK,
    I don't think it's likely the root cause. If so, the video lag should also happen when you bridge the interfaces within the same switch.

    You can try entering this CLI command for your concern: "session-status-update security-secu-policy inactivate". Thanks.

    James
  • PeterUK
    edited December 2022
    By default "session-status-update secure-policy" is inactivate.

    I guess in newer models I would like to see the device handle UDP DDoS better, as it does TCP.
  • Zyxel_James
    Zyxel Employee
    @PeterUK
    It's confirmed that the command "session-status-update secure-policy" is active by default.
  • Zyxel_James
    Zyxel Employee
    Moreover, "session-status-update secure-policy" is for preventing DNS TTL from timing out, and for blocking sessions when a security policy includes an FQDN object.

    In conclusion, with wildcard FQDN settings, the CPU performance will be affected for sure if the UDP DDoS attacks are in the form of DNS queries, and also a UDP DDoS will occupy the bandwidth too.
  • PeterUK

    By default it is inactivate; you can test this in a config that has not been set for it: when you do

    session-status-update secure-policy inactivate

    write

    Download the config and look at it: the setting does not show, meaning that's the default. When TTL goes to 0 and the IP listing is removed, if an active session is still up the firewall still allows it till the session ends.

    When session-status-update secure-policy is activate, when TTL goes to 0 and the IP listing is removed the active session is blocked.
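The two behaviours PeterUK describes above can be written down as a small model, added here as an illustration rather than anything from Zyxel firmware or this thread: an allow rule referencing an FQDN object, an established session, and the decision under each setting once the DNS TTL expires. The FQDN name, IP, timestamps and function names are all constructed for the example.

```python
from dataclasses import dataclass, field


@dataclass
class FqdnObject:
    """Model of a wildcard FQDN object: the IPs it currently resolves to and
    the absolute time at which the DNS answer's TTL reaches 0."""
    name: str
    ips: set = field(default_factory=set)
    expires_at: float = 0.0

    def current_ips(self, now: float) -> set:
        # Once the TTL hits 0 the IP listing is removed, as the thread describes.
        return self.ips if now < self.expires_at else set()


@dataclass
class Session:
    dst_ip: str
    started_at: float


def session_allowed(session: Session, fqdn: FqdnObject, now: float,
                    session_status_update: bool) -> bool:
    """Is an already-established session still permitted by a rule on `fqdn`?

    session_status_update=False ("inactivate", reported as the default):
      the rule was evaluated when the session started; it survives TTL expiry.
    session_status_update=True ("activate"):
      the session is re-checked against the current listing and is blocked
      once the TTL reaches 0 and the IPs are removed.
    """
    if session_status_update:
        return session.dst_ip in fqdn.current_ips(now)
    return session.dst_ip in fqdn.current_ips(session.started_at)


def new_session_allowed(dst_ip: str, fqdn: FqdnObject, now: float) -> bool:
    # A new session is always matched against the listing as it is right now.
    return dst_ip in fqdn.current_ips(now)


def demo() -> dict:
    # Constructed sample: one resolved IP, TTL expiring at t=300, session from t=100.
    fqdn = FqdnObject("*.example.net", {"192.0.2.10"}, expires_at=300.0)
    s = Session("192.0.2.10", started_at=100.0)
    return {
        "before_expiry_inactivate": session_allowed(s, fqdn, 200.0, False),
        "after_expiry_inactivate": session_allowed(s, fqdn, 400.0, False),
        "after_expiry_activate": session_allowed(s, fqdn, 400.0, True),
        "new_after_expiry": new_session_allowed("192.0.2.10", fqdn, 400.0),
    }
```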