So many alerts "abnormal udp traffic detected, source port is zero" from LAN to WAN

rlacti · February 2023

Hello everyone,

Most of my customers use Zyxel Firewall. Few weeks ago, one of them start to generate many alerts "abnormal udp traffic detected, source port is zero". Alerts are from LAN only to Zywall, like :

No. Date/Time Source Destination Priority Category Note2023-02-27 14:01:42 “computer_local_ip:52276” “zywall_local_IP”alert secure-policy ACCESS BLOCK abnormal udp traffic detected, destination port is zero, DROP

I tried to scan traffic but it seems that this UDP packets are empty. I tried to not log this alert, but no success.

Few days ago, 2 others customers (totally unrelated) start to have the exact same alerts, always from a random (but legit) computer on their LAN to their own Zywall. Yesterday I receveid as many as 100 alert by e-mails from the Zywall for one of them. Some day I received many alerts, some days just a few.

I found in an old topic on this forum that this alerts seems to be impossible to stop :

When device receives a UDP/TCP packet with source port zero or destination port zero, the device will drop this packet and generate a log.
This behavior is a MUST for ICSA firewall certification, so the logs cannot be turned off and it is not configurable.

Do I need to be worried about this alerts ? I mean this computers are on my customers LAN, and I didn't found anything weird on this computers right now, but I can imagine this alerts are not normal. Is there a way to block them ?

Thanks !

smb_corp_user · February 2023

Malformed and particularly empty UDP packets are likely to originate from misbehaving software, often very difficult to trace. Anything short of giving the email alerts lower priority, if they have a unique Subject line, is difficult to suggest from my side. Should those messages continue for more than a few seconds, I can only suggest some form of remote reboot of the source computer, to stop the incorrect behaviour.

Zyxel_Stanley · March 2023

Hi @rlacti

You are correct that it was defined by the ICSA certification. Therefore, the system must generate a log entry when an abnormal packet is received.

However, it may cause the firewall to send a lot of alert mails. so we have reduced the log level to "notification" without triggering alert mails.

You could download 4.73WK50 firmware to prevent this situation.

John_Hou · June 2023

https://community.zyxel.com/en/discussion/16112/so-many-alerts-abnormal-udp-traffic-detected-source-port-is-zero-from-lan-to-wan

Hello, I have exactly the same scenario as you, a USG 50 FLEX device, it happens completely randomly.
I tried to completely delete one of the computers and I also changed the network card on it, but after
about a day zywall generate again from this IP
"abnormal udp traffic detected, destination port is zero"
USG50 FLex is new with new firmware. Was plugged online after newest update.
Did you still recieve this alerts ? Thank you for help