So many alerts "abnormal udp traffic detected, source port is zero" from LAN to WAN

Hello everyone,

Most of my customers use Zyxel Firewall. A few weeks ago, one of them started to generate many alerts "abnormal udp traffic detected, source port is zero". Alerts are from the LAN only, to the Zywall, like:

No. Date/Time Source Destination Priority Category Note
2023-02-27 14:01:42 “computer_local_ip:52276” “zywall_local_IP” alert secure-policy ACCESS BLOCK abnormal udp traffic detected, destination port is zero, DROP

I tried to scan the traffic, but it seems that these UDP packets are empty. I tried to not log this alert, but with no success.

A few days ago, two other customers (totally unrelated) started to have the exact same alerts, always from a random (but legit) computer on their LAN to their own Zywall. Yesterday I received as many as 100 alerts by e-mail from the Zywall for one of them. Some days I received many alerts, some days just a few.

I found in an old topic on this forum that these alerts seem to be impossible to stop:

When device receives a UDP/TCP packet with source port zero or destination port zero, the device will drop this packet and generate a log.
This behavior is a MUST for ICSA firewall certification, so the logs cannot be turned off and it is not configurable.

Do I need to be worried about these alerts? I mean, these computers are on my customers' LAN, and I haven't found anything weird on these computers right now, but I can imagine these alerts are not normal. Is there a way to block them?

Thanks!

All Replies

  • smb_corp_user
    smb_corp_user Posts: 161  Master Member

    Malformed and particularly empty UDP packets are likely to originate from misbehaving software, often very difficult to trace. Anything short of giving the email alerts lower priority, if they have a unique Subject line, is difficult to suggest from my side. Should those messages continue for more than a few seconds, I can only suggest some form of remote reboot of the source computer, to stop the incorrect behaviour.

  • Zyxel_Stanley
    Zyxel_Stanley Posts: 1,374  Zyxel Employee

    Hi @rlacti

    You are correct that it was defined by the ICSA certification. Therefore, the system must generate a log entry when an abnormal packet is received.

    However, it may cause the firewall to send a lot of alert mails, so we have reduced the log level to "notification" without triggering alert mails.

    You could download 4.73WK50 firmware to prevent this situation.

  • John_Hou
    John_Hou Posts: 2
    edited June 2023
    Hello, I have exactly the same scenario as you, a USG 50 FLEX device, it happens completely randomly.
    I tried to completely wipe one of the computers and I also changed the network card on it, but after about a day the Zywall again generates
    "abnormal udp traffic detected, destination port is zero"
    from this IP.
    The USG50 FLEX is new with new firmware. It was plugged online after the newest update.
    Do you still receive these alerts? Thank you for your help.

  • Zyxel_Cooldia
    Zyxel_Cooldia Posts: 1,462  Zyxel Employee

    Hi @John_Hou ,

    You can capture packets on that host to see if it is indeed sending packets with dst port zero.

  • John_Hou
    John_Hou Posts: 2

    Thanks for the reply. Anyhow, how could I do it? Some network tool for packet analysis?
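
    The host-side capture Zyxel_Cooldia suggests is usually done with tcpdump or Wireshark on the suspected computer, filtering on `udp port 0` (tcpdump) or `udp.port == 0` (Wireshark). The script below is an added example, not code from this thread or from Zyxel: it reads a saved classic pcap capture with the standard library only, parses Ethernet/IPv4/UDP headers, and reports every datagram whose source or destination port is zero, together with its payload length (the original poster observed the packets as empty). The capture file, addresses and ports used in the sample are constructed for the example; run it against a real capture with `read_pcap("capture.pcap")` in place of the constructed bytes.

```python
"""Report UDP datagrams with source or destination port 0 in a pcap capture.

Added example (not from the forum thread or from Zyxel). Pure standard library:
a small classic-libpcap reader plus an Ethernet II / IPv4 / UDP header parser.
"""
import socket
import struct
from typing import List, NamedTuple

ETH_HDR_LEN = 14
ETHERTYPE_IPV4 = 0x0800
IPPROTO_TCP = 6
IPPROTO_UDP = 17


class ZeroPortHit(NamedTuple):
    frame_index: int
    src: str
    sport: int
    dst: str
    dport: int
    payload_len: int


def parse_udp_zero_port(frames: List[bytes]) -> List[ZeroPortHit]:
    """Return one hit per IPv4/UDP frame whose source or destination port is 0."""
    hits: List[ZeroPortHit] = []
    for idx, frame in enumerate(frames):
        if len(frame) < ETH_HDR_LEN + 20:
            continue  # too short for Ethernet + a minimal IPv4 header
        if struct.unpack("!H", frame[12:14])[0] != ETHERTYPE_IPV4:
            continue  # ARP, IPv6, VLAN-tagged etc. are out of scope for this check
        ip = frame[ETH_HDR_LEN:]
        version, ihl = ip[0] >> 4, (ip[0] & 0x0F) * 4
        total_len = struct.unpack("!H", ip[2:4])[0]
        if version != 4 or ihl < 20 or len(ip) < total_len or ip[9] != IPPROTO_UDP:
            continue  # malformed/truncated IPv4, or not UDP (e.g. TCP)
        udp = ip[ihl:total_len]  # honour IPv4 total length, drop Ethernet padding
        if len(udp) < 8:
            continue  # truncated UDP header
        sport, dport, udp_len, _checksum = struct.unpack("!HHHH", udp[:8])
        if sport == 0 or dport == 0:
            hits.append(ZeroPortHit(idx, socket.inet_ntoa(ip[12:16]), sport,
                                    socket.inet_ntoa(ip[16:20]), dport, max(udp_len - 8, 0)))
    return hits


def parse_pcap(data: bytes) -> List[bytes]:
    """Return the raw frames of a classic libpcap file (pcapng is not handled)."""
    if data[:4] == b"\xd4\xc3\xb2\xa1":
        endian = "<"  # written on a little-endian host
    elif data[:4] == b"\xa1\xb2\xc3\xd4":
        endian = ">"
    else:
        raise ValueError("unsupported capture format: expected classic pcap magic")
    frames, off = [], 24  # skip the 24-byte global header
    while off + 16 <= len(data):
        _ts_sec, _ts_usec, incl_len, _orig_len = struct.unpack(endian + "IIII", data[off:off + 16])
        off += 16
        frames.append(data[off:off + incl_len])
        off += incl_len
    return frames


def read_pcap(path: str) -> List[bytes]:
    with open(path, "rb") as fh:
        return parse_pcap(fh.read())


# --- constructed sample data below (invented addresses, no real capture) ---

def build_ipv4_frame(src: str, dst: str, proto: int, l4: bytes) -> bytes:
    """Ethernet II + IPv4 header without options + the given transport bytes."""
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(l4), 0x1234, 0, 64, proto, 0,
                     socket.inet_aton(src), socket.inet_aton(dst))
    eth = bytes.fromhex("001122334455") + bytes.fromhex("66778899aabb") + struct.pack("!H", ETHERTYPE_IPV4)
    return eth + ip + l4


def build_udp(sport: int, dport: int, payload: bytes = b"") -> bytes:
    # Checksum 0 means "not computed", which IPv4 permits for UDP.
    return struct.pack("!HHHH", sport, dport, 8 + len(payload), 0) + payload


def build_pcap(frames: List[bytes]) -> bytes:
    """Little-endian classic pcap, link type 1 (Ethernet), zeroed timestamps."""
    header = struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, 1)
    records = b"".join(struct.pack("<IIII", 0, i, len(f), len(f)) + f for i, f in enumerate(frames))
    return header + records


# Mirrors the thread's log line: a LAN host sends an empty datagram to the firewall with dst port 0.
SAMPLE_FRAMES = [
    build_ipv4_frame("192.168.1.50", "192.168.1.1", IPPROTO_UDP, build_udp(52276, 53, b"\x12\x34\x01\x00" + b"\x00" * 8)),
    build_ipv4_frame("192.168.1.50", "192.168.1.1", IPPROTO_UDP, build_udp(52276, 0)),
    build_ipv4_frame("192.168.1.51", "192.168.1.1", IPPROTO_UDP, build_udp(0, 137, b"\x00" * 4)),
    build_ipv4_frame("192.168.1.52", "192.168.1.1", IPPROTO_TCP, b"\x00" * 20),
]


def scan_sample() -> List[ZeroPortHit]:
    return parse_udp_zero_port(parse_pcap(build_pcap(SAMPLE_FRAMES)))


if __name__ == "__main__":
    for hit in scan_sample():
        print(f"frame {hit.frame_index}: {hit.src}:{hit.sport} -> {hit.dst}:{hit.dport}, "
              f"{hit.payload_len} payload bytes")
```

    The frame index and payload length tell you which process to look for next: an empty datagram to port 0 at a steady interval points at one misbehaving program on that host, which is the pattern smb_corp_user describes above.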

  • PeterUK
    PeterUK Posts: 2,865  Guru Member
