Allowing a UDP DDoS is better then deny it.
All Replies
-
Hello @peterUK,This has to be explained in terms of the hardware switch, WAN1/2 and P5(WAN3) are not on the same switch on USG60.If you bridge WAN1/2 with P6(DMZ), they're from different switches.If you bridge P5(WAN3) with P6(DMZ), they're on the same switch, and the performance should be better because it doesn't need to forward the traffic from one switch to another.James0
-
Ok that makes some what more sense....but if its blocking on one switch WAN1/2 with P6(DMZ) then no need to forward the traffic from one switch to another...performance should be the same as bridge P5(WAN3) with P6(DMZ)?
Thanks
0 -
Keeps getting interesting...so I setup the USG60 like the USG60W for the bridge and the USG60 still buffers with the UDP...so must be something that the USG60 is doing that the USG60W is not...
0 -
Think I found the reason its to do with WILDCARD FQDN that the Zywall passively inspects as when I run with no rules with WILDCARD FQDN its fine.
My thinking is this the Zywall even with drop rule is still doing the passively inspection for DNS BUT its doing it for ALL ports source and destination! So when I do the UDP DDoS its trying to see if they are DNS queries.
So as DNS 99.9% of the time DNS is source port ANY to destination port 53 and source port 53 to destination port ANY could this be coded in the Zywall to limit the inspection?
0 -
Hello @peterUK,I don't it's likely the root cause. If so, the video lag should also happen when you bridge the interfaces within the same switch.You can try to write in this CLI "session-status-update security-secu-policy inactivate" for your concern, thanks.James0
-
By default "session-status-update secure-policy" is inactivate.
I guess in newer models I would like to see the device handles UDP DDoS better as it does TCP.0 -
@PeterUK
it's confirmed that the command "session-status-update secure-policy" is active by default.0 -
it's confirmed that the command "session-status-update secure-policy" is active by default. Moreover, "session-status-update secure-policy" is for preventing DNS TTL from timeout, and blocking sessions when security policy that includes FQDN object.In conclusion, with wildcard FQDN settings, the CPU performance will be affected if the DDOS UDP attacks are in the form of DNS query for sure, and also, DDOS UDP will occupy the bandwidth too.0
-
By default it is inactivate you can test this in a config thats not been set for it when you do
session-status-update secure-policy inactivate
write
Download the config and look at it the setting does not show meaning thats the default when TTL goes to 0 and the IP listing is removed if a active session is still up the firewall still allows it till the session ends.
When session-status-update secure-police is activate when TTL goes to 0 and the IP listing is removed the active session is blocked.
0
Zyxel Employee
Guru Member
Categories
- All Categories
- 396 Beta Program
- 2.1K Nebula
- 117 Nebula Ideas
- 81 Nebula Status and Incidents
- 5.1K Security
- 86 USG FLEX H Series
- 247 Security Ideas
- 1.3K Switch
- 69 Switch Ideas
- 915 WirelessLAN
- 34 WLAN Ideas
- 5.9K Consumer Product
- 211 Service & License
- 337 News and Release
- 71 Security Advisories
- 21 Education Center
- 5 [Campaign] Zyxel Network Detective
- 2K FAQ
- 912 Nebula FAQ
- 419 Security FAQ
- 237 Switch FAQ
- 207 WirelessLAN FAQ
- 46 Consumer Product FAQ
- 139 Service & License FAQ
- 34 Documents
- 34 Nebula Monthly Express
- 72 About Community
- 62 Security Highlight
