So many alerts "abnormal udp traffic detected, source port is zero" from LAN to WAN
Hello everyone,
Most of my customers use Zyxel Firewalls. A few weeks ago, one of them started to generate many alerts "abnormal udp traffic detected, source port is zero". Alerts are from LAN only to the Zywall, like:
No. | Date/Time | Source | Destination | Priority | Category | Note
 | 2023-02-27 14:01:42 | computer_local_ip:52276 | zywall_local_IP | alert | secure-policy | ACCESS BLOCK abnormal udp traffic detected, destination port is zero, DROP
I tried to scan the traffic but it seems that these UDP packets are empty. I tried to not log this alert, but with no success.
A few days ago, 2 other customers (totally unrelated) started to have the exact same alerts, always from a random (but legit) computer on their LAN to their own Zywall. Yesterday I received as many as 100 alerts by e-mail from the Zywall for one of them. Some days I receive many alerts, some days just a few.
I found in an old topic on this forum that these alerts seem to be impossible to stop:
When device receives a UDP/TCP packet with source port zero or destination port zero, the device will drop this packet and generate a log.
This behavior is a MUST for ICSA firewall certification, so the logs cannot be turned off and it is not configurable.
Do I need to be worried about these alerts? I mean these computers are on my customers' LANs, and I haven't found anything weird on these computers so far, but I can imagine these alerts are not normal. Is there a way to block them?
Thanks !
All Replies
-
Malformed and particularly empty UDP packets are likely to originate from misbehaving software, often very difficult to trace. Anything short of giving the email alerts lower priority, if they have a unique Subject line, is difficult to suggest from my side. Should those messages continue for more than a few seconds, I can only suggest some form of remote reboot of the source computer, to stop the incorrect behaviour.
0 -
Hi @rlacti
You are correct that it was defined by the ICSA certification. Therefore, the system must generate a log entry when an abnormal packet is received.
However, it may cause the firewall to send a lot of alert mails, so we have reduced the log level to "notification" without triggering alert mails.
You could download 4.73WK50 firmware to prevent this situation.
0 -
Hello, I have exactly the same scenario as you, with a USG 50 FLEX device; it happens completely randomly. I tried to completely wipe one of the computers and I also changed the network card on it, but after about a day the Zywall again generated "abnormal udp traffic detected, destination port is zero" from this IP. The USG50 FLEX is new, with new firmware. It was plugged online after the newest update. Do you still receive these alerts? Thank you for your help.
0 -
Hi @John_Hou ,
You can capture packets on that host to see if it is indeed sending packets with dst port zero.
0 -
Thanks for the reply; anyhow, how could I do it? Some network tool for packet analysis?
0 -
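Added example (not from the thread, and not Zyxel's code): a small Python script that reads a classic libpcap capture taken on the suspect host (for instance with `tcpdump -w`), or the constructed frames embedded below, and lists the UDP datagrams whose source or destination port is 0, which is the condition the Zywall logs as abnormal. The addresses, ports and payloads in the samples are constructed, not taken from any real capture.

```python
import struct, sys

def read_pcap(path):
    # Yield raw Ethernet frames from a classic libpcap file (e.g. written by tcpdump -w on the suspect host).
    with open(path, "rb") as f:
        magic = struct.unpack("<I", f.read(24)[:4])[0]
        endian = "<" if magic == 0xA1B2C3D4 else ">"   # 0xD4C3B2A1 means big-endian record headers
        while len(rec := f.read(16)) == 16:
            incl_len = struct.unpack(endian + "IIII", rec)[2]
            yield f.read(incl_len)

def parse_ipv4_udp(frame):
    # Return (src_ip, sport, dst_ip, dport, payload_len) for an Ethernet/IPv4/UDP frame, else None.
    if len(frame) < 34 or frame[12:14] != b"\x08\x00":          # EtherType must be IPv4
        return None
    ip = frame[14:]
    ihl = (ip[0] & 0x0F) * 4
    if ip[0] >> 4 != 4 or ip[9] != 17 or len(ip) < ihl + 8:     # IPv4 header, protocol 17 = UDP
        return None
    sport, dport, ulen = struct.unpack("!HHH", ip[ihl:ihl + 6])
    return ".".join(map(str, ip[12:16])), sport, ".".join(map(str, ip[16:20])), dport, max(ulen - 8, 0)

def find_port_zero(frames):
    # Flag UDP datagrams with source or destination port 0, the condition the Zywall logs as abnormal.
    hits = []
    for idx, frame in enumerate(frames):
        parsed = parse_ipv4_udp(frame)
        if parsed and (parsed[1] == 0 or parsed[3] == 0):
            src_ip, sport, dst_ip, dport, plen = parsed
            hits.append({"frame": idx, "src": f"{src_ip}:{sport}", "dst": f"{dst_ip}:{dport}", "payload_bytes": plen})
    return hits

def build_udp_frame(src_ip, sport, dst_ip, dport, payload=b""):
    # Build a minimal Ethernet/IPv4/UDP frame for the constructed samples below (checksums left zero).
    udp = struct.pack("!HHHH", sport, dport, 8 + len(payload), 0) + payload
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(udp), 0, 0, 64, 17, 0,
                     bytes(map(int, src_ip.split("."))), bytes(map(int, dst_ip.split(".")))) + udp
    return b"\x00" * 12 + b"\x08\x00" + ip

# Constructed sample traffic (addresses invented): a normal DNS query, an empty datagram to port 0
# like the one in the Zywall log above, and one sent from port 0.
SAMPLE_FRAMES = [
    build_udp_frame("192.168.1.23", 52276, "192.168.1.1", 53, b"\x12\x34\x01\x00"),
    build_udp_frame("192.168.1.23", 52276, "192.168.1.1", 0),
    build_udp_frame("192.168.1.45", 0, "192.168.1.1", 514, b"<13>test"),
]

if __name__ == "__main__":
    frames = list(read_pcap(sys.argv[1])) if len(sys.argv) > 1 else SAMPLE_FRAMES
    for hit in find_port_zero(frames):
        print(hit)
```

With a capture file as its argument (for example `tcpdump -i <iface> -w host.pcap udp` run on the suspect host, file name chosen here as a placeholder) it prints each offending datagram with its frame index, endpoints and payload size; with no argument it runs on the constructed samples.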