Infotech22
Explorer III
November 30, 2023
Question

Anomaly - udp_flood
Hello forum,

We got a lot of anomalies with the udp_flood attack base.


Is this something we should worry about? What are the best practices for determining whether those attacks (anomalies, intrusion preventions, etc.) are false positives or not?
udp_flood.png

We also have FortiAnalyzer, but I don't have much knowledge about it since I haven't started any NSE5 preparation.


adambomb1219
SuperUser
November 30, 2023

What do you have your DoS policies set to?  Do you actually need UDP_Flood protection?  I have seen many, many false positives of this alert for customers that use Zscaler or other UDP tunneling apps/clients.  What is that source IP?  Is it something you recognize? 

Infotech22
Explorer III
November 30, 2023

Hello Adam,

Yes, we have it configured, but it was configured by our former external company, so I'm not sure why and how they configured it.

We have 2 WAN connections, and it's the same setting for both of them:


ddos policy.png

hbac
Staff
November 30, 2023

Hi @Infotech22,


You should set the action to Block for better security. However, your thresholds are low, which can cause false positives. You can adjust them accordingly.


Regards, 

pbangari
Staff
December 1, 2023

You can verify whether the source IP address is something you recognize or a trusted one. If yes, then you can consider increasing the threshold value for this source IP, or setting the action to Monitor where this IP address is the source.
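The two options above (a higher threshold or a monitor-only action for a verified source, with Block for everyone else) written out as FortiOS CLI. This is an added example, not code from the thread or from Fortinet documentation; the interface name "wan1", the policy IDs, the address 203.0.113.10 and every threshold value are illustrative assumptions, not FortiOS defaults.

```fortios
# Added example (not from the thread): FortiOS CLI sketch of the advice above.
# Interface name, policy IDs, the address and all thresholds are assumptions.

# 1. Address object for the source IP you have verified as trusted.
config firewall address
    edit "trusted-udp-tunnel-client"
        set subnet 203.0.113.10 255.255.255.255
    next
end

# 2. Exception policy for that source: log only (GUI "Monitor"), higher limit.
#    DoS policies match top-down, so keep this one above the general policy.
config firewall DoS-policy
    edit 10
        set name "wan1-dos-trusted-exception"
        set interface "wan1"
        set srcaddr "trusted-udp-tunnel-client"
        set dstaddr "all"
        set service "ALL"
        config anomaly
            edit "udp_flood"
                set status enable
                set log enable
                set action pass
                set threshold 20000
            next
        end
    next
end

# 3. General policy for all other sources: Block, as recommended above,
#    with the threshold raised from the inherited low value.
config firewall DoS-policy
    edit 20
        set name "wan1-dos-general"
        set interface "wan1"
        set srcaddr "all"
        set dstaddr "all"
        set service "ALL"
        config anomaly
            edit "udp_flood"
                set status enable
                set log enable
                set action block
                set threshold 2000
            next
        end
    next
end
```

The right threshold comes from the packet-rate baseline you observe for each source in FortiAnalyzer, not from the placeholder numbers here; the same block must be repeated for the second WAN interface.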

Infotech22
Explorer III
December 1, 2023

Hello,

What are the default values for this?
The IP address is not something that we know of, but it's not the only one; we have 5-10 IP addresses showing here, sometimes even more. So I don't know whether they are false positives only because of the low threshold, or whether it's something I need to worry about.


pbangari
Staff
December 1, 2023

Policy & Objects >> IPv4 DoS Policy >> Create New; you should see the default values there.