vtvincent
New Member
March 20, 2022
Question

DDoS UDP Flood


I'm having an odd situation where we're getting DDoS'd with UDP floods, only during the school day. It hasn't been enough to take us down, but was enough to get the attention of our ISP and show up in our FortiGate. The ISP couldn't seem to provide much info about why this was happening, but they seem to think it's "excessive VPN use" by our students. I've done a lot of digging through our FortiAnalyzer and really can't see much out of the ordinary other than the incoming flood that is being dropped. Any thoughts about what might trigger this or where else to look?


vponmuniraj
Staff
March 21, 2022

Hi Vincent,

UDP floods are common if the threshold set is too low and users use audio / video conferencing on a daily basis.

Can you attach the logs that indicate a UDP flood attack is taking place? We can do a reverse lookup for the source IPs to understand where the traffic is coming from.

Regards,

AlexC-FTNT
Staff
March 21, 2022

A DDoS attack can only be dropped by the FortiGate, but the attack may prevent your FortiGate (or internal services) from being accessible from the outside. A successful DDoS filter must be placed as close to the source as possible (in this case in the ISP infra). For this, you need to see the logs and identify the source/destination/ports used for the attack. This way you can see if the traffic is legitimate VPN traffic, or an attack. I guess that repeated connection attempts (retries) from students may cause this, but you need to see what ports are used. "Excessive VPN" may trigger the DDoS alarm on the ISP - who in turn need to adjust their thresholds (and not block it, if this traffic is legitimate).

vtvincent (Author)
New Member
March 21, 2022

It does appear to be "legitimate" VPN traffic, here's what I'm seeing in the Anomaly log on the FortiGate and a sample of what the destination by the first source looks like in the FortiAnalyzer. I also looked up a handful of those IPs and most seem to go back to DigitalOcean. While the traffic is technically legitimate and not a DDoS attack in this case, we still do not want our students using VPNs to bypass our content filters.


63kk0
Visitor III
July 25, 2022

A bit late to the party, but it looks like the kids at your school have figured out that they can bypass your content filters through the use of free, anonymous VPN plugins. I would check their use of Chrome browser plugins, and require that they be logged into their school managed Google account when using the browser. You can control what plugins they are allowed to use from Chrome.

AlexC-FTNT
Staff
March 22, 2022

I am not a security analyst, but these logs don't look like regular traffic to me.

You can't consider continuous attempts from a public IP, repeating 800 times per second, to be regular traffic. According to these logs, the traffic is continuously and repeatedly hitting the FortiGate. For example, the IP in the selected log is clearly blacklisted on multiple sites:

https://mxtoolbox.com/SuperTool.aspx?action=blacklist%3a104.131.19.108&run=toolpage

vtvincent (Author)
New Member
March 22, 2022

From what digging I've done, it does seem to be associated with SkyVPN. The handful of free VPNs they're using seem to just scan through lists of their IPs and ports until they find one that works. In that example, the client is reaching out to that IP and when they stop, it seems to stop the incoming flood. Since the IPs rotate regularly, what kind of strategy could I use to block this on the FortiGate? Is it possible to create a rule based on those known IP blacklists?

Debbie_FTNT
Staff & Editor
April 4, 2022

Hey vtvincent,

you could probably use a threat feed for this purpose:

https://docs.fortinet.com/document/fortigate/6.2.0/cookbook/9463/threat-feeds

- FortiGate can receive and regularly update the list of IPs

- traffic to any IP provided via threat feed would be blocked
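As an added example (not from the thread, Fortinet, or the linked doc), a small Python script that does the feed-building side of this approach: it sums the per-source hit counts from udp_flood anomaly entries and renders the sources over a threshold in the one-entry-per-line plain-text address list that a FortiGate external resource fetches over HTTP(S). The log lines are constructed in FortiGate key=value style with documentation IP ranges, and the 100-hit threshold is an assumption.

```python
import re
from collections import Counter

# Constructed sample log lines in FortiGate key=value style (not from the thread).
# Source/destination addresses are TEST-NET ranges; counts are made up.
SAMPLE_LOGS = """\
date=2022-03-21 time=09:14:28 type="anomaly" subtype="anomaly" srcip=203.0.113.10 dstip=198.51.100.5 proto=17 dstport=443 attack="udp_flood" action="clear_session" count=812
date=2022-03-21 time=09:14:29 type="anomaly" subtype="anomaly" srcip=203.0.113.10 dstip=198.51.100.5 proto=17 dstport=443 attack="udp_flood" action="clear_session" count=790
date=2022-03-21 time=09:14:29 type="anomaly" subtype="anomaly" srcip=203.0.113.77 dstip=198.51.100.5 proto=17 dstport=8443 attack="udp_flood" action="clear_session" count=35
date=2022-03-21 time=09:14:30 type="traffic" subtype="forward" srcip=192.0.2.4 dstip=203.0.113.10 proto=17 dstport=443 action="accept"
"""

# key=value pairs; values are either a quoted string or a run of non-space characters
KV_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')


def parse_line(line):
    """Parse one key=value log line into a dict with surrounding quotes stripped."""
    return {k: v.strip('"') for k, v in KV_RE.findall(line)}


def udp_flood_sources(log_text, min_total_count=100):
    """Sum the 'count' field of udp_flood anomaly entries per source IP and
    return (ip, total) pairs at or above the threshold, most active first.
    Non-anomaly lines (e.g. ordinary traffic logs) are ignored."""
    totals = Counter()
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec.get("type") != "anomaly" or rec.get("attack") != "udp_flood":
            continue
        try:
            totals[rec["srcip"]] += int(rec.get("count", 0))
        except (KeyError, ValueError):
            continue  # malformed entry: skip rather than abort the whole run
    return [(ip, n) for ip, n in totals.most_common() if n >= min_total_count]


def render_threat_feed(entries):
    """Render the plain-text address list: one IP or CIDR per line.
    Host the output on a web server and point a FortiGate external resource
    of type 'address' at its URL so the list is re-fetched on a schedule."""
    return "".join(f"{ip}/32\n" for ip, _ in entries)


if __name__ == "__main__":
    print(render_threat_feed(udp_flood_sources(SAMPLE_LOGS)), end="")
```

A firewall policy that uses the feed as its destination address blocks the clients' outbound connections to the listed servers, which is the direction that matters here since the clients initiate the exchange. Because the thread notes the VPN IPs rotate, regenerate the file on a schedule no slower than the FortiGate's refresh interval.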


davzy
New Member
February 12, 2026

If it’s only during school hours, timing is your biggest clue.

“Excessive VPN use” doesn’t usually cause inbound UDP floods; that sounds unlikely. Check whether the traffic is truly distributed (many random/spoofed IPs = real DDoS) or concentrated from certain ranges.

Quick checks:

  • Is it targeting a specific UDP port (VPN, DNS, VoIP, gaming)?

  • Are any public-facing services exposed?

  • Could you be running an open DNS/NTP service?

Since it’s being dropped already, now’s the time to strengthen DDoS attack prevention: enable UDP rate limiting, tighten geo/IP filtering, and confirm your ISP can provide scrubbing if volume spikes.

Follow the ports and source IP patterns. That’s where the answer usually hides.