powerlin_g93
New Member
August 17, 2017
Question

UDP Flood Log line understanding

  • August 17, 2017
  • 1 reply
  • 5556 views
Hi,

In the log line below, what does this "793 times" represent?

And what does this threshold represent?

Can we consider this single log an attack, or do we need to correlate many logs?


Aug 10 19:28:44 192.2.200.144 date=2017-08-10 time=19:28:49 devname=GGHL-FG-TTC-SECONDRY devid=FG20101119 logid=0720018432 type=anomaly subtype=anomaly level=alert vd=root severity=critical srcip=192.168.192.82 srccountry="United States" dstip=199.36.221.149 srcintf="port2" sessionid=0 action=clear_session proto=17 service="VC_Port" count=793 attack="udp_flood" srcport=46503 dstport=61688 attackid=285212772 policyid=3 policytype=DoS-policy ref="http://www.fortinet.com/ids/VID285212772" msg="anomaly: udp_flood, 2001 > threshold 2000, repeats 793 times" crscore=50 crlevel=critical

    1 reply
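The posted line is a FortiGate anomaly log: space-separated key=value fields, with quoted values that may contain spaces. The fields the question asks about all sit in the same record: msg= carries the policy threshold (2000) and the observed value that crossed it (2001), while count= and the "repeats 793 times" phrase carry how many times the crossing repeated within the interval this one log summarises. The following example, added here and not code from the original post or from Fortinet, parses that line, pulls those numbers out, and then shows the correlation step the question asks about by grouping anomaly logs per (srcip, dstip, attack) across a time window. The three follow-on lines, the window_s and min_logs knobs, and the helper names are constructed for illustration and are not FortiGate settings.

```python
import re
from collections import defaultdict
from datetime import datetime

# FortiGate logs are space-separated key=value pairs; a value may be double-quoted
# and then contain spaces (msg="anomaly: udp_flood, ..."). The syslog prefix
# ("Aug 10 19:28:44 192.2.200.144") contains no '=' and is simply skipped.
KV_RE = re.compile(r'(\w+)=("(?:[^"\\]|\\.)*"|\S+)')

# Shape of msg= on FortiGate anomaly logs, as seen in the posted line.
MSG_RE = re.compile(
    r'anomaly:\s*(?P<attack>\w+),\s*(?P<observed>\d+)\s*>\s*threshold\s*(?P<threshold>\d+)'
    r'(?:,\s*repeats\s*(?P<repeats>\d+)\s*times)?'
)

# The line from the question, rejoined onto one line (the forum wrapped it).
POSTED_LOG = (
    'Aug 10 19:28:44 192.2.200.144 date=2017-08-10 time=19:28:49 devname=GGHL-FG-TTC-SECONDRY '
    'devid=FG20101119 logid=0720018432 type=anomaly subtype=anomaly level=alert vd=root '
    'severity=critical srcip=192.168.192.82 srccountry="United States" dstip=199.36.221.149 '
    'srcintf="port2" sessionid=0 action=clear_session proto=17 service="VC_Port" count=793 '
    'attack="udp_flood" srcport=46503 dstport=61688 attackid=285212772 policyid=3 '
    'policytype=DoS-policy ref="http://www.fortinet.com/ids/VID285212772" '
    'msg="anomaly: udp_flood, 2001 > threshold 2000, repeats 793 times" crscore=50 crlevel=critical'
)

# Constructed follow-on logs (not from the post) to exercise correlation: the same
# src/dst pair keeps tripping the DoS policy, plus one unrelated single-shot source.
def _constructed_log(time, srcip, count, observed, repeats):
    return (
        f'Aug 10 {time} 192.2.200.144 date=2017-08-10 time={time} devname=GGHL-FG-TTC-SECONDRY '
        f'type=anomaly subtype=anomaly level=alert srcip={srcip} dstip=199.36.221.149 '
        f'count={count} attack="udp_flood" dstport=61688 policyid=3 policytype=DoS-policy '
        f'msg="anomaly: udp_flood, {observed} > threshold 2000, repeats {repeats} times"'
    )

SAMPLE_LOGS = [
    POSTED_LOG,
    _constructed_log("19:29:49", "192.168.192.82", 410, 2340, 410),
    _constructed_log("19:30:49", "192.168.192.82", 1205, 2101, 1205),
    _constructed_log("19:31:02", "192.168.192.90", 12, 2007, 12),
]


def parse_fortigate_line(line):
    """Return the key=value fields of one FortiGate log line as a dict (quotes stripped)."""
    fields = {}
    for key, raw in KV_RE.findall(line):
        fields[key] = raw[1:-1] if raw.startswith('"') else raw
    return fields


def anomaly_summary(fields):
    """Extract what a responder needs from an anomaly log: the DoS-policy threshold,
    the observed value that crossed it, how many times that crossing repeated within
    the log's aggregation interval (count= / "repeats N times"), and who/where/when.
    Returns None for lines that are not anomaly logs."""
    m = MSG_RE.search(fields.get("msg", ""))
    if fields.get("type") != "anomaly" or not m:
        return None
    return {
        "attack": m.group("attack"),
        "observed": int(m.group("observed")),
        "threshold": int(m.group("threshold")),
        "repeats": int(m.group("repeats")) if m.group("repeats") else None,
        "count": int(fields.get("count", 0)),
        "src": fields.get("srcip"),
        "dst": fields.get("dstip"),
        "dstport": fields.get("dstport"),
        "ts": datetime.strptime(fields["date"] + " " + fields["time"], "%Y-%m-%d %H:%M:%S"),
    }


def correlate(lines, window_s=300, min_logs=3):
    """Group anomaly logs by (srcip, dstip, attack). One log only says the threshold
    was crossed count= times inside one interval; a pair that keeps producing logs
    across a window is the sustained pattern worth escalating as a flood.
    window_s and min_logs are illustrative tuning knobs, not FortiGate settings."""
    groups = defaultdict(list)
    for line in lines:
        s = anomaly_summary(parse_fortigate_line(line))
        if s:
            groups[(s["src"], s["dst"], s["attack"])].append(s)
    verdicts = {}
    for key, events in groups.items():
        events.sort(key=lambda e: e["ts"])
        span = (events[-1]["ts"] - events[0]["ts"]).total_seconds()
        verdicts[key] = {
            "logs": len(events),
            "span_s": span,
            "total_count": sum(e["count"] for e in events),
            "peak_observed": max(e["observed"] for e in events),
            "sustained": len(events) >= min_logs and span <= window_s,
        }
    return verdicts


if __name__ == "__main__":
    for key, verdict in correlate(SAMPLE_LOGS).items():
        print(key, verdict)
```

On the posted line alone, anomaly_summary() reports threshold 2000, observed 2001 and 793 repeats; correlate() over the constructed set marks the 192.168.192.82 to 199.36.221.149 pair as sustained (three logs inside two minutes) and leaves the single-log source unflagged. Whether a sustained verdict is really an attack still depends on what the destination service is, which is the point the reply below makes.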

    andreotta
    New Member
    September 15, 2017

    Hey powerlin.g93,

    It depends.

    A lot of UDP requests in a short amount of time might be valid traffic or an attack/invalid traffic; we need to know about the application.

    For example, Google's QUIC protocol loves to do these 'floods'; in that case it is valid, a characteristic of the application.

    Regards,

    Andre Otta