Anomaly - udp_flood
Hello forum,
We are getting a lot of anomalies based on the udp_flood attack.
Is this something we should worry about? What are the best practices for working out whether these anomaly, intrusion prevention, etc. detections are false positives or not?
We also have FortiAnalyzer, but we don't have much knowledge of it yet, since I haven't started any NSE5 preparation.
Labels: FortiAnalyzer, FortiGate
What do you have your DoS policies set to? Do you actually need UDP_Flood protection? I have seen many, many false positives of this alert for customers that use Zscaler or other UDP tunneling apps/clients. What is that source IP? Is it something you recognize?
Hello Adam,
Yes, we have it configured, but it was configured by our former external company, so I'm not sure why and how they configured it.
We have 2 WAN connections, and it's the same setting for both of them:
Hi @Infotech22,
You should set the action to Block for better security. However, your thresholds are low, which can cause false positives. You can adjust them accordingly.
Regards,
My money is also on false positive. Why did your external vendor configure these thresholds? And why is it only set to Monitor?
I really don't know why they did it like that.
There was no explanation regarding this.
You can verify whether the source IP address is one you recognize or trust. If yes, then you can consider increasing the threshold value for this source IP, or set the action to monitor where this IP address is the source.
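A small triage script, added here as an example and not part of the thread, that does the check described above over FortiGate anomaly logs: it groups udp_flood events by source IP, flags sources inside networks you recognise, and shows how far each source's peak exceeded the configured threshold. The log lines, the trusted network, and the threshold are constructed for the example; the field names follow the usual FortiGate key=value layout, and the `count` field is assumed to carry the packet count that tripped the anomaly.

```python
import re
import ipaddress
from collections import defaultdict

# Constructed sample anomaly log lines (not from the original thread).
SAMPLE_LOGS = """\
date=2024-05-01 time=10:00:01 type="anomaly" subtype="anomaly" level="alert" srcip=198.51.100.20 dstip=203.0.113.5 proto=17 action="detected" attack="udp_flood" count=2500
date=2024-05-01 time=10:00:02 type="anomaly" subtype="anomaly" level="alert" srcip=198.51.100.20 dstip=203.0.113.5 proto=17 action="detected" attack="udp_flood" count=2700
date=2024-05-01 time=10:00:05 type="anomaly" subtype="anomaly" level="alert" srcip=192.0.2.77 dstip=203.0.113.5 proto=17 action="detected" attack="udp_flood" count=2100
date=2024-05-01 time=10:00:09 type="anomaly" subtype="anomaly" level="alert" srcip=198.51.100.20 dstip=203.0.113.5 proto=17 action="detected" attack="udp_flood" count=3000
date=2024-05-01 time=10:01:00 type="anomaly" subtype="anomaly" level="alert" srcip=192.0.2.77 dstip=203.0.113.5 proto=17 action="detected" attack="udp_flood" count=9000
"""

# Assumed: ranges the admin recognises (e.g. a SaaS/VPN provider's egress network).
TRUSTED_NETWORKS = [ipaddress.ip_network("198.51.100.0/24")]

# Matches key=value pairs, with or without double quotes around the value.
KV_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')


def parse_line(line):
    """Turn one key=value log line into a dict, stripping surrounding quotes."""
    return {k: v.strip('"') for k, v in KV_RE.findall(line)}


def triage(log_text, threshold, trusted=TRUSTED_NETWORKS):
    """Group udp_flood anomalies by source IP and summarise what a reviewer needs."""
    hits = defaultdict(list)
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec.get("type") == "anomaly" and rec.get("attack") == "udp_flood":
            hits[rec["srcip"]].append(int(rec.get("count", 0)))
    report = {}
    for src, counts in hits.items():
        known = any(ipaddress.ip_address(src) in net for net in trusted)
        peak = max(counts)
        # Simple heuristic: a recognised source, or a peak only slightly above the
        # threshold, points to tuning (raise threshold / allowlist) rather than a flood.
        verdict = "review threshold / allowlist" if known or peak < 2 * threshold else "investigate"
        report[src] = {
            "events": len(counts),
            "peak_count": peak,
            "trusted": known,
            "margin_pct": round(100.0 * (peak - threshold) / threshold, 1),
            "verdict": verdict,
        }
    return report
```

Run `triage(SAMPLE_LOGS, threshold=2000)` on an export from FortiAnalyzer to get one row per source IP; sources that are trusted or barely over the threshold are the ones whose thresholds or actions are worth revisiting first.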
Hello,
What are the default values for this?
The IP address is not something that we know of, but it's not the only one; we have 5-10 IP addresses showing here, sometimes even more. So I don't know whether they are false positives only because of the low threshold, or whether it's something I need to worry about.
Policy & Objects >> IPv4 DoS Policy >> Create New; you should see the default values there.