Help
Support Forum
The Forums are a place to find answers on a range of Fortinet products from peers and product experts.
Infotech22
Contributor

Created on ‎11-30-2023 03:26 AM

Anomaly - udp_flood

Hello forum,

We got a lot of Anomalies with udp_flood attack base.

 

Is this something we should worry about, what is the best practices on trying to resolve if those attacks like anomalies, intrusion preventions etc are false possitive or not
udp_flood.png

We have FortiAnalyzer also but don't have so much knoweledge about it since I didn't started any NSE5 preparation. 

Labels:
1762
0 Kudos
8 REPLIES 8
adambomb1219
SuperUser
SuperUser

Created on ‎11-30-2023 05:31 AM

What do you have your DoS policies set to?  Do you actually need UDP_Flood protection?  I have seen many, many false positives of this alert for customers that use Zscaler or other UDP tunneling apps/clients.  What is that source IP?  Is it something you recognize? 

1744
0 Kudos
Infotech22
Contributor
In response to adambomb1219

Created on ‎11-30-2023 05:41 AM

Hello Adam,

Yes we have it configured but it was configured from our ex external company so I'm not sure why and how they configured it.

We have 2 WAN connections and its the same setting for both of them:

 

ddos policy.png

1741
hbac
Staff
Staff
In response to Infotech22

Created on ‎11-30-2023 07:29 AM

Hi @Infotech22,

 

You should set action to Block for better security. However, your thresholds are low which can cause false positive. You can adjust them accordingly. 

 

Regards, 

1732
adambomb1219
SuperUser
SuperUser
In response to Infotech22

Created on ‎12-01-2023 04:58 AM

My money is also on false positive.  Why did your external vendor configure these thresholds?  And why is it only set to Monitor?

1690
0 Kudos
Infotech22
Contributor
In response to adambomb1219

Created on ‎12-01-2023 05:21 AM

I really don' know why they do it like that..
There we no explanation regarding this.

1681
0 Kudos
pbangari
Staff
Staff

Created on ‎11-30-2023 11:33 PM

You can verify if the source IP address is something you recognize or trusted one if yes, then you can consider to increase the threshold value for this source IP or set the action to monitor where this IP address is called as the source.

1713
Infotech22
Contributor
In response to pbangari

Created on ‎11-30-2023 11:37 PM

Hello,

What are the default values for this?
IP address is not something that we know off, but it's not the only one, we have from 5-10 IP addresses that are showing here, sometimes even more. So I don't know are they false positive only because of low threshold or it's something that I need to worry about

 

1710
0 Kudos
pbangari
Staff
Staff
In response to Infotech22

Created on ‎12-01-2023 05:15 AM

Policy & Objects >> IPv4 DoS policy>> create new, you should see default values.

1684
Announcements

Select Forum Responses to become Knowledge Articles!

Select the “Nominate to Knowledge Base” button to recommend a forum post to become a knowledge article.

Labels
Top Kudoed Authors
View all
Broad. Integrated. Automated.

The Fortinet Security Fabric brings together the concepts of convergence and consolidation to provide comprehensive cybersecurity protection for all users, devices, and applications and across all network edges.

Social Media
Security Research
Company
News & Articles
Contact Us

Copyright 2024 Fortinet, Inc. All Rights Reserved.