vtvincent
New Contributor

DDoS UDP Flood

I'm having an odd situation were we're getting DDoS'd with UDP floods, only during the school day. It hasn't been enough to take us down, but was enough to get the attention of our ISP and show up in our FortiGate. The ISP couldn't seem to provide much info about why this was happening, but they seem to think it's "excessive VPN use" by our students. I've done a lot of digging through our FortiAnalyzer and really can't see much out of the ordinary other than the incoming flood that is being dropped. Any thoughts about what might trigger this or where else to look?

vponmuniraj
Staff

Hi Vincent,

UDP floods are common if the threshold set is too low and users use audio/video conferencing on a daily basis.

Can you attach the logs that indicate a UDP flood attack is taking place? We can do a reverse lookup for the source IPs to understand where the traffic is coming from.

Regards,

Vignesh
AlexC-FTNT
Staff

A DDoS attack can only be dropped by the FortiGate, but the attack may prevent your FortiGate (or internal services) from being accessible from the outside. A successful DDoS filter must be placed as close to the source as possible (in this case in the ISP infra). For this, you need to see the logs and identify the source/destination/ports used for the attack. This way you can see if the traffic is legitimate VPN traffic or an attack. I guess that repeated connection attempts (retries) from students may cause this, but you need to see what ports are used. "Excessive VPN" may trigger the DDoS alarm on the ISP, who in turn need to adjust their thresholds (and not block it, if this traffic is legitimate).


- Toss a 'Like' to your fixxer, oh Valley of Plenty! and chose the solution, too00oo -
vtvincent
New Contributor

It does appear to be "legitimate" VPN traffic, here's what I'm seeing in the Anomaly log on the FortiGate and a sample of what the destination by the first source looks like in the FortiAnalyzer. I also looked up a handful of those IPs and most seem to go back to DigitalOcean. While the traffic is technically legitimate and not a DDoS attack in this case, we still do not want our students using VPNs to bypass our content filters.

[Two screenshots attached, 2022-03-21: the FortiGate anomaly log and the FortiAnalyzer view of the first source's destinations]

63kk0
New Contributor II

A bit late to the party, but it looks like the kids at your school have figured out that they can bypass your content filters through the use of free, anonymous VPN plugins. I would check their use of Chrome browser plugins, and require that they be logged into their school managed Google account when using the browser. You can control what plugins they are allowed to use from Chrome.

AlexC-FTNT
Staff

I am not a security analyst, but these logs don't look like regular traffic to me.

You can't consider continuous attempts from a public IP, repeating 800 times per second, to be regular traffic. According to these logs, the traffic is continuously and repeatedly hitting the FortiGate. For example, the IP in the selected log is clearly blacklisted on multiple sites:

https://mxtoolbox.com/SuperTool.aspx?action=blacklist%3a104.131.19.108&run=toolpage


- Toss a 'Like' to your fixxer, oh Valley of Plenty! and chose the solution, too00oo -
vtvincent

From what digging I've done, it does seem to be associated with SkyVPN. The handful of free VPNs they're using seem to just scan through lists of their IPs and ports until they find one that works. In that example, the client is reaching out to that IP and when they stop, it seems to stop the incoming flood. Since the IPs rotate regularly, what kind of strategy could I use to block this on the FortiGate? Is it possible to create a rule based on those known IP blacklists?

Debbie_FTNT

Hey vtvincent,

you could probably use a threat feed for this purpose:

https://docs.fortinet.com/document/fortigate/6.2.0/cookbook/9463/threat-feeds

- FortiGate can receive and regularly update the list of IPs
- traffic to any IP provided via the threat feed would be blocked

+++ Divide by Cucumber Error. Please Reinstall Universe and Reboot +++
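Since the thread turns on two things, deciding from the anomaly logs which sources really are hammering the firewall (800 hits per second vs. a few retries) and then feeding the resulting IPs to the FortiGate as a threat feed, here is a small Python script that walks through both. It is an added example, not code from anyone in this thread or from Fortinet. The log lines, IPs, CIDRs and the 500 pps threshold are all constructed; the key=value layout and field names (srcip, dstip, dstport, eventtime, count) follow FortiGate's log style, but eventtime is taken as epoch seconds here for simplicity, and the one-entry-per-line feed layout is assumed to match what the external IP address threat feed reads (check it against your FortiOS version).

```python
"""Added example (not from this thread): rate FortiGate anomaly-log sources
and build a threat-feed list from the sources that exceed a threshold.

All log lines, IPs, CIDRs and thresholds below are constructed. Field names
follow FortiGate's key=value log style; every value is invented.
"""
from collections import defaultdict
import ipaddress
import re

# Constructed sample anomaly logs: one line per source per second,
# eventtime expressed as epoch seconds, count = packets seen that second.
SAMPLE_LOGS = [
    'date=2022-03-21 time=09:21:14 type="anomaly" eventtime=1000 srcip=198.51.100.10 dstip=203.0.113.5 dstport=443 proto=17 attack="udp_flood" count=800',
    'date=2022-03-21 time=09:21:15 type="anomaly" eventtime=1001 srcip=198.51.100.10 dstip=203.0.113.5 dstport=443 proto=17 attack="udp_flood" count=820',
    'date=2022-03-21 time=09:21:14 type="anomaly" eventtime=1000 srcip=192.0.2.44 dstip=203.0.113.5 dstport=53 proto=17 attack="udp_flood" count=3',
    'date=2022-03-21 time=09:21:16 type="anomaly" eventtime=1002 srcip=198.51.100.11 dstip=203.0.113.5 dstport=443 proto=17 attack="udp_flood" count=790',
]

# Constructed stand-in for a reputation list (the kind of CIDRs a threat feed carries).
KNOWN_BAD_CIDRS = ["198.51.100.0/24"]

# key=value pairs, with quoted values allowed to contain spaces.
KV_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')


def parse_log_line(line):
    """Turn one FortiGate-style key=value line into a dict, stripping quotes."""
    return {k: v.strip('"') for k, v in KV_RE.findall(line)}


def aggregate_sources(lines):
    """Per source IP: total packets and the first/last second it was seen."""
    stats = defaultdict(lambda: {"packets": 0, "first": None, "last": None})
    for line in lines:
        rec = parse_log_line(line)
        if rec.get("type") != "anomaly":
            continue
        s = stats[rec["srcip"]]
        t = int(rec["eventtime"])
        s["packets"] += int(rec.get("count", 1))
        s["first"] = t if s["first"] is None else min(s["first"], t)
        s["last"] = t if s["last"] is None else max(s["last"], t)
    return dict(stats)


def packets_per_second(entry):
    """Average rate over the seconds the source was active (inclusive window)."""
    window = entry["last"] - entry["first"] + 1
    return entry["packets"] / window


def flag_sources(stats, pps_threshold):
    """Sources whose sustained rate exceeds the threshold, highest rate first.
    A handful of retries (a few pps) stays below it; a flood does not."""
    hot = [(ip, packets_per_second(e)) for ip, e in stats.items()
           if packets_per_second(e) > pps_threshold]
    return [ip for ip, _ in sorted(hot, key=lambda x: x[1], reverse=True)]


def in_feed(ip, cidrs):
    """True if the IP falls inside any CIDR of the reputation list."""
    addr = ipaddress.ip_address(ip)
    return any(addr in ipaddress.ip_network(c) for c in cidrs)


def build_feed(ips):
    """One entry per line, sorted: the plain-text layout assumed here for a
    FortiGate external IP address threat feed."""
    return "".join(f"{ip}\n" for ip in sorted(ips, key=ipaddress.ip_address))


if __name__ == "__main__":
    stats = aggregate_sources(SAMPLE_LOGS)
    flagged = flag_sources(stats, pps_threshold=500)
    for ip in flagged:
        tag = "listed" if in_feed(ip, KNOWN_BAD_CIDRS) else "unlisted"
        print(f"{ip}: {packets_per_second(stats[ip]):.0f} pps ({tag})")
    print(build_feed(flagged), end="")
```

On the constructed input this flags 198.51.100.10 (810 pps) and 198.51.100.11 (790 pps) and leaves 192.0.2.44 (3 pps) alone; the output of build_feed is what you would publish on an internal web server for the FortiGate to fetch as its threat feed. Because the VPN endpoints rotate, regenerating the list on a schedule matters more than any single entry in it.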
rosiebown
New Contributor

It seems like you are experiencing DDoS attacks with UDP floods specifically during the school day, and your ISP suspects that excessive VPN use by students may be the cause. Here are some thoughts and suggestions on how to address this issue:

Confirm VPN usage: Verify if there is indeed excessive VPN usage by students during the school day. Check if there are any specific VPN services or applications being widely used. You can monitor network traffic or consult with your network administrator to gather this information.

Besides this, I had problems with hackers when I tried to plagiarism-check my writing for school. This happened because I allowed them to look at the documents on my laptop, and they were stolen. Since then I am much more careful when I choose sources and give permissions to them. I can recommend this source, https://paperell.net/plagiarism-free-essay-writing, because I use it personally; it offers plagiarism-free writing, and from here you can find writings that are definitely not plagiarized and are written quite well. I have already used it many times and I am satisfied every time.
