Support Forum
The Forums are a place to find answers on a range of Fortinet products from peers and product experts.
cheng_yang999
New Contributor

Google drive trigger UDP flood

When the application (Google Drive) uploads or syncs files, the traffic triggers the DoS UDP flood anomaly as below.


itime=1436345294 dstname=tl-in-f116.1e100.net device_id=FG600B3909601201 log_id=18432 subtype=anomaly type=ips pri=alert policyid=0 serial=0 attack_id=285212772 severity=critical sensor=block_flood src=*.*.*.* dst=64.233.189.116 src_port=56355 dst_port=443 src_int=port4 dst_int=N/A status=clear_session proto=17 service=https user=N/A group=N/A ref=http://www.fortinet.com/ids/VID285212772 count=507 incident_serialno=0 msg="anomaly: udp_flood, 2074 > threshold 2000, repeats 507 times" vd=root identidx=0 attack_name=udp_flood intf_policyid=0 date=2015-07-08 time=16:48:14

itime=1436345279 dstname=tl-in-f116.1e100.net device_id=FG600B3909601201 log_id=18432 subtype=anomaly type=ips pri=alert policyid=0 serial=0 attack_id=285212772 severity=critical sensor=block_flood src=….dst=64.233.189.116 src_port=56355 dst_port=443 src_int=port4 dst_int=N/A status=clear_session proto=17 service=https user=N/A group=N/A ref=http://www.fortinet.com/ids/VID285212772 count=699 incident_serialno=0 msg="anomaly: udp_flood, 2001 > threshold 2000, repeats 699 times" vd=root identidx=0 attack_name=udp_flood intf_policyid=0 date=2015-07-08 time=16:47:59


How do I exempt this kind of traffic?

I found the official configuration suggestions at the links below.

How does the FortiGate configure the DoS sensor to pass domain names that include a wildcard (*)?

Does the address object support FQDNs that include a wildcard?

https://support.google.com/drive/answer/2589954?hl=en&ref_topic=14951

https://www.dropbox.com/help/23

1 Solution
MontanaMike

What's the best or preferred way to let these through? The company I work for is a heavy user of Google's apps and we use Chrome because Google's stuff works better with Chrome. At least until the DoS sensor started identifying them as udp_flood and blocking them. Now, when accessing any of the Google stuff, it's slow and it sometimes doesn't seem to respond.

-Mike

2 REPLIES
Morten_Marstrander
New Contributor

Hi,


This is most likely due to Google's experimental QUIC, using UDP on port 443.


See https://www.chromium.org/quic


NSE 4

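Before exempting anything, it is worth confirming from the logs themselves that the blocked floods are the UDP/443 pattern the reply above attributes to QUIC, and which destinations are involved. The following is an added Python example, not code from the original post or from Fortinet. It parses the FortiGate anomaly log format shown in the question (space-separated key=value pairs, with the observed rate and the threshold embedded in msg="..."), flags udp_flood events on UDP port 443, and lists the destination hostnames that would be candidates for an exemption. The first sample line is the first log line from the question (source IP masked as on the page); the second is constructed here to show a UDP flood that is not QUIC-like; the list of Google domain suffixes is an assumption for the example.

```python
import re

# Sample input. Line 1 is copied from the forum post above (src masked as on the page).
# Line 2 is CONSTRUCTED for this example: same sensor, but UDP/1194 to a non-Google host.
SAMPLE_LOGS = [
    'itime=1436345294 dstname=tl-in-f116.1e100.net device_id=FG600B3909601201 log_id=18432 '
    'subtype=anomaly type=ips pri=alert policyid=0 serial=0 attack_id=285212772 severity=critical '
    'sensor=block_flood src=*.*.*.* dst=64.233.189.116 src_port=56355 dst_port=443 src_int=port4 '
    'dst_int=N/A status=clear_session proto=17 service=https user=N/A group=N/A '
    'ref=http://www.fortinet.com/ids/VID285212772 count=507 incident_serialno=0 '
    'msg="anomaly: udp_flood, 2074 > threshold 2000, repeats 507 times" vd=root identidx=0 '
    'attack_name=udp_flood intf_policyid=0 date=2015-07-08 time=16:48:14',
    'itime=1436345300 dstname=N/A device_id=FG600B3909601201 log_id=18432 '
    'subtype=anomaly type=ips pri=alert policyid=0 serial=0 attack_id=285212772 severity=critical '
    'sensor=block_flood src=*.*.*.* dst=198.51.100.7 src_port=40000 dst_port=1194 src_int=port4 '
    'dst_int=N/A status=clear_session proto=17 service=N/A user=N/A group=N/A count=12 '
    'incident_serialno=0 msg="anomaly: udp_flood, 2310 > threshold 2000, repeats 12 times" '
    'vd=root identidx=0 attack_name=udp_flood intf_policyid=0 date=2015-07-08 time=16:48:20',
]

# key=value pairs; a value is either a double-quoted string (may contain spaces) or a bare token
KV_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')
# "2074 > threshold 2000" inside the msg field
MSG_RE = re.compile(r'(\d+)\s*>\s*threshold\s*(\d+)')

# Assumption for this example: hostname suffixes treated as Google infrastructure
GOOGLE_SUFFIXES = ('.1e100.net', '.google.com', '.googleusercontent.com')


def parse_fortigate_log(line):
    """Turn one FortiGate key=value log line into a dict (quotes stripped)."""
    return {k: v.strip('"') for k, v in KV_RE.findall(line)}


def is_quic_like(ev):
    """udp_flood anomaly whose flow is UDP (proto 17) to port 443: QUIC's signature."""
    return (ev.get('attack_name') == 'udp_flood'
            and ev.get('proto') == '17'
            and ev.get('dst_port') == '443')


def is_google_dst(ev):
    """Does the reverse name the firewall logged belong to a Google suffix?"""
    return ev.get('dstname', '').lower().endswith(GOOGLE_SUFFIXES)


def summarize(lines):
    """One record per log line with the fields an operator needs to decide on an exemption."""
    records = []
    for line in lines:
        ev = parse_fortigate_log(line)
        m = MSG_RE.search(ev.get('msg', ''))
        rate, threshold = (int(m.group(1)), int(m.group(2))) if m else (None, None)
        records.append({
            'dst': ev.get('dst'),
            'dstname': ev.get('dstname'),
            'dst_port': ev.get('dst_port'),
            'rate': rate,                 # observed packets/sec reported in msg
            'threshold': threshold,       # configured sensor threshold
            'repeats': int(ev.get('count', 0)),
            'quic_like': is_quic_like(ev),
            'google_dst': is_google_dst(ev),
        })
    return records


def exemption_candidates(records):
    """Hostnames that are both QUIC-like and Google destinations: review these, not all UDP."""
    return sorted({r['dstname'] for r in records if r['quic_like'] and r['google_dst']})


if __name__ == '__main__':
    recs = summarize(SAMPLE_LOGS)
    for r in recs:
        print(r)
    print('candidates:', exemption_candidates(SAMPLE_LOGS and recs))
```

The point of keeping `quic_like` and `google_dst` as separate checks is that a blanket exemption for UDP/443 would also hide genuine floods on that port; exempting only the reviewed Google destinations keeps the sensor useful. The reverse name in `dstname` is whatever the firewall resolved at log time, so confirm the destination against the Google-published ranges linked in the question before relying on it.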