
Secospace USG6300 UDP flood attack

Publication Date: 2017-08-10
Issue Description

1. Networking

The following figure shows the customer networking: two USG6370 firewalls are deployed in hot standby (mirror) mode as the border firewall connecting the internal and external networks. Some servers on the internal network are configured as NAT servers (nat-server).

2. Fault

Customer services are interrupted unexpectedly, traffic on some ports increases, and CPU usage is abnormal.

Alarm Information

Jun 16 2017 03:02:27+03:00 USG6300 %%01PHY/4/PACKETDROP(l)[0]:Packets was dropped by phylayer. detail:PIP drop packet. Hardware Pool Num is 4187.

Jun 16 2017 02:39:53+03:00 USG6300 %%01NLOG/2/DISKFULL(l)[1]:traffic-origin logs have taken up 85% of the reserved storage space for this type of logs.(SyslogId=0)

Jun 16 2017 02:39:50+03:00 USG6300 %%01PHY/4/PACKETDROP(l)[2]:Packets was dropped by phylayer. detail:PIP drop packet. Hardware Pool Num is 4186.

Jun 16 2017 02:38:48+03:00 USG6300 %%01PHY/4/PACKETDROP(l)[3]:Packets was dropped by phylayer. detail:PIP drop packet. Hardware Pool Num is 4179.

Jun 16 2017 02:37:16+03:00 USG6300 %%01PHY/4/PACKETDROP(l)[4]:Packets was dropped by phylayer. detail:PIP drop packet. Hardware Pool Num is 4207.

Jun 16 2017 02:34:24+03:00 USG6300 %%01PHY/4/PACKETDROP(l)[5]:Packets was dropped by phylayer. detail:PIP drop packet. Hardware Pool Num is 4220.

Handling Process

1. Check the device configuration. No exception is found.

2. Check the port traffic. Traffic on some interfaces is abnormal.

#
HRP_M[USG6300]dis int b
Interface                  PHY   Protocol  InUti OutUti   inErrors  outErrors
GigabitEthernet1/0/0        up   up           0% 62.43%         0          0   // Internet outbound
GigabitEthernet1/0/1        up   up        0.03%    0%         0          0   // intranet interface 1
GigabitEthernet1/0/4        up   up       62.40%    0%         0          0   // intranet interface 2
#

The traffic entering from the intranet is abnormal; it congests the Internet egress and, as a result, services are interrupted.

Check the intranet interface. A large number of unicast packets is found:

#

HRP_M[USG6300]display interface GigabitEthernet 1/0/4
2017-06-18 12:04:06.400 +03:00
GigabitEthernet1/0/4 current state : UP
Line protocol current state : UP
Max input bit rate: 649296048 bits/sec at 2017-06-16 15:02:49                // 649 Mbps, the traffic peak on 6/16
Max output bit rate: 28034480 bits/sec at 2017-06-16 15:02:09
Max input packet rate: 696082 packets/sec at 2017-06-16 15:30:34
Max output packet rate: 2850 packets/sec at 2017-06-16 15:12:43
Last 300 seconds input rate 78158218  bytes/sec, 674106  packets/sec
Last 300 seconds output rate 1117  bytes/sec, 12  packets/sec
    Input: 2046692752 packets, 237556914607 bytes
          2046676996 unicasts, 9044 broadcasts, 6712 multicasts, 0 pauses       // almost all of the packets are unicast

#

Check the firewall statistics. It is found that a large number of UDP packets:

#

HRP_M[USG6300-diagnose]disp firewall  statistic system transmitted
2017-06-18 12:44:19.890 +03:00
Transmited statistic information:
                                      Total packets transmitted:2433398292
                                 Total packets byte transmitted:237597691821
                                 Total IPV4 packets transmitted:2419330561
                                     Our IP packets transmitted:643061
                                   Fragment packets transmitted:31
                                        TCP packets transmitted:48161454
                                        UDP packets transmitted:2371167038         // UDP traffic is far higher than TCP traffic
                                       ICMP packets transmitted:2065
                                   Other IP packets transmitted:4

#

Based on these statistics, the firewall is judged to be under a large-scale UDP flood attack.

Enable attack defense on the firewall and on each interface. The configuration is as follows:

#

 bandwidth-limit destination-ip type udp max-speed 50
 anti-ddos syn-flood source-detect alert-rate 800
 anti-ddos udp-flood dynamic-fingerprint-learn

interface GigabitEthernet1/0/4

 anti-ddos flow-statistic enable

#

After the configuration is complete, check the traffic on the port:

#

PHY: Physical
*down: administratively down
(l): loopback
(s): spoofing
(b): BFD down
(d): Dampening Suppressed
InUti/OutUti: input utility/output utility
Interface                   PHY   Protocol  InUti OutUti   inErrors  outErrors
Cellular0/0/0               down  down         0%     0%          0          0
Cellular0/0/1               down  down         0%     0%          0          0
GigabitEthernet0/0/0        down  down         0%     0%          0          0
GigabitEthernet1/0/0        up    up        1.16%  0.32%          0          0                  //the internet interface is normal
GigabitEthernet1/0/1        up    up        0.16%  1.09%          0          0
GigabitEthernet1/0/2        up    up           0%     0%          0          0
GigabitEthernet1/0/3        up    up           0%     0%          0          0
GigabitEthernet1/0/4        up    up       81.91%  0.07%          0          0               //the intranet inbound is high
GigabitEthernet1/0/5        up    up           0%     0%          0          0
GigabitEthernet1/0/6        up    up           0%  0.14%          0          0
GigabitEthernet1/0/7        up    up           0%     0%          0          0

#

After the configuration, the UDP packets are discarded and traffic at the Internet egress returns to normal, but the attack from the intranet still exists. Check the attack defense logs; they show the attack source:

Jun 16 2017 14:41:41+03:00 USG6300 %%01HRPI/4/CORE_STATE(l)[116]:HRP core state changed, old_state = initial, new_state = abnormal(standby), local_priority = 45000, peer_priority = unknown.
Jun 18 2017 13:30:40+03:00 USG6300 %%01ATK/4/FIREWALLATCK(l)[0]:AttackType="UDP-TCP relation defend attack", slot=" ", cpu="0", receive interface="GE1/0/4 ", proto="UDP", src="", dst="255.255.255.255:67 ", begin time="2017-6-18 13:30:16", end time="2017-6-18 13:30:36", total packets="5", max speed="776068", User="", Action="discard".
Jun 18 2017 13:30:40+03:00 USG6300 %%01ATK/4/FIREWALLATCK(l)[1]:AttackType="Udp flood attack", slot=" ", cpu="0", receive interface="GE1/0/4 ", proto="UDP", src="10.15.15.3:11408 10.15.15.1:32311 ", dst="109.158.243.73:20480 162.244.178.183:20480 ", begin time="2017-6-18 13:30:10", end time="2017-6-18 13:30:40", total packets="29071632", max speed="599540", User="", Action="discard".
Jun 18 2017 13:30:10+03:00 USG6300 %%01ATK/4/FIREWALLATCK(l)[2]:AttackType="UDP-TCP relation defend attack", slot=" ", cpu="0", receive interface="GE1/0/4 ", proto="UDP", src="[FE80::1115:E407:BBF5:2BC8]:546 ", dst="255.255.255.255:67 [FF02::1:2]:547 ", begin time="2017-6-18 13:29:43", end time="2017-6-18 13:30:4", total packets="6", max speed="499399", User="", Action="discard".
Jun 18 2017 13:30:10+03:00 USG6300 %%01ATK/4/FIREWALLATCK(l)[3]:AttackType="Udp flood attack", slot=" ", cpu="0", receive interface="GE1/0/4 ", proto="UDP", src="10.15.15.1:19920 10.15.15.3:11408 10.15.15.1:32311 ", dst="162.244.178.183:20480 109.158.243.73:20480 ", begin time="2017-6-18 13:29:40", end time="2017-6-18 13:30:10", total packets="28475337", max speed="599781", User="", Action="discard".
Jun 18 2017 13:29:40+03:00 USG6300 %%01ATK/4/FIREWALLATCK(l)[4]:AttackType="udp bandwidth-limit", slot=" ", cpu="0", receive interface="", proto="UDP", src="", dst="80.193.42.147 ", begin time="2017-6-18 13:29:25", end time="2017-6-18 13:29:25", total packets="1", max speed="322814", User="", Action="discard".
Jun 18 2017 13:29:40+03:00 USG6300 %%01ATK/4/FIREWALLATCK(l)[5]:AttackType="UDP-TCP relation defend attack", slot=" ", cpu="0", receive interface="GE1/0/4 ", proto="UDP", src="", dst="255.255.255.255:67 ", begin time="2017-6-18 13:29:16", end time="2017-6-18 13:29:39", total packets="8", max speed="743198", User="", Action="discard".

#

Contact the customer to check the two servers 10.15.15.3 and 10.15.15.1. After the customer checks the servers, the fault is rectified.
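To show how the attack source can be read out of these ATK/4/FIREWALLATCK logs in bulk rather than by eye, here is an added Python example (not from the original case or from Huawei): it parses the key="value" fields, strips the ports from src/dst, and aggregates discarded packets, peak rate and distinct source hosts per attack type. The sample lines are copied from the logs above (one unrelated HRP line is included to show it is skipped); the field names are taken from the log format as shown.

```python
import re
from collections import defaultdict

# Constructed sample: three FIREWALLATCK lines from the case above plus one unrelated HRP line.
SAMPLE_LOGS = """\
Jun 18 2017 13:30:40+03:00 USG6300 %%01ATK/4/FIREWALLATCK(l)[1]:AttackType="Udp flood attack", slot=" ", cpu="0", receive interface="GE1/0/4 ", proto="UDP", src="10.15.15.3:11408 10.15.15.1:32311 ", dst="109.158.243.73:20480 162.244.178.183:20480 ", begin time="2017-6-18 13:30:10", end time="2017-6-18 13:30:40", total packets="29071632", max speed="599540", User="", Action="discard".
Jun 18 2017 13:30:10+03:00 USG6300 %%01ATK/4/FIREWALLATCK(l)[3]:AttackType="Udp flood attack", slot=" ", cpu="0", receive interface="GE1/0/4 ", proto="UDP", src="10.15.15.1:19920 10.15.15.3:11408 10.15.15.1:32311 ", dst="162.244.178.183:20480 109.158.243.73:20480 ", begin time="2017-6-18 13:29:40", end time="2017-6-18 13:30:10", total packets="28475337", max speed="599781", User="", Action="discard".
Jun 18 2017 13:29:40+03:00 USG6300 %%01ATK/4/FIREWALLATCK(l)[4]:AttackType="udp bandwidth-limit", slot=" ", cpu="0", receive interface="", proto="UDP", src="", dst="80.193.42.147 ", begin time="2017-6-18 13:29:25", end time="2017-6-18 13:29:25", total packets="1", max speed="322814", User="", Action="discard".
Jun 16 2017 14:41:41+03:00 USG6300 %%01HRPI/4/CORE_STATE(l)[116]:HRP core state changed, old_state = initial, new_state = abnormal(standby).
"""

ATK_RE = re.compile(r'%%01ATK/4/FIREWALLATCK\(l\)\[\d+\]:(.*)$')
FIELD_RE = re.compile(r'(?:^|, )([A-Za-z][A-Za-z ]*)="([^"]*)"')


def host_of(endpoint):
    """Drop ':port' from 'a.b.c.d:port' or '[v6]:port'; bare addresses pass through."""
    if endpoint.startswith("["):
        return endpoint[: endpoint.index("]") + 1]
    return endpoint.rsplit(":", 1)[0] if endpoint.count(":") == 1 else endpoint


def parse_firewallatck(line):
    """Return the fields of one ATK/4/FIREWALLATCK log line, or None for any other log."""
    m = ATK_RE.search(line)
    if not m:
        return None
    fields = {k.strip(): v.strip() for k, v in FIELD_RE.findall(m.group(1))}
    # src/dst hold space-separated endpoints; keep only the host so sources can be counted.
    fields["src"] = [host_of(ep) for ep in fields.get("src", "").split()]
    fields["dst"] = [host_of(ep) for ep in fields.get("dst", "").split()]
    fields["total packets"] = int(fields.get("total packets", "0"))
    fields["max speed"] = int(fields.get("max speed", "0"))
    return fields


def summarize(log_text):
    """Aggregate discarded packets, peak pps and distinct source hosts per attack type."""
    summary = defaultdict(lambda: {"packets": 0, "max speed": 0, "sources": set()})
    for line in log_text.splitlines():
        f = parse_firewallatck(line)
        if f is None or f.get("Action") != "discard":
            continue
        s = summary[f["AttackType"]]
        s["packets"] += f["total packets"]
        s["max speed"] = max(s["max speed"], f["max speed"])
        s["sources"].update(f["src"])
    return dict(summary)
```

Running summarize(SAMPLE_LOGS) reports the two internal hosts 10.15.15.3 and 10.15.15.1 as the only sources of the "Udp flood attack" entries, which is exactly what was handed to the customer to check.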

Root Cause

A large-scale UDP flood attack originates from the operator's internal network, which makes the port traffic abnormal. At the same time, because the large number of UDP packets has to be processed by the CPU, the firewall CPU usage becomes abnormal and services are interrupted.

Solution

After UDP flood attack defense is configured and enabled on the firewall, the firewall no longer forwards these UDP packets, and the traffic on the outbound interface decreases.

However, because the device is a box-shaped firewall of the USG6000 series, attack packets are still processed by the CPU as long as they keep arriving, and the traffic on the attacked port keeps increasing. The fault is rectified only after the customer checks the attack source.

Suggestions

For newly deployed network access devices, you are advised to configure a basic attack defense policy.

END