[ScreenOS] What is a UDP flood attack and how does one enable UDP flood protection?

[KB4821]


Summary:

This article explains what a UDP flood attack is and how UDP flood protection is enabled in ScreenOS.

All products running ScreenOS are affected.

Symptoms:

What is a UDP flood attack? How can users protect against it? How is UDP flood protection enabled?

Cause:

User Datagram Protocol (UDP) flooding occurs when an attacker sends IP packets containing UDP datagrams with the purpose of slowing down the victim to the point that it can no longer handle valid connections.

Solution:

User Datagram Protocol (UDP) flooding occurs when an attacker sends IP packets containing UDP datagrams with the purpose of slowing down the victim to the point that it can no longer handle valid connections. By enabling UDP flood protection, the user can set a threshold that, once exceeded, invokes the UDP flood attack protection feature. The default threshold value is 1000 packets per second. If the number of UDP datagrams from one or more sources to a single destination exceeds this threshold, the security device ignores further UDP datagrams to that destination for the remainder of that second plus the next second as well.

Enable UDP Flood Protection

To enable UDP flood protection, complete either of the following procedures, where the specified zone is that in which a flood might originate:

Using WebUI

Navigate to Screening > Screen (Zone: select a zone name). Enter the following, and then click Apply:

UDP Flood Protection: (tick the checkbox)
Threshold: (enter a value to trigger UDP flood protection)

Using CLI

set zone <zone> screen udp-flood threshold <number>
set zone <zone> screen udp-flood

The udp-flood threshold <number> is the number of packets per second allowed to the same destination IP address/port pair.

The valid range is from 1 to 1,000,000.
The value unit is UDP packets per second (pps).
The default value is 1000 packets per second.

After the UDP flood threshold is reached, the security device generates an alert-level alarm and rejects further UDP datagrams from all addresses in the same security zone for the remainder of the current second and the next second as well.

Protect by Zone and Destination Address

Users can protect the security device against UDP flooding by zone and destination address:

Using WebUI

Security > Screening > Screen > Destination IP

Using CLI

The following command enables UDP flood protection at a threshold of 2000 pps for traffic destined to IP address 4.4.4.4 and arriving from the Trust zone.

set zone "Trust" screen udp-flood dst-ip "4.4.4.4" threshold 2000

Note: The two commands above can be combined to fine-tune UDP flood protection. For example, you might want to protect a specific host (192.168.5.1) at a different threshold than all other destination IP addresses, such as a DNS server that is expected to receive much more UDP traffic than other hosts.

Configuring a Separate Threshold

Configuring UDP flood protection as follows will allow for a separate threshold for the specific (192.168.5.1) host:

WebUI

Security > Screening > Screen > Destination IP

AND

Screening > Screen (Zone: select a zone name). Enter the following, and then click Apply:

UDP Flood Protection: (tick the checkbox)
Threshold: (enter a value to trigger UDP flood protection)


CLI

set zone Untrust screen udp-flood threshold 2000
AND
set zone Untrust screen udp-flood dst-ip 192.168.5.1 threshold 5000
set zone Untrust screen udp-flood

This configuration will:

  • Set the UDP flood threshold to 2000 pps for all traffic coming from the Untrust zone
  • Exempt ("white-list") destination IP 192.168.5.1 from the general Untrust zone threshold of 2000 pps
  • Apply a threshold of 5000 pps to all traffic coming from the Untrust zone to destination IP 192.168.5.1
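The following is an added example, not code from the article or from ScreenOS: a small model of the UDP flood screen semantics described above (threshold per second, drop for the remainder of the current second plus the next second, one alarm per event) together with the per-destination override from the configuration just shown. Assumptions, labelled in the code: counting is per destination IP/port pair as the CLI section states, a per-destination-IP threshold replaces the zone threshold for that IP, and the traffic fed through it is constructed, not captured. It is useful for reasoning about what a candidate threshold will actually drop before committing it to a device.

```python
# Added example (not from the KB article): a model of the UDP flood screen
# semantics described above, used to reason about what a threshold will drop.
# Assumptions: counting is per destination IP/port pair, a per-destination-IP
# threshold overrides the zone threshold, and once the threshold is exceeded
# further datagrams to that destination are dropped for the rest of the current
# second plus the whole next second, with one alarm raised per block event.
from collections import defaultdict


class UdpFloodScreen:
    """Zone-level UDP flood screen with optional per-destination-IP thresholds."""

    def __init__(self, zone_threshold=1000, dst_ip_thresholds=None):
        self.zone_threshold = zone_threshold            # ScreenOS default is 1000 pps
        self.dst_ip_thresholds = dict(dst_ip_thresholds or {})
        self._count = defaultdict(int)     # datagrams seen this second, per (ip, port)
        self._count_second = {}            # which second the counter belongs to
        self._blocked_through = {}         # last second index in which drops apply
        self.alarms = []                   # (second, dst_ip, dst_port, threshold)

    def threshold_for(self, dst_ip):
        """Per-destination-IP override if configured, else the zone threshold."""
        return self.dst_ip_thresholds.get(dst_ip, self.zone_threshold)

    def process(self, ts, dst_ip, dst_port):
        """Return 'pass' or 'drop' for one UDP datagram seen at time ts (seconds)."""
        key = (dst_ip, dst_port)
        sec = int(ts)
        if self._count_second.get(key) != sec:      # new second: restart the counter
            self._count_second[key] = sec
            self._count[key] = 0
        if sec <= self._blocked_through.get(key, -1):
            return "drop"                           # still inside the block window
        self._count[key] += 1
        if self._count[key] > self.threshold_for(dst_ip):
            # Threshold exceeded: alarm once, then drop for the rest of this
            # second and all of the next one.
            self._blocked_through[key] = sec + 1
            self.alarms.append((sec, dst_ip, dst_port, self.threshold_for(dst_ip)))
            return "drop"
        return "pass"


def simulate(screen, packets):
    """Run (ts, dst_ip, dst_port) tuples through the screen; tally pass/drop per dst_ip."""
    tally = defaultdict(lambda: {"pass": 0, "drop": 0})
    for ts, dst_ip, dst_port in packets:
        tally[dst_ip][screen.process(ts, dst_ip, dst_port)] += 1
    return dict(tally)


def kb_example():
    """The article's configuration (zone 2000 pps, 192.168.5.1 at 5000 pps) against
    constructed traffic: a 2500 pps burst to an ordinary host followed by a trickle,
    plus a 3000 pps burst to the DNS host that is expected to receive more UDP."""
    screen = UdpFloodScreen(zone_threshold=2000, dst_ip_thresholds={"192.168.5.1": 5000})
    packets = []
    packets += [(i / 2500, "10.0.0.9", 53) for i in range(2500)]      # second 0: burst
    packets += [(1 + i / 100, "10.0.0.9", 53) for i in range(100)]    # second 1: trickle
    packets += [(2 + i / 100, "10.0.0.9", 53) for i in range(100)]    # second 2: trickle
    packets += [(i / 3000, "192.168.5.1", 53) for i in range(3000)]   # second 0: DNS burst
    packets.sort(key=lambda p: p[0])
    return simulate(screen, packets), screen.alarms


if __name__ == "__main__":
    tally, alarms = kb_example()
    for ip, counts in sorted(tally.items()):
        print(ip, counts)
    print("alarms:", alarms)
```

With the article's thresholds, the burst to 10.0.0.9 passes its first 2000 datagrams, drops the remaining 500 plus the whole trickle in the following second, and recovers in the second after that, while the 3000 pps burst to 192.168.5.1 passes untouched because its own 5000 pps threshold applies.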

After applying this configuration, you can verify these settings with:

Netscreen -> get zone Untrust screen

Screen function only generate alarm without dropping packet: OFF.
Screen function apply to traffic exiting tunnels: OFF.
UDP flood protection(2000) on
      192.168.5.1(5000) on
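As an added example (not part of the article, and not a ScreenOS tool), the following parses `get zone <zone> screen` output in the shape shown above and audits it against a simple policy: protection enabled, alarm-only mode off, zone threshold within a maximum, and an active per-destination entry for each host that needs one. The sample output is constructed to match the lines shown in the article; any other line shapes the device might print are not handled here.

```python
# Added example (not from the KB article): parse the `get zone <zone> screen`
# output shown above so UDP flood settings can be audited across many devices.
# The sample is constructed from the article's output; other line shapes are
# assumed not to occur and are ignored.
import re

SAMPLE_OUTPUT = """\
Screen function only generate alarm without dropping packet: OFF.
Screen function apply to traffic exiting tunnels: OFF.
UDP flood protection(2000) on
      192.168.5.1(5000) on
"""

ALARM_ONLY_LINE = re.compile(
    r"^Screen function only generate alarm without dropping packet: (ON|OFF)\.$")
ZONE_LINE = re.compile(r"^UDP flood protection\((\d+)\) (on|off)$")
# Indented per-destination entries follow the zone line: "<ip>(<threshold>) on|off".
DST_LINE = re.compile(r"^\s+(\d{1,3}(?:\.\d{1,3}){3})\((\d+)\) (on|off)$")


def parse_screen_output(text):
    """Return {'alarm_only': bool|None, 'udp_flood': dict|None} where udp_flood is
    {'enabled': bool, 'threshold': int, 'dst_ip': {ip: {'threshold': int, 'enabled': bool}}}."""
    result = {"alarm_only": None, "udp_flood": None}
    in_udp_block = False
    for line in text.splitlines():
        m = ALARM_ONLY_LINE.match(line)
        if m:
            result["alarm_only"] = m.group(1) == "ON"
            continue
        m = ZONE_LINE.match(line)
        if m:
            result["udp_flood"] = {"enabled": m.group(2) == "on",
                                   "threshold": int(m.group(1)), "dst_ip": {}}
            in_udp_block = True
            continue
        m = DST_LINE.match(line) if in_udp_block else None
        if m:
            result["udp_flood"]["dst_ip"][m.group(1)] = {
                "threshold": int(m.group(2)), "enabled": m.group(3) == "on"}
        elif in_udp_block and line.strip():
            in_udp_block = False   # a non-indented line ends the UDP flood block
    return result


def audit_udp_flood(text, max_zone_threshold, required_dst_ips=()):
    """Return a list of findings; an empty list means the zone matches policy."""
    findings = []
    parsed = parse_screen_output(text)
    if parsed["alarm_only"]:
        findings.append("alarm-only mode is ON: screens log but do not drop")
    udp = parsed["udp_flood"]
    if udp is None or not udp["enabled"]:
        findings.append("UDP flood protection is not enabled")
        return findings
    if udp["threshold"] > max_zone_threshold:
        findings.append(f"zone threshold {udp['threshold']} pps exceeds policy maximum {max_zone_threshold}")
    for ip in required_dst_ips:
        entry = udp["dst_ip"].get(ip)
        if entry is None or not entry["enabled"]:
            findings.append(f"no active per-destination threshold for {ip}")
    return findings


if __name__ == "__main__":
    print(parse_screen_output(SAMPLE_OUTPUT))
    print(audit_udp_flood(SAMPLE_OUTPUT, max_zone_threshold=2000, required_dst_ips=["192.168.5.1"]))
```

Run against the article's output with a policy maximum of 2000 pps and 192.168.5.1 required, the audit returns no findings; lowering the maximum or requiring a host that has no per-destination entry produces one finding per violation, which is what you want when the same check runs over every zone on every device.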

Note: Please be aware that a UDP flood attack may cause the CPU utilization to increase in certain circumstances.

The following article gives the list of screening features which can increase CPU utilization: KB8332 Which screening features can increase CPU utilization

On high-end devices there are ASIC-level screens as well as CPU-level screens; this article applies only to the CPU-level screens on those devices.


Modification History:

2017-03-29: Added a note in the solution that this article applies only to CPU-level screens on high-end devices.
