7004vbr logging *** UDP loop *** ???
Here's the message I found in the log:
08/24/2004 19:31:47 **UDP Loop** 126.96.36.199, 2884->> ***.***.***.***, 7 (from WAN Inbound)
08/24/2004 05:59:05 **UDP Loop** 188.8.131.52, 1255->> ***.***.***.***, 7 (from WAN Inbound)
Only two sources but several log entries. This is the first time I've seen this since I set up my network more than a year ago.
Can anyone shed any light on this?
Thanks for your time.
actions · 2004-Aug-24 9:16 pm · (locked)
White Plains, NY
This is also known as UDP flooding and is based on the fact that it is your port 7 being used (the * out IP is yours I take it). This is a denial of service attack where the attacker spoofs an address and attempts to cause the system to UDP echo data (port 7) to itself until the LAN is saturated or the packet is lost. The router sees the port 7 echo data and drops it like any other flood attempt. Therefore, the DoS attack doesn't work.
I have not seen that in a very long time.
edit: a better explanation - »www.attrition.org/security/denia···dos.html when Cisco was having this problem with their routers in the past: »www.attrition.org/security/denia···dos.html
actions · 2004-Aug-25 5:51 am · (locked)
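To see how many "UDP Loop" entries each source produced and over what time span, the router log can be tallied per source address. This is an added example, not part of the thread or of the router's firmware; the regular expression assumes the line layout of the two entries quoted in the first post, and the sample lines, addresses and the "Some Other Event" label are constructed.

```python
import re
from collections import defaultdict
from datetime import datetime

# Line layout assumed from the two log entries quoted in the first post.
LINE_RE = re.compile(
    r"^(?P<ts>\d{2}/\d{2}/\d{4} \d{2}:\d{2}:\d{2}) \*\*(?P<event>[^*]+)\*\* "
    r"(?P<src>\S+), (?P<sport>\d+)->> (?P<dst>\S+), (?P<dport>\d+) "
    r"\((?P<path>[^)]*)\)\s*$"
)
ECHO_PORT = 7  # UDP echo service (RFC 862), the port named in the log

def parse_line(line):
    """Return a dict for one log line, or None if it does not match."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    rec = m.groupdict()
    rec["ts"] = datetime.strptime(rec["ts"], "%m/%d/%Y %H:%M:%S")
    rec["sport"], rec["dport"] = int(rec["sport"]), int(rec["dport"])
    return rec

def summarize_udp_loops(lines):
    """Group 'UDP Loop' entries by source address."""
    by_src = defaultdict(list)
    for rec in filter(None, map(parse_line, lines)):
        if rec["event"].strip().lower() == "udp loop":
            by_src[rec["src"]].append(rec)
    summary = {}
    for src, recs in by_src.items():
        summary[src] = {
            "count": len(recs),
            "first": min(r["ts"] for r in recs),
            "last": max(r["ts"] for r in recs),
            "dst_ports": sorted({r["dport"] for r in recs}),
            "all_to_echo": all(r["dport"] == ECHO_PORT for r in recs),
        }
    return summary

# Constructed sample log: documentation addresses, destination masked as in the post.
SAMPLE = """\
08/24/2004 05:59:05 **UDP Loop** 192.0.2.10, 1255->> ***.***.***.***, 7 (from WAN Inbound)
08/24/2004 06:01:12 **UDP Loop** 192.0.2.10, 1256->> ***.***.***.***, 7 (from WAN Inbound)
08/24/2004 19:31:47 **UDP Loop** 198.51.100.7, 2884->> ***.***.***.***, 7 (from WAN Inbound)
08/24/2004 19:40:00 **Some Other Event** 198.51.100.7, 2885->> ***.***.***.***, 80 (from WAN Inbound)
""".splitlines()

if __name__ == "__main__":
    print(summarize_udp_loops(SAMPLE))
```

A source whose entries are few, short-lived and all aimed at port 7 matches the pattern described in the reply above; the source address itself may be spoofed, so the tally describes the traffic, not who sent it.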
Ok, thanks...I thought that might be the case. So it is happening as it should and I must suck it up if it is a DOS.
What if it is not a DOS and it's normal random traffic and my VBR's tolerance threshold is set too low? Maybe there is an Intrusion detection setting that I can change?
I've attached my settings.
I guess I'm reaching here since the two IPs that the UDP loop came from seem to be servers for an ISP and a communications company. One of which I have no internet relationship with except that I signed up for a long distance telephone plan. Is there anything they can do to filter the attack? Perhaps never send me or everyone any UDP packets above a certain tolerance directed at port 7 over a period of time?
Maybe this attack disappeared because servers routinely set up such a tolerance. Now they forgot about it and are dupes that facilitate the UDP flood because they don't control the volume of UDP traffic to other IPs. Again, I'm reaching.
I guess I should be happy the VBR resets ok and the UDP loop is short duration.
Anyway if there is anything you can suggest, I'd appreciate it.
thanks for your help.
actions · 2004-Aug-25 9:44 am · (locked)
Trying to post settings image file again...
actions · 2004-Aug-25 9:50 am · (locked)
Intrusion Detection thresholds
actions · 2004-Aug-25 9:54 am · (locked)
White Plains, NY
There really isn't anything else for you to do. Your settings are fine and we cannot be sure if the source IPs are even real ones, so contacting those admins wouldn't necessarily do any good. Probably either a script kiddie just randomly sending out these packets or some zombied machine doing it. They probably take a group of destination IPs, spoof different source IPs, send out the packets every so often and then move on just for the 'fun' of disruption - or not knowing what they are doing. It could start up again and then disappear the same way. Hopefully it won't have any effect on your Internet access and the router is doing its job as designed.
actions · 2004-Aug-25 10:59 am · (locked)
Thanks...just hoping there was something...didn't really expect there was anything. However, didn't want to leave any stones unturned.
all the best!
actions · 2004-Aug-25 3:01 pm · (locked)