topic Re: Zone protection UDP flood tuning in General Topics

Zone protection UDP flood tuning

MCmgt — Thu, 09 Oct 2014 18:16:23 GMT

So, UDP Flood protection on my untrusted zone kicked in for the first (and second) time last night. The end result was not passing traffic each time for about 5-10 minutes. I'm guessing that the CPU (2050) was just spinning its wheels the entire time. I'm just (blindly) using the default values:

admin@PA-2050-1(active)> show zone-protection zone outside

-------------------------------------------------------------------------------

Zone outside, vsys vsys1, profile SafeZoneProtect

-------------------------------------------------------------------------------

tcp-syn SYN cookies enabled: yes

alarm rate: 10000pps activate rate:1000000pps maximal rate:1000001pps

current: 2 packets dropped:0

-------------------------------------------------------------------------------

udp RED enabled: yes

alarm rate: 1000pps activate rate: 1000pps maximal rate: 4000pps

current: 7 packets dropped:0

-------------------------------------------------------------------------------

icmp RED enabled: yes

alarm rate: 1000pps activate rate: 1000pps maximal rate: 4000pps

current: 0 packets dropped:0

I am right in thinking that I should be decreasing the rate values so that RED activation and 100% drop kick in faster giving me some CPU to spare?

Re: Zone protection UDP flood tuning

ssharma — Thu, 09 Oct 2014 18:34:37 GMT

You need to increase your activate rate from 1000pps. What you are saying is alert me when udp traffic reaches 1000 packets per second. Normally activate rate would be higher than alert. With alert, you ask firewall to activate random early drop (RED), packet start to drop from this point. It will increase linearly until it reaches maximal rate. To explain if the packet reaches 25000 packets/sec or halfway between 10K to 40K, then 50% of all udp traffic would be dropped. Once it reaches 40K all udp packets would get drop.

If attack is targeted towards one specific host then you might also leverage DoS. Hope this helps. Thank you.

Re: Zone protection UDP flood tuning

hshah — Thu, 09 Oct 2014 18:55:02 GMT

Hi MCmgt,

It may not be a Zone protection issue, because current dropped packets are 0.

current: 7 packets dropped:0

Best idea would be to refer UDP traffic log of that time period. If you can provide us magnified view of log, than we might determine issue.

Regards,

Hardik Shah

Re: Re: Zone protection UDP flood tuning

MCmgt — Thu, 09 Oct 2014 19:13:49 GMT

I'm not sure why that says 0, but global counters look to have RED active:

flow_dos_red_udp 22712017 0 drop flow dos Packets dropped: Zone protection protocol 'udp' RED

flow_dos_red_icmp 5431 0 drop flow dos Packets dropped: Zone protection protocol 'icmp' RED

flow_dos_zone_red_act 22717448 0 drop flow dos Packets dropped: Activate zone RED threshold reached, random early drop

And the Threat Monitor looks like it's doing random drop:

Re: Zone protection UDP flood tuning

hshah — Thu, 09 Oct 2014 19:56:39 GMT

Hi MCmgt,

Its genuine drop by "Zone protection". It seems UDP traffic has exceeded configured limit. I would suggest to increase limit.

Regards,

Hardik Shah