Zone protection UDP flood tuning

L2 Linker

So, UDP Flood protection on my untrusted zone kicked in for the first (and second) time last night. The end result was not passing traffic each time for about 5-10 minutes. I'm guessing that the CPU (2050) was just spinning its wheels the entire time. I'm just (blindly) using the default values:

    admin@PA-2050-1(active)> show zone-protection zone outside
    -------------------------------------------------------------------------------
    Zone outside, vsys vsys1, profile SafeZoneProtect
    -------------------------------------------------------------------------------
      tcp-syn              SYN cookies enabled: yes
        alarm rate:  10000pps   activate rate:1000000pps   maximal rate:1000001pps
        current:         2   packets dropped:0
    -------------------------------------------------------------------------------
      udp                  RED enabled: yes
        alarm rate:   1000pps   activate rate:   1000pps   maximal rate:   4000pps
        current:         7   packets dropped:0
    -------------------------------------------------------------------------------
      icmp                 RED enabled: yes
        alarm rate:   1000pps   activate rate:   1000pps   maximal rate:   4000pps
        current:         0   packets dropped:0

Am I right in thinking that I should be decreasing the rate values so that RED activation and 100% drop kick in faster, giving me some CPU to spare?

L5 Sessionator

You need to increase your activate rate from 1000pps. What you are saying is "alert me when UDP traffic reaches 1000 packets per second." Normally the activate rate would be higher than the alert rate. With alert, you ask the firewall to activate random early drop (RED); packets start to drop from this point. It will increase linearly until it reaches the maximal rate. To explain: if the packet rate reaches 25000 packets/sec, or halfway between 10K and 40K, then 50% of all UDP traffic would be dropped. Once it reaches 40K, all UDP packets would get dropped.

If the attack is targeted towards one specific host, then you might also leverage DoS. Hope this helps. Thank you.
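The linear RED ramp described in the reply above, as an added example that is not part of the thread: a small Python script that parses the `show zone-protection zone outside` output quoted in the first post (a constructed copy is embedded) and computes, for a given offered rate, what fraction of UDP packets RED would drop between the Activate and Maximum rates, plus how much headroom sits between the Alarm and Activate thresholds. The straight-line interpolation is the model the reply states and is assumed here; Palo Alto's documentation only says RED drops progressively more packets as the rate approaches Maximum, so treat the exact fraction as illustrative. The function and regex names are my own, not PAN-OS API names.

```python
import re
from typing import Dict

# Constructed sample input: the default-profile output quoted in the first post.
SAMPLE_OUTPUT = """\
Zone outside, vsys vsys1, profile SafeZoneProtect
-------------------------------------------------------------------------------
  tcp-syn              SYN cookies enabled: yes
    alarm rate:  10000pps   activate rate:1000000pps   maximal rate:1000001pps
    current:         2   packets dropped:0
-------------------------------------------------------------------------------
  udp                  RED enabled: yes
    alarm rate:   1000pps   activate rate:   1000pps   maximal rate:   4000pps
    current:         7   packets dropped:0
-------------------------------------------------------------------------------
  icmp                 RED enabled: yes
    alarm rate:   1000pps   activate rate:   1000pps   maximal rate:   4000pps
    current:         0   packets dropped:0
"""

# Protocol header lines are indented exactly two spaces ("  udp  ..."); rate lines
# are indented four, so the third character is a space and this regex skips them.
PROTO_RE = re.compile(r"^  (?P<proto>\S+)\s")
RATE_RE = re.compile(
    r"alarm rate:\s*(?P<alarm>\d+)pps\s+activate rate:\s*(?P<activate>\d+)pps"
    r"\s+maximal rate:\s*(?P<maximal>\d+)pps"
)


def parse_zone_protection(text: str) -> Dict[str, Dict[str, int]]:
    """Parse 'show zone-protection' output into {proto: {alarm, activate, maximal}} in pps."""
    profile: Dict[str, Dict[str, int]] = {}
    proto = None
    for line in text.splitlines():
        m = PROTO_RE.match(line)
        if m:
            proto = m.group("proto")
            continue
        m = RATE_RE.search(line)
        if m and proto:
            profile[proto] = {k: int(v) for k, v in m.groupdict().items()}
    return profile


def red_drop_fraction(rate_pps: float, activate: int, maximal: int) -> float:
    """Fraction of packets RED drops at an offered rate under the linear-ramp model
    from the reply (assumption): 0 below Activate, 1 at or above Maximum, linear between."""
    if maximal <= activate:
        raise ValueError("maximal rate must exceed activate rate")
    if rate_pps <= activate:
        return 0.0
    if rate_pps >= maximal:
        return 1.0
    return (rate_pps - activate) / (maximal - activate)


def alarm_headroom(profile: Dict[str, Dict[str, int]]) -> Dict[str, int]:
    """pps between the Alarm and Activate thresholds per protocol.
    0 means the first alarm and the first RED drop happen at the same rate, which is
    what the default UDP and ICMP settings in the thread do."""
    return {p: r["activate"] - r["alarm"] for p, r in profile.items()}


def udp_drop_table(text: str, rates_pps) -> Dict[int, float]:
    """Drop fraction for each offered UDP rate, using the thresholds parsed from the CLI output."""
    udp = parse_zone_protection(text)["udp"]
    return {r: red_drop_fraction(r, udp["activate"], udp["maximal"]) for r in rates_pps}


if __name__ == "__main__":
    profile = parse_zone_protection(SAMPLE_OUTPUT)
    print("alarm->activate headroom (pps):", alarm_headroom(profile))
    for rate, frac in udp_drop_table(SAMPLE_OUTPUT, (500, 1000, 2500, 4000, 8000)).items():
        print(f"udp offered {rate:>6} pps -> RED drops {frac:6.1%}")
    # The reply's own worked numbers: 10K activate, 40K maximum, 25K offered -> 50% dropped.
    print("reply example:", red_drop_fraction(25000, 10000, 40000))
```

With the defaults, the script shows UDP headroom of 0 pps: the alarm fires at the same instant drops begin, which is the gap the reply is pointing at. Raising Activate above Alarm (and Maximum above Activate, sized for the zone's legitimate UDP peak) is what separates "tell me" from "start dropping", which matters most for a zone carrying DNS, NTP or VPN traffic that all looks like a UDP burst.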

L6 Presenter

Hi MCmgt,

It may not be a Zone protection issue, because current dropped packets are 0.

    current:         7   packets dropped:0


The best idea would be to refer to the UDP traffic log of that time period. If you can provide us a magnified view of the log, then we might determine the issue.

Regards,

Hardik Shah

L2 Linker

I'm not sure why that says 0, but global counters look to have RED active:

    flow_dos_red_udp                    22712017        0 drop      flow      dos       Packets dropped: Zone protection protocol 'udp' RED
    flow_dos_red_icmp                       5431        0 drop      flow      dos       Packets dropped: Zone protection protocol 'icmp' RED
    flow_dos_zone_red_act               22717448        0 drop      flow      dos       Packets dropped: Activate zone RED threshold reached, random early drop

And the Threat Monitor looks like it's doing random drop:

[Screenshot: Capture.JPG]

L6 Presenter

Hi MCmgt,

It's a genuine drop by "Zone protection". It seems UDP traffic has exceeded the configured limit. I would suggest increasing the limit.

Regards,

Hardik Shah
