Junos OS

  • 1.  Juniper SRX screen-options UDP threshold value

    Posted 04-05-2016 11:27

    Hi All,

    I am having trouble in deciding the appropriate threshold value for UDP floods.

    Lately my SRX CPU spiked to 100%, causing a lot of issues. I checked the logs and they indicated UDP packet drops.

    This caused a lot of logging, resulting in the eventd process going higher. I deactivated UDP and everything came back to normal.

    Please let me know how I can fix the issue. Do I need to check the BW usage of the users, or anything else?

    Also, what if I do not have UDP configured in the screen, will it have any attack?

    Below is the current configuration:

    Config

    set security screen ids-option Internet-screen udp flood threshold 2048
    set security screen ids-option Internet-screen udp udp-sweep threshold 1000



  • 2.  RE: Juniper SRX screen-options UDP threshold value

    Posted 04-05-2016 13:42
    I think the best way of achieving that goal is by adding the parameter "alarm-without-drop" to the ids commands. After that, collect statistics/logs and analyze them.

    [edit security screen]
    root@host# show
    ids-option test-screen {
        alarm-without-drop;
    }

    Also you can use the following to analyze logs:

    [edit security screen traceoptions]
    set file screen-trace
    set flag all

    All the best !


  • 3.  RE: Juniper SRX screen-options UDP threshold value
    Best Answer

    Posted 04-06-2016 00:36

    Hi Kunal,

    It will really depend on the traffic mix that is considered "normal" through your firewall.

    If you have (for example) VoIP traffic traversing your SRX, then each phone call would be 50 PPS of UDP, which would equate to 40 simultaneous calls to a single media gateway IP. In some enterprises that might not be considered a large amount, but in your case it would be enough to trigger the screen.

    I notice that your Screen is called internet-screen - if this is applied to an Internet-facing interface, it could also indicate large volumes of P2P traffic such as Skype or Bittorrent.

    I would recommend increasing the threshold (on udp flood, not udp sweep) to maybe around 10k PPS before enabling "alarm-without-logging", as this will still cause the same eventd CPU increase regardless of whether traffic is dropped.

    Hope this helps,



  • 4.  RE: Juniper SRX screen-options UDP threshold value

    Posted 04-15-2016 06:38

    Hi Abed & Ben,

    Firstly, apologies for the delayed response.

    Thank you for your inputs. Yes, I agree it depends on the traffic volume on the device, and accordingly I need to set up a threshold value. We have a lot of Voice & Video traffic, so it's really difficult to judge. Also, I agree that in case I permit the UDP packets and just have an alarm raised, it will spike my (eventd process) CPU again, as all the message logs are generated and stored on the device itself. I do not have a syslog in place as of now where I could send the logs.

    What's the ideal UDP flood attack in PPS? As I haven't come across that issue, I do not have much information on that. I could set the threshold to 10k, but I am not sure if the attack can occur below the threshold value. Sorry if it's illogical.

    Also, I have IDP Signature with the recommended policy in place and applied on security policies.

    Will the UDP DOS or DDOS attack be taken care of? Do I need Screening as an additional security feature?

    Please let me know your suggestions/recommendations on this. Appreciate your help.

    Thanks,

    Kunal Tupe



  • 5.  RE: Juniper SRX screen-options UDP threshold value

    Posted 04-21-2016 19:03

    Hi Kunal,

    @Kunal Tupe wrote:

    What's the ideal UDP flood attack in PPS? As I haven't come across that issue, I do not have much information on that. I could set the threshold to 10k, but I am not sure if the attack can occur below the threshold value. Sorry if it's illogical.

    Think of it in reverse - what rate of UDP traffic is "normal" for my network? Anything above this is abnormal and should be filtered by Screens.

    @Kunal Tupe wrote:

    Also, I have IDP Signature with the recommended policy in place and applied on security policies.

    Will the UDP DOS or DDOS attack be taken care of? Do I need Screening as an additional security feature?

    Please let me know your suggestions/recommendations on this. Appreciate your help.

    Thanks,

    Kunal Tupe

    IDP and Screens are not mutually exclusive - I would definitely leave both in place. Screens filter out a lot of traffic before it hits the Policy/IDP engine, so you end up only having to inspect/forward the traffic that is not anomalous.

    Cheers,

    Ben



  • 6.  RE: Juniper SRX screen-options UDP threshold value

    Posted 05-03-2016 16:16

    Hi Ben,

    Sorry for the late reply.

    Thanks a lot for the explanation. I will have the threshold value set to 10K and observe the performance.

    Will get back to you if I need any more assistance. Thanks for your help :)

    Thanks,

    Kunal Tupe



  • 7.  RE: Juniper SRX screen-options UDP threshold value

    Posted 05-04-2016 14:55

    You can also use the alarm-without-drop option to get logs first and then investigate the traffic. This can give you higher confidence that you will block only bad actors when you turn the feature on at the levels you choose.
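A worked example of the sizing approach Ben gives in replies 3 and 5 (start from the UDP rate that is normal for your network, using 50 PPS per VoIP call, and check what the current 2048 threshold would trip on), added to this thread and not Juniper's or any poster's code. The per-second counts, destination IPs, 2.0x headroom and 512-packet rounding are constructed assumptions; replace the baseline with your own sampled counts.

```python
from collections import defaultdict
from math import ceil

# From reply 3: one VoIP call is roughly 50 UDP packets per second.
PPS_PER_CALL = 50

# Constructed baseline: (second, destination IP, UDP packets to it in that second).
# In practice this comes from a packet/flow sample taken during a normal busy period.
BASELINE = [
    (0, "10.0.0.10", 1800), (0, "10.0.0.20", 300),
    (1, "10.0.0.10", 2600), (1, "10.0.0.20", 280),  # ~52 concurrent calls to one gateway
    (2, "10.0.0.10", 2300), (2, "10.0.0.20", 310),
    (3, "10.0.0.10", 1900), (3, "10.0.0.20", 290),
]


def _packets_per_second(samples):
    """Aggregate to {(destination, second): packets}, the unit the udp flood screen counts."""
    per_second = defaultdict(int)
    for second, dst, packets in samples:
        per_second[(dst, second)] += packets
    return per_second


def peak_pps_per_destination(samples):
    """Busiest single second observed for each destination IP."""
    peaks = defaultdict(int)
    for (dst, _), packets in _packets_per_second(samples).items():
        peaks[dst] = max(peaks[dst], packets)
    return dict(peaks)


def seconds_over_threshold(samples, threshold_pps):
    """(destination, second) pairs where normal traffic alone would trip the screen."""
    return sorted(k for k, p in _packets_per_second(samples).items() if p > threshold_pps)


def recommend_threshold(samples, headroom=2.0, round_to=512):
    """Busiest normal destination times a headroom factor, rounded up to a tidy value."""
    busiest = max(peak_pps_per_destination(samples).values())
    return ceil(busiest * headroom / round_to) * round_to


def calls_under_threshold(threshold_pps, pps_per_call=PPS_PER_CALL):
    """Simultaneous calls to one media gateway IP that fit under a threshold."""
    return threshold_pps // pps_per_call


if __name__ == "__main__":
    print("peak pps per destination:", peak_pps_per_destination(BASELINE))
    print("seconds tripping 2048 pps:", seconds_over_threshold(BASELINE, 2048))
    print("recommended threshold:", recommend_threshold(BASELINE))
    print("calls allowed at 2048 / 10000 pps:", calls_under_threshold(2048), calls_under_threshold(10000))
```

With the constructed baseline, the existing 2048 threshold trips twice on ordinary call volume while 10000 never does, which is the pattern Kunal reported.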