UDP and ICMP Flood Protection | SonicWall (2024)

08/17/2021 · 293 People found this article helpful · 133,579 Views

Description

UDP and ICMP Flood attacks are a type of denial-of-service (DoS) attack. They are initiated by sending a large number of UDP or ICMP packets to a remote host. As a result, the victimized system's resources will be consumed with handling the attacking packets, which eventually causes the system to be unreachable by other clients.

SonicWall UDP and ICMP Flood Protection defends against these attacks by using a watch-and-block method. The appliance monitors UDP or ICMP traffic to a specified destination or to any destination. If the rate of UDP or ICMP packets per second exceeds the allowed threshold for a specified duration of time, the appliance drops subsequent UDP or ICMP packets to protect against a flood attack.

UDP packets that are DNS query or responses to or from a DNS server configured by the appliance are allowed to pass, regardless of the state of UDP Flood Protection.

Resolution

For UDP Flood Protection Option (GUI)

  1. Click MANAGE and then navigate to Firewall Settings | Flood Protection.
  2. On the top bar, click UDP.
  3. Under UDP Flood Protection, enable the checkbox Enable UDP Flood Protection.
  4. The following settings configure UDP Flood Protection.
    • UDP Flood Attack Threshold (UDP Packets / Sec): The rate of UDP packets per second sent to a host, range or subnet that triggers UDP Flood Protection. The threshold must be set carefully, as too small a threshold may affect unintended traffic and too large a threshold may not effectively protect from an attack. The default value is 1000.
    • UDP Flood Attack Blocking Time (Sec): After the appliance detects the rate of UDP packets exceeding the attack threshold for this duration of time, UDP Flood Protection is activated, and the appliance will begin dropping subsequent UDP packets.
    • UDP Flood Attack Protected Destination List: The destination address object or address group that will be protected from UDP Flood attack. If the destination target is random, set this field to Any.
  5. Click Accept.
    The following log messages will be generated when SonicWall detects a UDP Flood attack. The logs can be filtered by Category Firewall Settings and Group Flood Protection.

UDP Flood Protection can also be configured from the CLI.

  1. Log in to the CLI.
  2. Enter Configuration mode.
  3. Enter the following commands to enable UDP Flood Protection.

config(C0xxxxxxxx38)# udp
(config-udp)# flood-protection
(config-udp)# commit best-effort
(config-udp)# exit

To disable UDP Flood Protection:

(config-udp)# no flood-protection
(config-udp)# commit best-effort

Additional options in the UDP prompt

  • default-connection-timeout #Set default UDP connection timeout in minutes.
  • flood-attack-threshold #Set UDP Flood Attack Threshold (UDP Packets / Sec).
  • flood-block-timeout #Set UDP Flood Attack Blocking Time (Sec).
  • flood-protected-dest-list #Set UDP flood attack protected destination list.
  • flood-protection #Enable UDP flood protection.

For ICMP Flood Protection Option

  1. Click MANAGE and then navigate to Firewall Settings | Flood Protection.
  2. On the top bar, click ICMP.
  3. Under ICMP Flood Protection, enable the checkbox Enable ICMP Flood Protection.
  4. The following settings configure ICMP Flood Protection.
    • ICMP Flood Attack Threshold (ICMP Packets / Sec): The rate of ICMP packets per second sent to a host, range or subnet that triggers ICMP Flood Protection. The threshold must be set carefully, as too small a threshold may affect unintended traffic and too large a threshold may not effectively protect from an attack. The default value is 200.
    • ICMP Flood Attack Blocking Time (Sec): After the appliance detects the rate of ICMP packets exceeding the attack threshold for this duration of time, ICMP Flood Protection is activated, and the appliance will begin dropping subsequent ICMP packets.
    • ICMP Flood Attack Protected Destination List: The destination address object or address group that will be protected from ICMP Flood attack.
  5. Click Accept.
    The following log messages will be generated when SonicWall detects an ICMP Flood attack. The logs can be filtered by Category Firewall Settings and Group Flood Protection.

UDP Traffic Statistics

The UDP Traffic Statistics table provides statistics on the following.

  • Connections Opened: Incremented when a UDP connection initiator sends a SYN, or a UDP connection responder receives a SYN.
  • Connections Closed: Incremented when a UDP connection is closed, when both the initiator and the responder have sent a FIN and received an ACK.
  • Total UDP Packets: Incremented with every processed UDP packet.
  • Validated Packets Passed: Incremented under the following conditions:
    • When a UDP packet passes checksum validation (while UDP checksum validation is enabled).
    • When a valid SYN packet is encountered (while SYN Flood Protection is enabled).
    • When a SYN Cookie is successfully validated on a packet with the ACK flag set (while SYN Flood Protection is enabled).
  • Malformed Packets Dropped: Incremented under the following conditions:
    • When the UDP checksum fails validation (while UDP checksum validation is enabled).
    • When the UDP SACK Permitted (Selective Acknowledgment, see RFC 1072) option is encountered, but the calculated option length is incorrect.
    • When the UDP MSS (Maximum Segment Size) option is encountered, but the calculated option length is incorrect.
    • When the UDP SACK option data is calculated to be either less than the minimum of 6 bytes, or modulo incongruent to the block size of 4 bytes.
    • When the UDP option length is determined to be invalid.
    • When the UDP header length is calculated to be less than the minimum of 20 bytes.
    • When the UDP header length is calculated to be greater than the packet's data length.
  • UDP Floods In Progress: The number of individual forwarding devices that are currently exceeding the UDP Flood Attack Threshold.
  • Total UDP Floods Detected: The total number of events in which a forwarding device has exceeded the UDP Flood Attack Threshold.
  • Total UDP Flood Packets Rejected: The total number of packets dropped because of UDP Flood Attack detection.
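The watch-and-block method described in the Description, and the flood counters listed above, can be modelled to see how the threshold, blocking time, protected destination list and DNS exemption interact. The following Python is an added example, not SonicWall code, and makes these assumptions: the watch is keyed per destination address (the page counts "forwarding devices"); packets start being dropped once every one of the previous `blocking_time` whole seconds exceeded the threshold; dropping continues only while that condition holds; UDP port 53 traffic to or from a configured DNS server passes uncounted; and the threshold is scaled down to 5 packets/sec (the product default is 1000) so the constructed sample traffic stays small.

```python
"""Watch-and-block flood protection model (added example, not SonicWall code)."""
from collections import defaultdict
from dataclasses import dataclass, field
from typing import Optional


@dataclass(frozen=True)
class Packet:
    ts: float          # arrival time in seconds
    proto: str         # "udp" or "icmp"
    src: str
    dst: str
    sport: int = 0     # UDP only
    dport: int = 0     # UDP only


@dataclass
class FloodProtection:
    proto: str                                   # protocol this instance watches
    threshold: int                               # attack threshold, packets/sec
    blocking_time: int                           # seconds the rate must stay above threshold
    protected_dests: Optional[frozenset] = None  # None models the "Any" setting
    dns_servers: frozenset = frozenset()         # hypothetical: DNS servers configured on the appliance
    total_packets: int = 0                       # "Total UDP Packets"
    floods_detected: int = 0                     # "Total UDP Floods Detected"
    packets_rejected: int = 0                    # "Total UDP Flood Packets Rejected"
    _counts: dict = field(default_factory=lambda: defaultdict(lambda: defaultdict(int)))  # dst -> second -> packets
    _blocking: set = field(default_factory=set)  # destinations currently being dropped

    def __post_init__(self):
        if self.blocking_time < 1:
            raise ValueError("blocking_time must be at least 1 second")

    def _is_exempt_dns(self, p: Packet) -> bool:
        # Assumption: DNS is UDP/53 exchanged with a configured DNS server.
        return (p.proto == "udp" and 53 in (p.sport, p.dport)
                and (p.src in self.dns_servers or p.dst in self.dns_servers))

    def _over_for_duration(self, dst: str, sec: int) -> bool:
        """True when each of the previous blocking_time seconds exceeded the threshold."""
        c = self._counts[dst]
        return all(c.get(sec - k, 0) > self.threshold for k in range(1, self.blocking_time + 1))

    def process(self, p: Packet) -> bool:
        """Return True if the packet is forwarded, False if it is dropped."""
        if p.proto != self.proto:
            return True                      # not this protection's traffic
        self.total_packets += 1
        if self.protected_dests is not None and p.dst not in self.protected_dests:
            return True                      # destination not in the protected list
        if self._is_exempt_dns(p):
            return True                      # DNS passes regardless of flood state
        sec = int(p.ts)
        self._counts[p.dst][sec] += 1
        if self._over_for_duration(p.dst, sec):
            if p.dst not in self._blocking:  # a new flood event starts
                self._blocking.add(p.dst)
                self.floods_detected += 1
            self.packets_rejected += 1
            return False
        self._blocking.discard(p.dst)        # rate fell back under threshold
        return True

    def floods_in_progress(self) -> int:
        """Equivalent of "UDP Floods In Progress"."""
        return len(self._blocking)


def constructed_traffic():
    """Constructed sample traffic; not captured from any appliance."""
    pkts = []
    for sec in range(6):                     # 2 pps of legitimate UDP to 10.0.0.10
        for i in range(2):
            pkts.append(Packet(sec + i / 2, "udp", "192.0.2.1", "10.0.0.10", 40000, 5060))
    for sec in range(1, 5):                  # 20 pps burst to 10.0.0.20 during seconds 1-4
        for i in range(20):
            pkts.append(Packet(sec + i / 20, "udp", "198.51.100.7", "10.0.0.20", 40001, 9))
    for sec in range(6):                     # 20 pps of DNS queries to the configured DNS server
        for i in range(20):
            pkts.append(Packet(sec + i / 20, "udp", "192.0.2.2", "10.0.0.53", 40002, 53))
    return sorted(pkts, key=lambda p: p.ts)


def run(threshold: int = 5, blocking_time: int = 2, protected: Optional[frozenset] = None) -> dict:
    """Replay the constructed traffic and return the flood counters."""
    fp = FloodProtection("udp", threshold, blocking_time, protected,
                         dns_servers=frozenset({"10.0.0.53"}))
    forwarded = sum(fp.process(p) for p in constructed_traffic())
    return {"total": fp.total_packets, "forwarded": forwarded,
            "rejected": fp.packets_rejected, "floods_detected": fp.floods_detected,
            "in_progress": fp.floods_in_progress()}


if __name__ == "__main__":
    print(run())
```

With the defaults above, the burst to 10.0.0.20 is forwarded during seconds 1 and 2 (the rate has not yet been over the threshold for two full seconds) and dropped during seconds 3 and 4, while the higher-rate DNS stream is never counted. Raising the threshold above the burst rate, or restricting the protected list to 10.0.0.10, produces no drops at all, which is the trade-off the threshold guidance on this page describes.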

ICMP Traffic Statistics

  • The ICMP traffic statistics table provides the same categories of information as the UDP traffic statistics above.

Resolution for SonicOS 6.2 and Below

The resolution below is for customers using SonicOS 6.2 and earlier firmware. For firewalls that are generation 6 and newer, we suggest upgrading to the latest general release of SonicOS 6.5 firmware.

Configuring UDP Flood Protection (GUI)

  1. Log in to the SonicWall management GUI.
  2. Navigate to the Firewall Settings | Flood Protection page.
  3. Under UDP Flood Protection, enable the checkbox Enable UDP Flood Protection.
  4. The following settings configure UDP Flood Protection.
    • UDP Flood Attack Threshold (UDP Packets / Sec): The rate of UDP packets per second sent to a host, range or subnet that triggers UDP Flood Protection. The threshold must be set carefully, as too small a threshold may affect unintended traffic and too large a threshold may not effectively protect from an attack. The default value is 1000.
    • UDP Flood Attack Blocking Time (Sec): After the appliance detects the rate of UDP packets exceeding the attack threshold for this duration of time, UDP Flood Protection is activated, and the appliance will begin dropping subsequent UDP packets.
    • UDP Flood Attack Protected Destination List: The destination address object or address group that will be protected from UDP Flood attack. If the destination target is random, set this field to Any.
  5. Click Accept.

    The following log messages will be generated when SonicWall detects a UDP Flood attack. The logs can be filtered by Category Firewall Settings and Group Flood Protection.

Configuring UDP Flood Protection (CLI)

  1. Log in to the CLI.
  2. Enter Configuration mode.
  3. Enter the following commands to enable UDP Flood Protection.

config(C0xxxxxxxx38)# udp
(config-udp)# flood-protection
(config-udp)# commit best-effort
(config-udp)# exit

To disable UDP Flood Protection:

(config-udp)# no flood-protection
(config-udp)# commit best-effort

Additional options in the UDP prompt

  • default-connection-timeout #Set default UDP connection timeout in minutes.
  • flood-attack-threshold #Set UDP Flood Attack Threshold (UDP Packets / Sec).
  • flood-block-timeout #Set UDP Flood Attack Blocking Time (Sec).
  • flood-protected-dest-list #Set UDP flood attack protected destination list.
  • flood-protection #Enable UDP flood protection.

Configuring ICMP Flood Protection

  1. Log in to the SonicWall management GUI.
  2. Navigate to the Firewall Settings | Flood Protection page.
  3. Under ICMP Flood Protection, enable the checkbox Enable ICMP Flood Protection.
  4. The following settings configure ICMP Flood Protection.
    • ICMP Flood Attack Threshold (ICMP Packets / Sec): The rate of ICMP packets per second sent to a host, range or subnet that triggers ICMP Flood Protection. The threshold must be set carefully, as too small a threshold may affect unintended traffic and too large a threshold may not effectively protect from an attack. The default value is 200.
    • ICMP Flood Attack Blocking Time (Sec): After the appliance detects the rate of ICMP packets exceeding the attack threshold for this duration of time, ICMP Flood Protection is activated, and the appliance will begin dropping subsequent ICMP packets.
    • ICMP Flood Attack Protected Destination List: The destination address object or address group that will be protected from ICMP Flood attack.
  5. Click Accept at the top.
    The following log messages will be generated when SonicWall detects an ICMP Flood attack. The logs can be filtered by Category Firewall Settings and Group Flood Protection.

UDP Traffic Statistics

The UDP Traffic Statistics table provides statistics on the following:

  • Connections Opened Incremented when a UDP connection initiator sends a SYN, or a UDP connection responder receives a SYN.
  • Connections Closed Incremented when a UDP connection is closed when both the initiator and the responder have sent a FIN and received an ACK.
  • Total UDP Packets Incremented with every processed UDP packet.
  • Validated Packets Passed Incremented under the following conditions.
    • When a UDP packet passes checksum validation (while UDP checksum validation is enabled).
    • When a valid SYN packet is encountered (while SYN Flood protection is enabled).
    • When a SYN Cookie is successfully validated on a packet with the ACK flag set (while SYN Flood protection is enabled).
  • Malformed Packets Dropped - Incremented under the following conditions:
    • When UDP checksum fails validation (while UDP checksum validation is enabled).
    • When the UDP SACK Permitted (Selective Acknowledgment, see RFC 1072) option is encountered, but the calculated option length is incorrect.
    • When the UDP MSS (Maximum Segment Size) option is encountered, but the calculated option length is incorrect.
    • When the UDP SACK option data is calculated to be either less than the minimum of 6 bytes, or modulo incongruent to the block size of 4 bytes.
    • When the UDP option length is determined to be invalid.
    • When the UDP header length is calculated to be less than the minimum of 20 bytes.
    • When the UDP header length is calculated to be greater than the packet's data length.
  • UDP Floods In Progress The number of individual forwarding devices that are currently exceeding the UDP Flood attack Threshold.
  • Total UDP Floods Detected The total number of events in which a forwarding device has exceeded the UDP Flood Attack Threshold.
  • Total UDP Flood Packets Rejected The total number of packets dropped because of UDP Flood attack detection.

ICMP Traffic Statistics

  • The ICMP traffic statistics table provides the same categories of information as the UDP traffic statistics above.


Categories

  • Firewalls > NSa Series > Networking
  • Firewalls > NSv Series > Networking
  • Firewalls > TZ Series > Networking


FAQs


Can UDP packets be used in flooding attacks? ›

A UDP flood is a form of volumetric Denial-of-Service (DoS) attack where the attacker targets and overwhelms random ports on the host with IP packets containing User Datagram Protocol (UDP) packets. In this type of attack, the host looks for applications associated with these datagrams.

What is UDP flood attack filtering? ›

“UDP flood” is a type of Denial of Service (DoS) attack in which the attacker overwhelms random ports on the targeted host with IP packets containing UDP datagrams. The receiving host checks for applications associated with these datagrams and—finding none—sends back a “Destination Unreachable” packet.

How is a UDP flood attack mitigated? ›

At the most fundamental level, most functioning systems attempt to mitigate UDP flood attacks by slowing down ICMP responses. However, such indiscriminate segregation will have an impact on legitimate traffic. In general, UDP mitigation strategies rely on firewalls to sift through or stop malicious UDP packets.

What is ICMP used for? ›

The Internet Control Message Protocol (ICMP) is a protocol that devices within a network use to communicate problems with data transmission. In this ICMP definition, one of the primary ways in which ICMP is used is to determine if data is getting to its destination and at the right time.

What is difference between UDP and TCP? ›

TCP is a connection-oriented protocol, whereas UDP is a connectionless protocol. A key difference between TCP and UDP is speed, as TCP is comparatively slower than UDP. Overall, UDP is a much faster, simpler, and efficient protocol, however, retransmission of lost data packets is only possible with TCP.

What is ICMP flood? ›

Ping flood, also known as ICMP flood, is a common Denial of Service (DoS) attack in which an attacker takes down a victim's computer by overwhelming it with ICMP echo requests, also known as pings.

Are DDoS attacks TCP or UDP? ›

The most common DDoS method by far is the UDP flood – the acronym UDP meaning User Datagram Protocol. Normally, it forms a part of the internet communication similar to the more commonly known TCP.

What is UDP storm? ›

A UDP flood attack is a volumetric denial-of-service (DoS) attack using the User Datagram Protocol (UDP), a sessionless/connectionless computer networking protocol. Using UDP for denial-of-service attacks is not as straightforward as with the Transmission Control Protocol (TCP).

What is UDP amplification attack? ›

Overview. A distributed reflective denial-of-service (DRDoS) is a form of distributed denial-of-service (DDoS) attack that relies on publicly accessible UDP servers and bandwidth amplification factors (BAFs) to overwhelm a victim's system with UDP traffic.

How do you stop UDP flood attacks in FortiGate? ›

When the amount of traffic of a flood is really high, the only option to stop it is to request your ISP or ask the administrator of the upstream router, to configure a black-hole router to the IP attacked that will prevent the transfer of this traffic to the FortiGate interface.

What is UDP ping pong attack? ›

UDP Flood (Ping-Pong) Attack:
  • A UDP flood attack takes advantage of the chargen and echo ports, which are used legitimately to test hosts and networks.
  • The attacker sends a malformed UDP packet to the chargen port (19) of host A, with the source address of host B and the source port set to echo (7).

How does ICMP flood work? ›

A ping flood, or ICMP flood attack, is a denial-of-service attack that restricts legitimate access to devices on a network. Such an attack works by overwhelming the victim device with ICMP request (ping) commands over the network, making it impossible for the victim to send ICMP responses in time.

How is ICMP used in DDoS attacks? ›

The DDoS form of a Ping (ICMP) Flood can be broken down into 2 repeating steps: The attacker sends many ICMP echo request packets to the targeted server using multiple devices. The targeted server then sends an ICMP echo reply packet to each requesting device's IP address as a response.

What is ICMP port? ›

ICMP has no concept of ports, as TCP and UDP do, but instead uses types and codes. Commonly used ICMP types are echo request and echo reply (used for ping) and time to live exceeded in transit (used for traceroute).

What is ICMP spoofing? ›

ICMP Ping Spoofing Attack

The victim's source IP is spoofed by the attacker when sending a ping to the server. Because the source IP is spoofed, the server takes it as the original IP, and hence the ping reply is sent to the victim instead of to the attacker who sent the actual ping request.

Article information

Author: Kerri Lueilwitz

Last Updated:

Views: 5865

Rating: 4.7 / 5 (67 voted)

Reviews: 82% of readers found this page helpful
