TCP/UDP Flood
TCP and UDP flood attacks are volumetric attacks that send massive numbers of packets to consume network bandwidth and resources. They abuse the TCP and UDP protocols themselves rather than any application-layer flaw.
The following table lists the system and auto rules that are used to mitigate TCP/UDP floods on your advanced appliance. For information about the parameters, see Overview of Packet Flow.
Rule ID | Rule Type | Rule Name | Description | Enable Condition | Parameters | Comments |
---|---|---|---|---|---|---|
130000100 | System | WARN about high rate inbound UDP DNS queries | This rule warns about any source IP that sends inbound UDP DNS packets at a rate that equals or exceeds the Packets per second value. | Disabled by default | Packets per second (default = 40); Rate algorithm (default = rate limiting); Events per second (default = 1) | Use this rule together with rule 130000200 to adjust the warning and blocking rate thresholds. This rule only sends alerts when the packet rate equals or exceeds the low threshold (Packets per second for this rule). When the packet rate reaches or exceeds the high threshold (Packets per second for rule 130000200), rule 130000200 is triggered. NOTE: The Packets per second configured for this rule should be less than that of rule 130000200. |
130000200 | System | WARN & BLOCK high rate inbound UDP DNS queries | This rule warns if any source IP sends inbound UDP DNS packets at a rate that equals the Packets per second value. If the rate exceeds this value, the appliance allows traffic up to the rate limit and then blocks traffic from this source IP for the remainder of the Drop interval. | Disabled by default | Packets per second (default = 1000); Drop interval (default = 5 seconds); Rate algorithm (default = rate limiting); Events per second (default = 1) | Consider tuning Packets per second to a higher value for NATed environments, static forwarders, and VPN concentrators, where many clients share one source IP. This rule may be triggered if Packets per second is lower than that in the custom rules created using the rate limiting templates. NOTE: The Packets per second value for this rule must be higher than that for rule 130000100. |
130000300 | System | WARN about high rate inbound TCP DNS queries | This rule warns about any source IP that sends inbound TCP DNS packets at a rate that equals or exceeds the Packets per second value. | Disabled by default | Packets per second (default = 5); Rate algorithm (default = rate limiting); Events per second (default = 1) | Use this rule together with rule 130000400 to adjust the warning and blocking rate thresholds. This rule only sends alerts when the packet rate equals or exceeds the low threshold (Packets per second for this rule). When the packet rate reaches or exceeds the high threshold (Packets per second for rule 130000400), rule 130000400 is triggered. NOTE: The Packets per second configured for this rule should be less than that of rule 130000400. |
130000400 | System | WARN & BLOCK high rate inbound TCP DNS queries | This rule warns if any source IP sends inbound TCP DNS packets at a rate that equals the Packets per second value. If the rate exceeds this value, the appliance allows traffic up to the rate limit and then blocks traffic from this source IP for the remainder of the Drop interval. | Disabled by default | Packets per second (default = 1000); Drop interval (default = 10 seconds); Rate algorithm (default = rate limiting); Events per second (default = 1) | Consider tuning Packets per second to a higher value for NATed environments, static forwarders, and VPN concentrators, where many clients share one source IP. This rule may be triggered if Packets per second is lower than that in the custom rules created using the rate limiting templates. |
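As an added illustration (not the appliance's code), the following Python model shows how the warn/block rule pair in the table behaves on a per-source-IP basis: the low threshold only warns, the high threshold allows traffic up to the limit and then drops the source for the Drop interval. It assumes fixed one-second counting windows and that the Drop interval starts the moment the limit is exceeded; the source IPs and packet counts in the trace are constructed.

```python
from collections import defaultdict

# Defaults taken from rules 130000100 / 130000200 (inbound UDP DNS).
WARN_PPS = 40        # low threshold: warn only
BLOCK_PPS = 1000     # high threshold: allow up to this rate, then block
DROP_INTERVAL = 5.0  # seconds the source stays blocked

class DnsRateGuard:
    """Illustrative per-source-IP warn/block rate limiter (not the appliance's code).
    Assumption: packets are counted in fixed one-second windows, and the drop
    interval starts the moment a source exceeds the block threshold."""

    def __init__(self, warn_pps=WARN_PPS, block_pps=BLOCK_PPS, drop_interval=DROP_INTERVAL):
        self.warn_pps, self.block_pps, self.drop_interval = warn_pps, block_pps, drop_interval
        self.counts = defaultdict(int)  # (src_ip, second) -> packets seen in that window
        self.blocked_until = {}         # src_ip -> timestamp until which packets are dropped

    def packet(self, src_ip, ts):
        """Classify one packet at time ts: 'allow', 'warn', 'block' or 'drop'."""
        if ts < self.blocked_until.get(src_ip, 0.0):
            return "drop"               # still inside the drop interval
        self.counts[(src_ip, int(ts))] += 1
        n = self.counts[(src_ip, int(ts))]
        if n > self.block_pps:          # rule 130000200: limit exceeded -> block the source
            self.blocked_until[src_ip] = ts + self.drop_interval
            return "block"
        if n >= self.warn_pps:          # rule 130000100: low threshold reached -> warn only
            return "warn"
        return "allow"

def replay(packets, guard=None):
    """Replay (src_ip, ts) packets in time order; return the number of packets per verdict."""
    guard = guard or DnsRateGuard()
    tally = defaultdict(int)
    for src_ip, ts in sorted(packets, key=lambda p: p[1]):
        tally[guard.packet(src_ip, ts)] += 1
    return dict(tally)

def constructed_trace():
    """Constructed sample: 10.0.0.5 bursts 1200 queries in second 0, retries 100 in
    second 2 (inside the drop interval) and 100 in second 6; 10.0.0.9 sends 50 in second 0."""
    trace = [("10.0.0.5", i / 1200) for i in range(1200)]
    trace += [("10.0.0.5", 2 + i / 100) for i in range(100)]
    trace += [("10.0.0.5", 6 + i / 100) for i in range(100)]
    trace += [("10.0.0.9", i / 50) for i in range(50)]
    return trace

if __name__ == "__main__":
    print(replay(constructed_trace()))  # {'allow': 117, 'warn': 1033, 'block': 1, 'drop': 299}
```

With the defaults, 10.0.0.9 never reaches the block threshold and only generates warnings, while 10.0.0.5 is served up to the 1000-packet limit, then dropped until the 5-second interval has elapsed, after which its traffic is counted afresh.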