Buy or Renew
Buy or Renew
Cisco + Splunk: It’s a new day for your data. Learn more.
 
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
1764
Views
0
Helpful
3
Replies

RVS4000 ...IPS ....DDOS_TYPE_UDP_FLOOD

witness34
Level 1
Level 1

‎01-30-2012 09:19 PM

Can anyone help with this? we found when client's use our game servers the router ips reports DDOS_TYPE_UDP_FLOOD here some of what we are seeing and some time our own lan ip sometime show's up in the list we host gaming servers and teamspeaks servers

1 2012-01-30 18:26:41 DDOS_TYPE_UDP_FLOOD 186.82.86.23

2 2012-01-30 18:26:40 DDOS_TYPE_UDP_FLOOD 186.30.169.152

3 2012-01-30 18:26:39 DDOS_TYPE_UDP_FLOOD 69.171.166.204

4 2012-01-30 18:26:38 DDOS_TYPE_UDP_FLOOD 201.184.106.177

5 2012-01-30 18:26:37 DDOS_TYPE_UDP_FLOOD 50.52.168.176

6 2012-01-30 18:26:36 DDOS_TYPE_UDP_FLOOD 24.89.59.53

7 2012-01-30 18:26:35 DDOS_TYPE_UDP_FLOOD 50.52.168.176

8 2012-01-30 18:26:34 DDOS_TYPE_UDP_FLOOD 186.30.169.152

will this damage anything or is this ok with the amount of traffic we are seeing some time up to 300 on a report per day everything is working fine

would like to stop it if it can be done Thanks Robert

Labels:
0 Helpful
3 Replies 3

AJ Cohen
Level 1
Level 1

‎02-01-2012 12:00 PM

Robert, I'm not an expert in this area, but IPS is detecting these UDP datagrams as an attack.  I take it that these hits are from your game customers.  If nothing else, it will definitely be a performance hit because your router is busy handling these instead of ignoring them.

You have to determine if it is safe to turn off IPS (do you have back-end firewall security?), and additionally, if you use it, make sure you have the latest version, which I believe is 1.50.  Look in the information section under IPS on your router for the version #.

I hope this helps.

0 Helpful

witness34
Level 1
Level 1
In response to AJ Cohen

‎02-01-2012 04:34 PM

Thank you  AJ for the help we turn off ips and everything is working good  we are running Signature Version: 1.42  Firmware Version: V2.0.2.7 we are a non profit we supply servers to over 800 kid's through out the world all free services we are new to all this.... how do we update to 1.50 and a link to download it .....

0 Helpful

AJ Cohen
Level 1
Level 1
In response to witness34

‎02-01-2012 05:12 PM

Hi Robert.

You're welcome, and I think what you are doing for the kids is great.

The 1.50 download is here in Cisco's support area.  It is a little hard to navigate to, but once you get there, just download the zip file and extract the 2 files that are in it.  Read the readme file and then use the IPS menu on the router to navigate to the file and update the signatures that it describes to block attackers.

If you can't find it, google "RVS4000_WRVS4400N_IPS_Signature_v1.50.zip"

Once you install it, check the log to see if it is still triggering against these (it probably will because there are so many simultaneous UDP packets from different IPs.).  There may be a way in the Firewall portion of the router to enable these UDP connections, but that kindof bypasses the concept of IPS.  It is going to be a decision for you to make, whether to keep it enabled or not.  If you have a good firewall on your server(s) behind the router, then you can probably disable it, but my feeling is it is best to stop intruders at the front gate, not at the kitchen door.  In this case, you don't really know for sure if they are friend or foe when they are at that front gate, so you have to let them in the house, otherwise the IPS "alarm" will keep going off.

For now, I'd say give the update a shot.  You have nothing to lose and you can always turn it off later.

If you still can't find it, get it, or otherwise have a problem, just reply and I'll be more than glad to help.

I am a sw engineer, the original author of Computer Associates CA-Unicenter Security, and not affiliated with Cisco other than I have several of these routers.

-AJ

0 Helpful
Getting Started

Find answers to your questions by entering keywords or phrases in the Search bar above. New here? Use these resources to familiarize yourself with the community:

Customers Also Viewed These Support Documents