Umbrella Virtual Appliances and UDP Flood Attacks
Looking to see if there's a solution to this: We are provided with DNS filtering for on-site and off-site web access through Umbrella. To do this, on-site, we have Umbrella's Virtual Appliances (we have to go through the appliances to filter by local IP or AD users). We've got about 12 appliances spread out across our network. Originally, we had two, and we were getting UDP flood attacks on the servers, I assumed because we didn't have enough. We upped the limit to 7000, spread it out to 12 servers instead of 2, and the problems dissipated, mostly. We would still have some random issues, but now it was the Virtual Appliances flooding out our internet connection back to Umbrella's servers (4 server IPs). We've turned off the UDP flood attack prevention, and in our environment I'm not too concerned about it... Still, is there a proper way to handle local DNS servers that do a large amount of UDP traffic? Or is disabling the Flood Protection the normal response? Still learning the system, and this is the biggest hiccup we've had so far. Thanks!
Comments
Hi @JohnS
All of the Default Threat Protection thresholds are just a best guess as to what network traffic is normal on a network.
-If the issue is definitely with the threshold(s) and they seem out of whack for that network, I usually start by doubling or tripling the numbers on the policies that are being tripped, and then slowly bring the number down.
-If the issue is just with one or a small handful of trusted hosts, you can add the IPs to the blocked sites exception list. This will exempt that IP from most items in Default Threat Protection.
See:
(Create Blocked Sites Exceptions)
https://www.watchguard.com/help/docs/help-center/en-US/Content/en-US/Fireware/intrusionprevention/blocked_sites_create_exceptions_c.html
-James Carson
WatchGuard Customer Support
@james.carson Hmm... Well, we have those sites listed as blocked site exceptions already, but it doesn't seem to affect the UDP Flood attack action. It is just a handful of servers that we're sending DNS queries to, so if that was the case, that would be wonderful. It just doesn't seem like those exceptions affect that.
Though, would it be the destination that needs to be a blocked site exception? Or the server sending the request? We don't have all the local DNS appliances listed as exceptions, just the Cisco Umbrella Cloud Servers. I may have that backwards in my mind.
It's not a huge deal that it's disabled, just one of those protections that would be nice to enable.
@JohnS
Whichever IP is the one triggering the protection. It'll be the first IP shown in the deny log for UDP flooding.
In a DNS situation, that would likely be the DNS Clients (probably the umbrella clients) calling out to their servers on the internet. So probably the internal private IP.
-James Carson
WatchGuard Customer Support
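Two practical questions come out of the thread above: which internal host is actually tripping the UDP flood threshold, and what value to set the threshold to once you know the real DNS query rate of the Umbrella Virtual Appliances (the "double or triple it, then bring it down" approach). The script below is an added example, not code from the thread, from WatchGuard or from Cisco. It assumes a simple model in which flood protection counts UDP packets per source IP per second; WatchGuard's exact counting rules are not documented in this thread, so treat that as an assumption. The packet records are constructed for the example (documentation addresses in 203.0.113.0/24 stand in for the Umbrella resolver IPs), and in practice you would fill the same record shape from a packet capture or the firewall's deny log.

```python
"""Estimate per-source UDP packet rates to tune a UDP flood threshold.

Added example. Assumption: flood protection is modelled as a per-source-IP
packets-per-second counter. Sample traffic below is constructed.
"""
from collections import defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class Packet:
    ts: float      # seconds since capture start
    src: str       # source IP
    dst: str       # destination IP
    proto: str     # "udp" or "tcp"
    dport: int     # destination port


def peak_rate_per_source(packets, window=1.0):
    """Return {src_ip: peak UDP packets seen in any single `window`-second bucket}."""
    buckets = defaultdict(lambda: defaultdict(int))
    for p in packets:
        if p.proto != "udp":
            continue  # only UDP counts toward a UDP flood threshold
        buckets[p.src][int(p.ts // window)] += 1
    return {src: max(b.values()) for src, b in buckets.items()}


def sources_over_threshold(peaks, threshold):
    """Source IPs whose peak rate meets the threshold, worst offender first.

    Under the per-source model, the first of these is what the deny log would
    report as the IP triggering UDP flood protection.
    """
    hot = [src for src, rate in peaks.items() if rate >= threshold]
    return sorted(hot, key=lambda src: -peaks[src])


def suggest_threshold(peaks, trusted, factor=2):
    """Starting threshold: `factor` x the highest peak among trusted hosts.

    Mirrors the 'start by doubling or tripling, then bring it down' advice;
    returns None if no trusted host appears in the data.
    """
    legit = [rate for src, rate in peaks.items() if src in trusted]
    return max(legit) * factor if legit else None


def _burst(src, dst, proto, dport, rates_per_second):
    """Constructed traffic: `rates_per_second[i]` packets spread over second i."""
    out = []
    for sec, rate in enumerate(rates_per_second):
        for i in range(rate):
            out.append(Packet(sec + i / rate, src, dst, proto, dport))
    return out


def build_sample():
    """Constructed capture: two Umbrella VAs, one noisy host, some TCP noise."""
    resolver = "203.0.113.10"                  # placeholder for an Umbrella resolver
    pkts = []
    pkts += _burst("10.0.0.11", resolver, "udp", 53, [800, 1200, 950])   # VA 1
    pkts += _burst("10.0.0.12", resolver, "udp", 53, [600, 700, 650])    # VA 2
    pkts += _burst("10.0.5.77", "239.255.255.250", "udp", 1900, [50, 3000, 40])  # SSDP burst
    pkts += _burst("10.0.9.5", "203.0.113.20", "tcp", 443, [400, 400, 400])  # ignored
    return pkts


if __name__ == "__main__":
    peaks = peak_rate_per_source(build_sample())
    for src, rate in sorted(peaks.items(), key=lambda kv: -kv[1]):
        print(f"{src:>12}  peak {rate:>5} UDP pkts/s")
    print("over 1000 pps:", sources_over_threshold(peaks, 1000))
    vas = {"10.0.0.11", "10.0.0.12"}
    print("suggested starting threshold:", suggest_threshold(peaks, vas))
```

Run against real data, the output tells you two things: whether the hosts tripping the threshold are the Virtual Appliances themselves (in which case raise the threshold or exempt those private IPs, which is the direction the reply above points at) or some other host (in which case the protection is doing its job), and a defensible starting threshold above the VAs' real query peak rather than a guessed value like 7000.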