DrayTek UK Users' Community Forum

Help, Advice and Solutions from DrayTek Users

[DOS][Block][udp_flood reports

18 Apr 2012 15:31 #71944 by mikejelfs
[DOS][Block][udp_flood reports was created by mikejelfs
Hi,

Hopefully someone can shed some light.

Increasingly, over the last few months I have been getting many reports via email (from my DrayTek 2930VN, which I have configured to send me a mail when it blocks anything) of the below 'attacks':

[DOS][Block][udp_flood, timeout=10][81.187.87.222:58751->81.187.87.222:59713][UDP][HLen=20, TLen=1466]

The rate I receive them is about 1 every minute, not 24/7 but most of the time. It can be reported for days without stopping, then stops for a day or so and returns.

I may be missing something, but the IP address is often the same; most of the time it is my own, and other times it's the smart host linked to my Exchange server.
I would understand if the IP address was random, but as it's my own I appear to be 'attacking' myself??

I have a standard network environment: Exchange server + DC with DHCP and DNS + a few PCs. The DrayTek is the gateway and is set to relay DHCP requests to the DHCP server. The DrayTek also handles the VPN, but DNS is set to forward requests to the DC (DNS) server.

Any information to help would be appreciated.

19 Apr 2012 10:30 #71951 by frag
Replied by frag on topic Re: [DOS][Block][udp_flood reports
Under the DoS defense settings you should just up the threshold value for the UDP flood defence.

Basically there are too many UDP packets being sent to the router. This can be due to an attack, but in this case it is for legitimate reasons. Upping the threshold should still protect you from a dedicated attack but will stop your legitimate traffic from triggering the firewall.
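
Before raising the threshold, it helps to tally the alert mails by address pair to confirm that the blocked traffic really is your own. The following is an added example, not part of the original thread or DrayTek's tooling: it parses the alert format quoted in the first post and classifies each entry. The function names, the `own_ips` set and all sample lines except the first (copied from the post) are constructed assumptions.

```python
import re
from collections import Counter

# Pattern derived only from the single alert line quoted in the thread.
ALERT_RE = re.compile(
    r"\[DOS\]\[Block\]\[(?P<kind>\w+), timeout=(?P<timeout>\d+)\]"
    r"\[(?P<src>[\d.]+):(?P<sport>\d+)->(?P<dst>[\d.]+):(?P<dport>\d+)\]"
    r"\[(?P<proto>\w+)\]\[HLen=(?P<hlen>\d+), TLen=(?P<tlen>\d+)\]"
)

def parse_alert(line):
    """Return the alert fields as a dict, or None if the line does not match."""
    m = ALERT_RE.search(line)
    if m is None:
        return None
    fields = m.groupdict()
    for key in ("timeout", "sport", "dport", "hlen", "tlen"):
        fields[key] = int(fields[key])
    return fields

def summarise(lines, own_ips):
    """Count alerts per (src, dst) pair and classify each by who sent it."""
    pairs, classes, skipped = Counter(), Counter(), 0
    for line in lines:
        alert = parse_alert(line)
        if alert is None:
            skipped += 1          # not a DoS alert, ignore but keep count
            continue
        pairs[(alert["src"], alert["dst"])] += 1
        if alert["src"] == alert["dst"]:
            classes["self"] += 1          # same address on both sides
        elif alert["src"] in own_ips:
            classes["own_source"] += 1    # our traffic going elsewhere
        else:
            classes["external"] += 1      # sender is not one of ours
    return pairs, classes, skipped

# First line is from the post; the rest are constructed samples.
SAMPLE = [
    "[DOS][Block][udp_flood, timeout=10][81.187.87.222:58751->81.187.87.222:59713][UDP][HLen=20, TLen=1466]",
    "[DOS][Block][udp_flood, timeout=10][192.0.2.10:5000->203.0.113.9:25][UDP][HLen=20, TLen=120]",
    "[DOS][Block][udp_flood, timeout=10][198.51.100.7:53->192.0.2.10:40000][UDP][HLen=20, TLen=512]",
    "unrelated syslog line",
]
OWN_IPS = {"81.187.87.222", "192.0.2.10"}  # assumption: addresses you control

if __name__ == "__main__":
    pairs, classes, skipped = summarise(SAMPLE, OWN_IPS)
    print(pairs.most_common(), dict(classes), skipped)
```

If nearly every alert falls in the `self` or `own_source` class, that supports treating the alerts as legitimate traffic; a growing `external` count is the case the threshold still needs to catch.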
