DrayTek UK Users' Community Forum

Help, Advice and Solutions from DrayTek Users

3910 - UDP Flood

03 Jan 2025 21:24 - 03 Jan 2025 21:38 #104395 by macximum
3910 - UDP Flood was created by macximum
Hi there

Could anyone confirm my suspicions... getting masses of entries like this in the SYSLOG of the company DrayTek 3910 Firewall

"2025-01-03 20:54:10", "[FILTER][Pass][WAN->LAN/RT/VPN, 24:49:13    ][@S:R=51:1, 38.46.8.165:7621->192.168.254.248:3283][UDP][HLen=20, TLen=32]"
"2025-01-03 20:54:10", "Virtual Server: 38.46.8.165:7621 -> 192.168.254.248:3283 (UDP)"
"2025-01-03 20:54:10", "[FILTER][Pass][WAN->LAN/RT/VPN, 24:49:13    ][@S:R=51:1, 38.46.8.165:13419->192.168.254.248:3283][UDP][HLen=20, TLen=32]"
"2025-01-03 20:54:10", "Virtual Server: 38.46.8.165:13419 -> 192.168.254.248:3283 (UDP)"
"2025-01-03 20:54:10", "[FILTER][Pass][WAN->LAN/RT/VPN, 24:49:13    ][@S:R=51:1, 154.197.16.88:44560->192.168.254.248:3283][UDP][HLen=20, TLen=32]"
"2025-01-03 20:54:10", "Virtual Server: 154.197.16.88:44560 -> 192.168.254.248:3283 (UDP)"

The CPU usage goes up into the >70% region and the internet and other services become unresponsive.
I've shut down port 3283 now and CPU usage seems to have settled back to <21% but occasionally bounces around a little higher.

Also, before shutting the 3283 port down, simply pulling the plug to the main internet connection and letting the firewall 'failover' to the mobile broadband connection seems to sort the problem too.

It really felt like a DDoS attack to me?

Some guidance would be much appreciated. Many thanks in advance.
 
Last edit: 03 Jan 2025 21:38 by macximum.
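
A way to check log entries like the ones quoted above for a burst pattern, added here as an example and not part of the original post or any DrayTek tooling: it parses the `[FILTER]` lines and groups passed WAN-originated packets per second and destination port. The regular expression is inferred only from the lines shown in the post, and the `min_packets` threshold and the last sample line are assumptions chosen for this small sample.

```python
import re
from collections import defaultdict

# The first six lines are the entries quoted in the post; the last line is
# constructed (203.0.113.9 is a documentation address) as a quieter second.
SAMPLE_LOG = '''\
"2025-01-03 20:54:10", "[FILTER][Pass][WAN->LAN/RT/VPN, 24:49:13    ][@S:R=51:1, 38.46.8.165:7621->192.168.254.248:3283][UDP][HLen=20, TLen=32]"
"2025-01-03 20:54:10", "Virtual Server: 38.46.8.165:7621 -> 192.168.254.248:3283 (UDP)"
"2025-01-03 20:54:10", "[FILTER][Pass][WAN->LAN/RT/VPN, 24:49:13    ][@S:R=51:1, 38.46.8.165:13419->192.168.254.248:3283][UDP][HLen=20, TLen=32]"
"2025-01-03 20:54:10", "Virtual Server: 38.46.8.165:13419 -> 192.168.254.248:3283 (UDP)"
"2025-01-03 20:54:10", "[FILTER][Pass][WAN->LAN/RT/VPN, 24:49:13    ][@S:R=51:1, 154.197.16.88:44560->192.168.254.248:3283][UDP][HLen=20, TLen=32]"
"2025-01-03 20:54:10", "Virtual Server: 154.197.16.88:44560 -> 192.168.254.248:3283 (UDP)"
"2025-01-03 20:54:11", "[FILTER][Pass][WAN->LAN/RT/VPN, 24:49:14    ][@S:R=51:1, 203.0.113.9:5000->192.168.254.248:3283][UDP][HLen=20, TLen=32]"
'''

FILTER_RE = re.compile(
    r'^"(?P<ts>[^"]+)",\s*"\[FILTER\]\[(?P<action>\w+)\]\[(?P<dir>[^,\]]+),.*?'
    r'(?P<src>\d+(?:\.\d+){3}):(?P<sport>\d+)->(?P<dst>\d+(?:\.\d+){3}):(?P<dport>\d+)\]'
    r'\[(?P<proto>\w+)\]\[HLen=(?P<hlen>\d+), TLen=(?P<tlen>\d+)\]"\s*$'
)

def parse_filter_lines(text):
    """Return one dict per [FILTER] entry; 'Virtual Server:' and other lines are skipped."""
    matches = (FILTER_RE.match(line.strip()) for line in text.splitlines())
    return [m.groupdict() for m in matches if m]

def find_bursts(records, min_packets=3):
    """Group passed WAN-originated packets by (second, dst, dport, proto) and
    return the groups that reach min_packets, busiest first."""
    groups = defaultdict(lambda: {"packets": 0, "sources": set(), "tlens": set()})
    for r in records:
        if r["action"] != "Pass" or not r["dir"].startswith("WAN->"):
            continue
        g = groups[(r["ts"], r["dst"], int(r["dport"]), r["proto"])]
        g["packets"] += 1
        g["sources"].add(r["src"])
        g["tlens"].add(int(r["tlen"]))
    bursts = [
        {"second": k[0], "dst": k[1], "dport": k[2], "proto": k[3],
         "packets": g["packets"], "sources": sorted(g["sources"]),
         "tlens": sorted(g["tlens"])}
        for k, g in groups.items() if g["packets"] >= min_packets
    ]
    return sorted(bursts, key=lambda b: b["packets"], reverse=True)

if __name__ == "__main__":
    print(find_bursts(parse_filter_lines(SAMPLE_LOG)))
```

Run over a full syslog export with a threshold tuned to normal traffic, the per-second packet count, the number of distinct sources and a single repeated `TLen` help separate a flood against one forwarded port from ordinary use of that port.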

06 Jan 2025 21:13 #104408 by the_pit
Replied by the_pit on topic 3910 - UDP Flood
Doing a quick IP check on the first one shows the IP to be United States, then suddenly China pops up in the list.
The last IP shows Hong Kong, then that suddenly jumps to Seychelles. Weird.

Are you running any servers on your network?

07 Jan 2025 13:10 #104416 by macximum
Replied by macximum on topic 3910 - UDP Flood
No, I have shut down all the ports that were open to the outside world now. 3283 was open for some remote testing. It seems to have got better now but still experiencing weird issues.

Can I block port 3283 being passed at all?

07 Feb 2025 14:02 - 07 Feb 2025 14:05 #104562 by macximum
Replied by macximum on topic 3910 - UDP Flood
Still struggling with this 3910 Firewall on the current firmware and DrayTek Support have failed to get back to me numerous times despite promises over the phone.
I was even told there is a beta firmware I could try, I've sent them SysLogs, but no response whatsoever... I have no idea what is going on with them! Rapidly losing confidence!

Can anyone decipher the following? Are they an attack?

I have NO users that are currently in the USA, and I keep getting these pop up in the Firewall SysLogs, sometimes the Firewall falls over at around this time too and sort of reboots itself, LAN keeps working but WAN dies for a few seconds...

2025-02-07 02:42:46 ## IKEv2 DBG : IKESA inI1_outR1 : Responding IKE SA to [US🇺🇸]: 199.45.155.83
2025-02-07 02:42:46 ## IKEv2 DBG : IKESA inI1_outR1 : Create IKE SA #848
2025-02-07 02:42:46 ## IKEv2 DBG : Recv IKEv2_SA_INIT[34] Request msgid 0 from [US🇺🇸]: 199.45.155.83, Peer is IKEv2 Initiator
2025-02-07 02:42:46 Matching General Setup key for dynamic ip client...
2025-02-07 02:42:46 Accept Phase1 proposals : ENCR OAKLEY_3DES_CBC, HASH OAKLEY_SHA
2025-02-07 02:42:46 #847 peer requested phase1 lifetime 256 seconds which is out of range, will use 28800 seconds
2025-02-07 02:42:46 #847 peer requested phase1 lifetime 256 seconds which is out of range, will use 28800 seconds
2025-02-07 02:42:46 #847 peer requested phase1 lifetime 256 seconds which is out of range, will use 28800 seconds
2025-02-07 02:42:46 #847 peer requested phase1 lifetime 256 seconds which is out of range, will use 28800 seconds
2025-02-07 02:42:46 #847 peer requested phase1 lifetime 256 seconds which is out of range, will use 28800 seconds
2025-02-07 02:42:46 #847 peer requested phase1 lifetime 256 seconds which is out of range, will use 28800 seconds
2025-02-07 02:42:46 #847 peer requested phase1 lifetime 256 seconds which is out of range, will use 28800 seconds
2025-02-07 02:42:46 #847 peer requested phase1 lifetime 256 seconds which is out of range, will use 28800 seconds
2025-02-07 02:42:46 Responding to Main Mode from [US🇺🇸]: 199.45.155.83
2025-02-07 02:42:42 ## IKEv2 DBG : IKESA inI1_outR1 : Responding IKE SA to [US🇺🇸]: 199.45.154.182
2025-02-07 02:42:42 ## IKEv2 DBG : IKESA inI1_outR1 : Create IKE SA #846
2025-02-07 02:42:42 ## IKEv2 DBG : Recv IKEv2_SA_INIT[34] Request msgid 0 from [US🇺🇸]: 199.45.154.182, Peer is IKEv2 Initiator
Last edit: 07 Feb 2025 14:05 by macximum.

18 Feb 2025 18:54 #104605 by the_pit
Replied by the_pit on topic 3910 - UDP Flood
Are you running a VPN server by any chance?

18 Feb 2025 19:04 #104606 by macximum
Replied by macximum on topic 3910 - UDP Flood
Yes, and I have a few VPN users but none that are abroad, all UK based.


Moderators: Chris