DrayTek UK Users' Community Forum

Help, Advice and Solutions from DrayTek Users

3910 - UDP Flood

03 Jan 2025 21:24 - 03 Jan 2025 21:38 #104395 by macximum
3910 - UDP Flood was created by macximum
Hi there

Could anyone confirm my suspicions... getting masses of entries like this in the SYSLOG of the company DrayTek 3910 Firewall

"2025-01-03 20:54:10", "[FILTER][Pass][WAN->LAN/RT/VPN, 24:49:13    ][@S:R=51:1, 38.46.8.165:7621->192.168.254.248:3283][UDP][HLen=20, TLen=32]"
"2025-01-03 20:54:10", "Virtual Server: 38.46.8.165:7621 -> 192.168.254.248:3283 (UDP)"
"2025-01-03 20:54:10", "[FILTER][Pass][WAN->LAN/RT/VPN, 24:49:13    ][@S:R=51:1, 38.46.8.165:13419->192.168.254.248:3283][UDP][HLen=20, TLen=32]"
"2025-01-03 20:54:10", "Virtual Server: 38.46.8.165:13419 -> 192.168.254.248:3283 (UDP)"
"2025-01-03 20:54:10", "[FILTER][Pass][WAN->LAN/RT/VPN, 24:49:13    ][@S:R=51:1, 154.197.16.88:44560->192.168.254.248:3283][UDP][HLen=20, TLen=32]"
"2025-01-03 20:54:10", "Virtual Server: 154.197.16.88:44560 -> 192.168.254.248:3283 (UDP)"

The CPU usage goes up into the >70% region and the internet and other services become unresponsive.
I've shut down port 3283 now and CPU usage seems to have settled back to <21% but occasionally bounces around a little higher.

Also, before shutting the 3283 port down, simply pulling the plug to the main internet connection and letting the firewall 'failover' to the mobile broadband connection seems to sort the problem too.

It really felt like a DDoS attack to me?

Some guidance would be much appreciated. Many thanks in advance.
 
Last edit: 03 Jan 2025 21:38 by macximum.
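
One way to check the suspicion in the post above is to tally the [FILTER] lines per destination port and second. This is an added example, not part of the original post and not DrayTek tooling; the regex is inferred only from the six log lines quoted there, and the function names and thresholds are assumptions to tune.

```python
import re
from collections import defaultdict

# Layout inferred from the [FILTER] lines quoted in the post (an assumption
# for any other firmware version or syslog format).
FILTER_RE = re.compile(
    r'"(?P<ts>[\d-]+ [\d:]+)",\s*"\[FILTER\]\[(?P<action>\w+)\]\[(?P<dir>[^,\]]+),'
    r'.*?(?P<src>\d+\.\d+\.\d+\.\d+):\d+->'
    r'(?P<dst>\d+\.\d+\.\d+\.\d+):(?P<dport>\d+)\]\[(?P<proto>\w+)\]'
)

# The six log lines from the post, copied as quoted there.
SAMPLE = '''\
"2025-01-03 20:54:10", "[FILTER][Pass][WAN->LAN/RT/VPN, 24:49:13    ][@S:R=51:1, 38.46.8.165:7621->192.168.254.248:3283][UDP][HLen=20, TLen=32]"
"2025-01-03 20:54:10", "Virtual Server: 38.46.8.165:7621 -> 192.168.254.248:3283 (UDP)"
"2025-01-03 20:54:10", "[FILTER][Pass][WAN->LAN/RT/VPN, 24:49:13    ][@S:R=51:1, 38.46.8.165:13419->192.168.254.248:3283][UDP][HLen=20, TLen=32]"
"2025-01-03 20:54:10", "Virtual Server: 38.46.8.165:13419 -> 192.168.254.248:3283 (UDP)"
"2025-01-03 20:54:10", "[FILTER][Pass][WAN->LAN/RT/VPN, 24:49:13    ][@S:R=51:1, 154.197.16.88:44560->192.168.254.248:3283][UDP][HLen=20, TLen=32]"
"2025-01-03 20:54:10", "Virtual Server: 154.197.16.88:44560 -> 192.168.254.248:3283 (UDP)"
'''.splitlines()

def tally(lines):
    """Count passed WAN-originated packets per (second, dst, port, proto)."""
    hits = defaultdict(lambda: {"packets": 0, "sources": set()})
    for line in lines:
        m = FILTER_RE.search(line)
        # "Virtual Server:" lines repeat each FILTER hit, so they are skipped.
        if not m or m["action"] != "Pass" or not m["dir"].startswith("WAN"):
            continue
        key = (m["ts"], m["dst"], int(m["dport"]), m["proto"])
        hits[key]["packets"] += 1
        hits[key]["sources"].add(m["src"])
    return hits

def flood_candidates(lines, min_packets=50, min_sources=5):
    """Buckets where one forwarded port takes many packets from several sources
    within one second. Thresholds are assumed starting points, not vendor values."""
    out = []
    for (ts, dst, dport, proto), h in tally(lines).items():
        if h["packets"] >= min_packets and len(h["sources"]) >= min_sources:
            out.append({"second": ts, "target": f"{dst}:{dport}/{proto}",
                        "packets": h["packets"], "sources": sorted(h["sources"])})
    return sorted(out, key=lambda r: r["packets"], reverse=True)

if __name__ == "__main__":
    # The excerpt holds only three packets, so thresholds are lowered to fit it.
    for row in flood_candidates(SAMPLE, min_packets=3, min_sources=2):
        print(row)
```

Run against a full syslog export, the output shows which forwarded port and internal host receive the traffic and how many distinct sources are involved in each second.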

06 Jan 2025 21:13 #104408 by the_pit
Replied by the_pit on topic 3910 - UDP Flood
Doing a quick IP check on the first one shows the IP to be United States, then suddenly China pops up in the list.
The last IP shows Hong Kong, then that suddenly jumps to Seychelles. Weird.

Are you running any servers on your network?

07 Jan 2025 13:10 #104416 by macximum
Replied by macximum on topic 3910 - UDP Flood
No, I have shut down all the ports that were open to the outside world now. 3283 was open for some remote testing. It seems to have got better now but still experiencing weird issues.

Can I block port 3283 being passed at all?
