RVS4000 IPS & OnLive

Answered Question
Jul 23rd, 2010
User Badges:

When using OnLive with the IPS feature of the RVS4000 enabled, I receive many "DDOS_TYPE_UDP_FLOOD" messages in my IPS log.

I can't tell if this is a false positive or what but I can not use OnLive when the IPS feature is enabled because of all the skipping (I attribute to IPS blocking).

Correct Answer by jagor about 6 years 11 months ago

If you are just getting these alerts whenever running OnLive, it most likely is a false positive. The IPS module
might be detection too many UDP packets at once as an attack on the router and stopping the traffic, resulting in stopping OnLive.

  • 1
  • 2
  • 3
  • 4
  • 5
Overall Rating: 5 (1 ratings)
Loading.
Correct Answer
jagor Mon, 07/26/2010 - 11:26
User Badges:

If you are just getting these alerts whenever running OnLive, it most likely is a false positive. The IPS module
might be detection too many UDP packets at once as an attack on the router and stopping the traffic, resulting in stopping OnLive.

FratianiD Mon, 07/26/2010 - 11:30
User Badges:

That was my guess.


I think a new IPS signature is in order...

Could you report this so it will hopefully be addressed?

jagor Mon, 07/26/2010 - 11:32
User Badges:

I can definitely raise this issue to the appropriate people.

jagor Tue, 07/27/2010 - 08:06
User Badges:

The developers have responded that the UDP flood alert is actually not generated by the IPS module at all. It is most likely coming from the firewall module instead. Can you help pinpoint this by leaving IPS on, disabling "DoS Protection" under Firewall and running OnLive? Also, what firmware version are you running on your RVS4000? Thanks.

FratianiD Tue, 07/27/2010 - 09:05
User Badges:

I will test that setup when I get home.

I'm running firmware v1.3.2.0


Thank you for your continued support, I really appreciate it.

FratianiD Tue, 07/27/2010 - 16:41
User Badges:

Silky smooth with out the DoS option in the firewall module.


Nothing logged either.


Hope this can be fixed so that I can re-enable this feature soon.

Actions

This Discussion