RVS4000 IPS & OnLive

Answered Question
Jul 23rd, 2010

When using OnLive with the IPS feature of the RVS4000 enabled, I receive many "DDOS_TYPE_UDP_FLOOD" messages in my IPS log.

I can't tell if this is a false positive or what, but I cannot use OnLive when the IPS feature is enabled because of all the skipping (which I attribute to IPS blocking).

Correct Answer
jagor Mon, 07/26/2010 - 11:26

If you are just getting these alerts whenever running OnLive, it most likely is a false positive. The IPS module might be detecting too many UDP packets at once as an attack on the router and stopping the traffic, resulting in stopping OnLive.

FratianiD Mon, 07/26/2010 - 11:30

That was my guess.

I think a new IPS signature is in order...

Could you report this so it will hopefully be addressed?

jagor Mon, 07/26/2010 - 11:32

I can definitely raise this issue to the appropriate people.

jagor Tue, 07/27/2010 - 08:06

The developers have responded that the UDP flood alert is actually not generated by the IPS module at all. It is most likely coming from the firewall module instead. Can you help pinpoint this by leaving IPS on, disabling "DoS Protection" under Firewall and running OnLive? Also, what firmware version are you running on your RVS4000? Thanks.

FratianiD Tue, 07/27/2010 - 09:05

I will test that setup when I get home.

I'm running firmware v1.3.2.0.

Thank you for your continued support, I really appreciate it.

FratianiD Tue, 07/27/2010 - 16:41

Silky smooth without the DoS option in the firewall module.

Nothing logged either.

Hope this can be fixed so that I can re-enable this feature soon.
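The false positive discussed in this thread, as an added illustration that is not part of any post above and not the RVS4000 firmware's actual logic: a per-source UDP rate check flags a stream the LAN host asked for, while the same check limited to unsolicited sources flags only the sender nobody contacted. The 500 packets/s threshold, the addresses (documentation ranges), the trace and all function names are assumptions constructed for the example.

```python
from collections import deque

STREAM = "203.0.113.10"      # constructed: game-streaming server the LAN host contacted
UNSOLICITED = "198.51.100.7" # constructed: source the LAN host never contacted
DNS = "192.0.2.53"           # constructed: low-rate background traffic

def constructed_trace():
    """Return (timestamp_s, direction, remote_ip) tuples; 'out' = LAN to WAN."""
    pkts = [(0.0, "out", STREAM), (0.0, "out", DNS), (0.01, "in", DNS)]
    for i in range(1200):                 # two seconds at 600 packets/s each
        t = 0.1 + i / 600.0
        pkts.append((t, "in", STREAM))
        pkts.append((t, "in", UNSOLICITED))
    return sorted(pkts, key=lambda p: p[0])

def udp_flood_alerts(packets, threshold_pps, exempt_solicited=False):
    """Flag remote IPs whose inbound UDP rate exceeds threshold_pps in any 1 s window.

    With exempt_solicited=True, remotes that the LAN side sent to first are
    not counted, which is how a flow-aware check separates a requested
    stream from an unsolicited burst.
    """
    windows = {}        # remote_ip -> deque of inbound timestamps within the last second
    solicited = set()   # remotes the LAN host has sent UDP to
    flagged = set()
    for ts, direction, remote in packets:
        if direction == "out":
            solicited.add(remote)
            continue
        if exempt_solicited and remote in solicited:
            continue
        q = windows.setdefault(remote, deque())
        q.append(ts)
        while q and ts - q[0] >= 1.0:     # slide the one-second window forward
            q.popleft()
        if len(q) > threshold_pps:
            flagged.add(remote)
    return sorted(flagged)

if __name__ == "__main__":
    trace = constructed_trace()
    print("rate only:      ", udp_flood_alerts(trace, 500))
    print("flow-aware rate:", udp_flood_alerts(trace, 500, exempt_solicited=True))
```

A flow-aware check would still want a higher ceiling for solicited flows, since a contacted address can also send more than the link can carry.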
