UDP Flooding on Cisco 1810 router

We are noticing lot of UDP packets on our Cisco 1810 router. This has choked our internet circuit at 100% utilization.

We  were able to find the Source IP address from where these packet are  coming and have denied access to the Source IP through an access list.

We  are seeing that the access-list is blocking that IP , but the has not  stopped the sender from sending the packet to our router and the router  interface is still experiencing high UDP packet from this IP address.

Any advice or help will be really appreciated.



rcIf         SrcIPaddress    DstIf         DstIPaddress    Pr SrcP DstP Bytes

Fa1     Fa0   11 6634 0035   931M


There are 3 top talkers:

IPV4 PROT       bytes        pkts       flows

=========  ==========  ==========  ==========

      17   840413708    19544032         141

        1      295379        4416           7

        6      967448        1797         109


Extended IP access list 123

    10 deny ip host any (3844997990 matches)

    11 deny udp host any

    20 permit ip any any (219799308 matches)


FastEthernet1 is up, line protocol is up

  Hardware is PQ3_TSEC, address is xxxx

  Internet address is 21xxxxxxxxx/xx

  MTU 1500 bytes, BW 15000 Kbit, DLY 100 usec,

     reliability 255/255, txload 21/255, rxload 228/255

  Encapsulation ARPA, loopback not set

  Keepalive set (10 sec)

  Full-duplex, 100Mb/s, 100BaseTX/FX

  ARP type: ARPA, ARP Timeout 04:00:00

  Last input 00:00:00, output 00:00:00, output hang never

  Last clearing of "show interface" counters 4d01h

  Input queue: 0/75/0/0 (size/max/drops/flushes); Total output drops: 0

  Queueing strategy: fifo

  Output queue: 0/40 (size/max)

  5 minute input rate 13465000 bits/sec, 23375 packets/sec

  5 minute output rate 1256000 bits/sec, 631 packets/sec

     4157523768 packets input, 1494788431 bytes

     Received 293 broadcasts, 0 runts, 0 giants, 0 throttles

     0 input errors, 0 CRC, 0 frame, 0 overrun, 0 ignored

     0 watchdog

     0 input packets with dribble condition detected

     96471423 packets output, 3912578832 bytes, 0 underruns

     0 output errors, 0 collisions, 0 interface resets

     0 babbles, 0 late collision, 0 deferred

     0 lost carrier, 0 no carrier

     0 output buffer failures, 0 output buffers swapped out


interface FastEthernet1

description WAN to Internet

bandwidth 15000


ip access-group 123 in

ip flow ingress

ip virtual-reassembly

speed 100


Naturally you are able to block the traffic but it will still consume your WAN links bandwith.

I would suggest perhaps contacting your ISP for help with this

RIPE gives the following information related to the public source IP address you are seeing

inetnum: -
netname:        LEASEWEB
descr:          LeaseWeb
descr:          P.O. Box 93054
descr:          1090BB AMSTERDAM
descr:          Netherlands
remarks:        Please send email to "" for complaints
remarks:        regarding portscans, DoS attacks and spam.
remarks:        INFRA-AW
country:        NL
admin-c:        LSW1-RIPE
tech-c:         LSW1-RIPE
status:         ASSIGNED PA
mnt-by:         OCOM-MNT
source:         RIPE #Filtered

There is also a contact email above. Maybe you could try that out also.

- Jouni

