Cisco Support Community
cancel
Showing results for 
Search instead for 
Did you mean: 
Announcements

Welcome to Cisco Support Community. We would love to have your feedback.

For an introduction to the new site, click here. If you'd prefer to explore, try our test area to get started. And see here for current known issues.

New Member

RVS4000 ...IPS ....DDOS_TYPE_UDP_FLOOD

Can anyone help with this? we found when client's use our game servers the router ips reports DDOS_TYPE_UDP_FLOOD here some of what we are seeing and some time our own lan ip sometime show's up in the list we host gaming servers and teamspeaks servers

1 2012-01-30 18:26:41 DDOS_TYPE_UDP_FLOOD 186.82.86.23

2 2012-01-30 18:26:40 DDOS_TYPE_UDP_FLOOD 186.30.169.152

3 2012-01-30 18:26:39 DDOS_TYPE_UDP_FLOOD 69.171.166.204

4 2012-01-30 18:26:38 DDOS_TYPE_UDP_FLOOD 201.184.106.177

5 2012-01-30 18:26:37 DDOS_TYPE_UDP_FLOOD 50.52.168.176

6 2012-01-30 18:26:36 DDOS_TYPE_UDP_FLOOD 24.89.59.53

7 2012-01-30 18:26:35 DDOS_TYPE_UDP_FLOOD 50.52.168.176

8 2012-01-30 18:26:34 DDOS_TYPE_UDP_FLOOD 186.30.169.152

will this damage anything or is this ok with the amount of traffic we are seeing some time up to 300 on a report per day everything is working fine

would like to stop it if it can be done Thanks Robert

3 REPLIES
New Member

RVS4000 ...IPS ....DDOS_TYPE_UDP_FLOOD

Robert, I'm not an expert in this area, but IPS is detecting these UDP datagrams as an attack.  I take it that these hits are from your game customers.  If nothing else, it will definitely be a performance hit because your router is busy handling these instead of ignoring them.

You have to determine if it is safe to turn off IPS (do you have back-end firewall security?), and additionally, if you use it, make sure you have the latest version, which I believe is 1.50.  Look in the information section under IPS on your router for the version #.

I hope this helps.

New Member

RVS4000 ...IPS ....DDOS_TYPE_UDP_FLOOD

Thank you  AJ for the help we turn off ips and everything is working good  we are running Signature Version: 1.42  Firmware Version: V2.0.2.7 we are a non profit we supply servers to over 800 kid's through out the world all free services we are new to all this.... how do we update to 1.50 and a link to download it .....

New Member

RVS4000 ...IPS ....DDOS_TYPE_UDP_FLOOD

Hi Robert.

You're welcome, and I think what you are doing for the kids is great.

The 1.50 download is here in Cisco's support area.  It is a little hard to navigate to, but once you get there, just download the zip file and extract the 2 files that are in it.  Read the readme file and then use the IPS menu on the router to navigate to the file and update the signatures that it describes to block attackers.

If you can't find it, google "RVS4000_WRVS4400N_IPS_Signature_v1.50.zip"

Once you install it, check the log to see if it is still triggering against these (it probably will because there are so many simultaneous UDP packets from different IPs.).  There may be a way in the Firewall portion of the router to enable these UDP connections, but that kindof bypasses the concept of IPS.  It is going to be a decision for you to make, whether to keep it enabled or not.  If you have a good firewall on your server(s) behind the router, then you can probably disable it, but my feeling is it is best to stop intruders at the front gate, not at the kitchen door.  In this case, you don't really know for sure if they are friend or foe when they are at that front gate, so you have to let them in the house, otherwise the IPS "alarm" will keep going off.

For now, I'd say give the update a shot.  You have nothing to lose and you can always turn it off later.

If you still can't find it, get it, or otherwise have a problem, just reply and I'll be more than glad to help.

I am a sw engineer, the original author of Computer Associates CA-Unicenter Security, and not affiliated with Cisco other than I have several of these routers.

-AJ

1247
Views
0
Helpful
3
Replies