Got it
Huawei Enterprise Support Community
Community Forums Security
HELP FOR VIRUS AttackType...

HELP FOR VIRUS AttackType:UDPLIMIT and AttackType="udp bandwidth-limit ,AttackType="ICMP unreachable attack

Created: Oct 28, 2020 12:30:45Latest reply: Oct 29, 2020 09:12:33 572 10 0 0 0
  Rewarded HiCoins: 0 (problem resolved)
View the author 1#

Hi everyone,My company's network system is suffering from these 2 viruses, do you have any solutions to help me solve?

1

2

topogize


Attachment: You need to log in to download or view. No account? Register
physical firewall

Like (0) Dislike (0) Favorite(0) Share Report
Previous: How to allow users to log in under a specified security group
Next: [Dr. WoW Season 2] [No 2] NGFW Functions
Featured Answers

Recommended answer

(0) (0)
chenhui
Admin Created Oct 29, 2020 09:12:33

Hi AndyDuoc,
I checked the logs you uploaded, as you can see from the logs, the ICMP unreachable attack source is internal IP, and destination IP is external IP, what should pay attenation to is the total packets field, almost all the ICMP unreachable attack total packets field value is very low, which doesn't match the attacking behavior(usually massive attack packets).
Instead of the ICMP unreachable attack logs, you should pay attenation to the udp bandwidth-limit attack logs. As the log below shows, firewall receives over 900 packets in a short time.
(#Oct 26 2020 11:45:58+07:00 FW-1 %ATK/4/FIREWALLATCK(l)[41]:AttackType="udp bandwidth-limit", slot=" ", cpu="0", receive interface="GE1/0/4 ", proto="UDP", ip="113.171.212.77:443->192.168.39.22:64389", begin time=2020/10/26 11:45:29, end time=2020/10/26 11:45:34, total packets="913", max speed="53705", Action="discard".)
You can refer the @DDSN's answer to configure the UDP flood attack defense.
View more
  • x
  • convention:

AndyDuoc
AndyDuoc Created Oct 29, 2020 13:50:16 (0) (0)
thank you very much !  
AndyDuoc
AndyDuoc Created Oct 29, 2020 13:50:56 (0) (0)
But do you think is that virus ?  
DDSN
DDSN Reply AndyDuoc  Created Oct 29, 2020 14:16:14 (0) (0)
Hi AndyDuoc,
It's probably not a virus.  
AndyDuoc
AndyDuoc Reply DDSN  Created Oct 30, 2020 13:55:01 (0) (0)
So what is that ? that is real ddos,because i see mostly source packet from internal,i thought that is Virus  
All Answers
(0) (0)
2#
DDSN
DDSN Admin Created Oct 28, 2020 12:31:44

Hi AndyDuoc,
Please wait patiently. Our engineers are looking for answers to your questions.
View more
  • x
  • convention:
(0) (0)
3#
DDSN
DDSN Admin Created Oct 28, 2020 12:52:30

Hi AndyDuoc, 

For the ICMP unreachable attack, you can try to run the firewall defend icmp-unreachable enable command in the system view to enable defense against ICMP unreachable packet attacks.

For the udp bandwidth-limit, you can try to configure UDP flood attack defense, please refer to https://support.huawei.com/hedex/hdx.do?docid=EDOC1100122846&id=EN-US_TASK_0178924075&lang=en

I hope it helps!


View more
  • x
  • convention:
(0) (0)
4#
AndyDuoc
AndyDuoc Created Oct 28, 2020 13:08:52

Thank you,But i think this problem in the internal network? Are our computers infected with viruses?i have log file but i don't know how to upload
View more
  • x
  • convention:
(0) (0)
5#
Hobbit
Hobbit Created Oct 28, 2020 13:33:14

Posted by AndyDuoc at 2020-10-28 13:08 Thank you,But i think this problem in the internal network? Are our computers infected with viruses? ...
You can check whether the attack source is the port connected to the intranet. Check the session records of the firewall to determine the IP address of the attack source.
You can edit the post to upload attachments.
View more
  • x
  • convention:

AndyDuoc
AndyDuoc Created Oct 28, 2020 14:19:22 (0) (0)
attack source is internal,destination is extranet,
i was post log file,could you help me see it again,please thanks  
(0) (0)
6#
chenhui
chenhui Admin Created Oct 29, 2020 09:12:33

Hi AndyDuoc,
I checked the logs you uploaded, as you can see from the logs, the ICMP unreachable attack source is internal IP, and destination IP is external IP, what should pay attenation to is the total packets field, almost all the ICMP unreachable attack total packets field value is very low, which doesn't match the attacking behavior(usually massive attack packets).
Instead of the ICMP unreachable attack logs, you should pay attenation to the udp bandwidth-limit attack logs. As the log below shows, firewall receives over 900 packets in a short time.
(#Oct 26 2020 11:45:58+07:00 FW-1 %ATK/4/FIREWALLATCK(l)[41]:AttackType="udp bandwidth-limit", slot=" ", cpu="0", receive interface="GE1/0/4 ", proto="UDP", ip="113.171.212.77:443->192.168.39.22:64389", begin time=2020/10/26 11:45:29, end time=2020/10/26 11:45:34, total packets="913", max speed="53705", Action="discard".)
You can refer the @DDSN's answer to configure the UDP flood attack defense.
View more
  • x
  • convention:

AndyDuoc
AndyDuoc Created Oct 29, 2020 13:50:16 (0) (0)
thank you very much !  
AndyDuoc
AndyDuoc Created Oct 29, 2020 13:50:56 (0) (0)
But do you think is that virus ?  
DDSN
DDSN Reply AndyDuoc  Created Oct 29, 2020 14:16:14 (0) (0)
Hi AndyDuoc,
It's probably not a virus.  
AndyDuoc
AndyDuoc Reply DDSN  Created Oct 30, 2020 13:55:01 (0) (0)
So what is that ? that is real ddos,because i see mostly source packet from internal,i thought that is Virus  
Back to list

Comment

Advanced
B Color Image Link Quote Code Smilies
You need to log in to comment to the post Login | Register
Comment

Notice: To protect the legitimate rights and interests of you, the community, and third parties, do not release content that may bring legal risks to all parties, including but are not limited to the following:
  • Politically sensitive content
  • Content concerning pornography, gambling, and drug abuse
  • Content that may disclose or infringe upon others ' commercial secrets, intellectual properties, including trade marks, copyrights, and patents, and personal privacy
Do not share your account and password with others. All operations performed using your account will be regarded as your own actions and all consequences arising therefrom will be borne by you. For details, see " User Agreement."

My Followers

Login and enjoy all the member benefits

Login
Huawei Website Support About Huawei Privacy User Agreement Terms of Use Cookies Cookie Settings
Huawei Enterprise Huawei Carrier Forum Training & Certification

Contact Us: e_online@huawei.com Copyright © 2022 Huawei Technologies Co., Ltd. All rights reserved.

APP

Block
Are you sure to block this user?
Users on your blacklist cannot comment on your post,cannot mention you, cannot send you private messages.
Reminder
Please bind your phone number to obtain invitation bonus.