
HELP FOR VIRUS AttackType:UDPLIMIT and AttackType="udp bandwidth-limit ,AttackType="ICMP unreachable attack

Created: Oct 28, 2020 12:30:45. Latest reply: Oct 29, 2020 09:12:33 (problem resolved)

Hi everyone, my company's network system is suffering from these 2 viruses. Do you have any solutions to help me solve this?


Featured Answers

Recommended answer

chenhui
Admin Created Oct 29, 2020 09:12:33

Hi AndyDuoc,
I checked the logs you uploaded. As you can see from the logs, the ICMP unreachable attack source is an internal IP and the destination IP is an external IP. What you should pay attention to is the total packets field: almost all the ICMP unreachable attack total packets field values are very low, which doesn't match attacking behavior (usually massive attack packets).
Instead of the ICMP unreachable attack logs, you should pay attention to the udp bandwidth-limit attack logs. As the log below shows, the firewall receives over 900 packets in a short time.
(#Oct 26 2020 11:45:58+07:00 FW-1 %ATK/4/FIREWALLATCK(l)[41]:AttackType="udp bandwidth-limit", slot=" ", cpu="0", receive interface="GE1/0/4 ", proto="UDP", ip="113.171.212.77:443->192.168.39.22:64389", begin time=2020/10/26 11:45:29, end time=2020/10/26 11:45:34, total packets="913", max speed="53705", Action="discard".)
You can refer to @DDSN's answer to configure the UDP flood attack defense.
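
The triage described in this answer (compare the total packets field across attack logs, and check which side the source address is on) can be scripted. The following is an added example, not part of the original post or Huawei's tooling: the first sample line is the log quoted above, the two ICMP lines are constructed and assume the same field layout, and the `min_packets` threshold is an illustrative assumption.

```python
import ipaddress
import re
from datetime import datetime

# Line 1 is the log quoted in the answer. Lines 2-3 are constructed samples
# that assume ICMP unreachable events use the same field layout.
SAMPLE_LOGS = [
    '#Oct 26 2020 11:45:58+07:00 FW-1 %ATK/4/FIREWALLATCK(l)[41]:AttackType="udp bandwidth-limit", slot=" ", cpu="0", receive interface="GE1/0/4 ", proto="UDP", ip="113.171.212.77:443->192.168.39.22:64389", begin time=2020/10/26 11:45:29, end time=2020/10/26 11:45:34, total packets="913", max speed="53705", Action="discard".',
    '#Oct 26 2020 11:40:02+07:00 FW-1 %ATK/4/FIREWALLATCK(l)[40]:AttackType="ICMP unreachable attack", slot=" ", cpu="0", receive interface="GE1/0/1 ", proto="ICMP", ip="192.168.39.50->203.0.113.9", begin time=2020/10/26 11:39:31, end time=2020/10/26 11:39:58, total packets="2", max speed="0", Action="discard".',
    '#Oct 26 2020 11:41:15+07:00 FW-1 %ATK/4/FIREWALLATCK(l)[40]:AttackType="ICMP unreachable attack", slot=" ", cpu="0", receive interface="GE1/0/1 ", proto="ICMP", ip="192.168.39.51->203.0.113.10", begin time=2020/10/26 11:41:10, end time=2020/10/26 11:41:10, total packets="1", max speed="0", Action="discard".',
]
RFC1918 = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]
EVENT_RE = re.compile(
    r'AttackType="(?P<type>[^"]+)".*?receive interface="(?P<iface>[^"]*)".*?'
    r'ip="(?P<src>[^"]+?)->(?P<dst>[^"]+)".*?'
    r'begin time=(?P<begin>[\d/]+ [\d:]+), end time=(?P<end>[\d/]+ [\d:]+), '
    r'total packets="(?P<pkts>\d+)"'
)
TIME_FMT = "%Y/%m/%d %H:%M:%S"

def is_internal(endpoint):
    """True if an IPv4 'addr' or 'addr:port' endpoint is in RFC 1918 space."""
    addr = ipaddress.ip_address(endpoint.split(":")[0])
    return any(addr in net for net in RFC1918)

def parse(line):
    """Return one event as a dict, or None if the line is not an attack log."""
    m = EVENT_RE.search(line)
    if m is None:
        return None
    begin = datetime.strptime(m["begin"], TIME_FMT)
    end = datetime.strptime(m["end"], TIME_FMT)
    packets = int(m["pkts"])
    return {
        "type": m["type"], "iface": m["iface"].strip(),
        "src": m["src"], "dst": m["dst"],
        "src_internal": is_internal(m["src"]),
        "packets": packets,
        # Average rate over the logged window; guard against a zero-length window.
        "pps": packets / max((end - begin).total_seconds(), 1.0),
    }

def triage(lines, min_packets=100):
    """Split events into high-volume and low-volume lists.
    min_packets is an illustrative threshold, not a vendor default."""
    events = [e for e in map(parse, lines) if e is not None]
    notable = [e for e in events if e["packets"] >= min_packets]
    low = [e for e in events if e["packets"] < min_packets]
    return notable, low
```

For the line quoted in the answer, this reports 913 packets over a 5-second window (about 183 packets per second) with an external source address and an internal destination.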

AndyDuoc Created Oct 29, 2020 13:50:16
Thank you very much!
AndyDuoc Created Oct 29, 2020 13:50:56
But do you think that is a virus?
DDSN Reply AndyDuoc Created Oct 29, 2020 14:16:14
Hi AndyDuoc,
It's probably not a virus.
AndyDuoc Reply DDSN Created Oct 30, 2020 13:55:01
So what is that? That is real DDoS, because I see mostly source packets from internal. I thought that is a virus.
All Answers
DDSN
DDSN Admin Created Oct 28, 2020 12:31:44

Hi AndyDuoc,
Please wait patiently. Our engineers are looking for answers to your questions.

DDSN
DDSN Admin Created Oct 28, 2020 12:52:30

Hi AndyDuoc, 

For the ICMP unreachable attack, you can try to run the firewall defend icmp-unreachable enable command in the system view to enable defense against ICMP unreachable packet attacks.

For the udp bandwidth-limit, you can try to configure UDP flood attack defense, please refer to https://support.huawei.com/hedex/hdx.do?docid=EDOC1100122846&id=EN-US_TASK_0178924075&lang=en

I hope it helps!



Thank you, but I think this problem is in the internal network? Are our computers infected with viruses? I have a log file but I don't know how to upload it.

Posted by AndyDuoc at 2020-10-28 13:08: Thank you, but I think this problem is in the internal network? Are our computers infected with viruses? ...
You can check whether the attack source is the port connected to the intranet. Check the session records of the firewall to determine the IP address of the attack source.
You can edit the post to upload attachments.

AndyDuoc Created Oct 28, 2020 14:19:22
Attack source is internal, destination is extranet.
I posted the log file, could you help me look at it again, please? Thanks.
