Ourmon to detect UDP Flood

Saturday, March 15th, 2008

Using graphs to detect anomalies is one of Ourmon's great features, and this incident is an example of why.

If you have been following this blog, you will have noticed that I now have two posts (including this one) about a strange traffic spike in the nighttime; it also shows that nighttime, when everyone is sleeping, is a good time to attack.
So there was a UDP flood attack on my network last night. By checking the Ourmon graphs and reports, I could identify the attack almost immediately without running any other tools.

This is how I identified the UDP flood attack: normally my network does not generate high UDP traffic, so a UDP spike stands out immediately.

UDP Flood Graph

Do you notice the TCP traffic spike from 2100 to 2200, marked in pink? I used the same method I mentioned previously to check the traffic spike with Argus. It was an inter-network file transfer running at a load of 19,001,224 bits/sec.

Notice the high number of ICMP unreachable messages? A host that receives UDP packets on closed ports answers each one with an ICMP port unreachable, so this counter climbs along with the flood.

UDP Flood ICMP Unreachable Graph

From the UDP Top report, I could see when the attack started, which IP launched it, and when it stopped.

UDP Top Report

From the UDP summarization Top Source IP report:

UDP Top Source IP Report

It is nice that we have not seen any large UDP traffic coming into our network since these IPs were blocked at the firewall.
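The detection logic the Ourmon graphs and reports make visible above (UDP bits/sec rising far above the network's normal level, ICMP unreachable counts rising with it, a Top Source IP report naming the sender, and a TCP-only spike staying unflagged) can be reproduced over flow records. The script below is an added example and is not Ourmon's own code; the flow records, the one-minute bins, the 10x-baseline factor and the minimum ICMP unreachable count are constructed assumptions chosen for illustration.

```python
from collections import Counter, defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class Flow:
    """One flow record (constructed format, not Ourmon's)."""
    ts: int            # seconds since epoch
    proto: str         # "udp", "tcp" or "icmp"
    src: str
    dst: str
    dport: int
    byte_count: int
    icmp_type: int = -1  # ICMP type 3 = destination unreachable (port unreachable is code 3)


BIN_SECONDS = 60          # aggregate into one-minute bins like a traffic graph
SAMPLE_BASE = 1_200_000_000  # arbitrary constructed epoch start for the sample data


def bin_start(ts, bin_seconds=BIN_SECONDS):
    return ts - ts % bin_seconds


def bin_udp_bps(flows, bin_seconds=BIN_SECONDS):
    """Map each bin start to its UDP load in bits/sec (the UDP graph)."""
    bits = defaultdict(int)
    for f in flows:
        if f.proto == "udp":
            bits[bin_start(f.ts, bin_seconds)] += f.byte_count * 8
    return {b: v / bin_seconds for b, v in bits.items()}


def bin_icmp_unreachable(flows, bin_seconds=BIN_SECONDS):
    """Map each bin start to its count of ICMP unreachable messages."""
    counts = Counter()
    for f in flows:
        if f.proto == "icmp" and f.icmp_type == 3:
            counts[bin_start(f.ts, bin_seconds)] += 1
    return dict(counts)


def flag_udp_flood(flows, baseline_bps, factor=10.0, min_unreachable=50,
                   bin_seconds=BIN_SECONDS):
    """Bins whose UDP load exceeds factor x baseline AND show many ICMP unreachables.

    Requiring both signals keeps a legitimate burst of UDP (a backup over
    UDP, say) from being flagged unless closed ports are also being hit.
    """
    bps = bin_udp_bps(flows, bin_seconds)
    unreach = bin_icmp_unreachable(flows, bin_seconds)
    return sorted(b for b, v in bps.items()
                  if v > factor * baseline_bps and unreach.get(b, 0) >= min_unreachable)


def udp_top_sources(flows, bins, n=3, bin_seconds=BIN_SECONDS):
    """UDP Top Source IP report restricted to the flagged bins: (src, bytes)."""
    wanted = set(bins)
    totals = Counter()
    for f in flows:
        if f.proto == "udp" and bin_start(f.ts, bin_seconds) in wanted:
            totals[f.src] += f.byte_count
    return totals.most_common(n)


def build_sample_flows():
    """Constructed sample: a quiet minute, a flood minute, then a TCP-only transfer."""
    flows = []
    # Minute 0: ordinary DNS queries, 20 x 120 bytes -> 320 bits/sec of UDP.
    for i in range(20):
        flows.append(Flow(SAMPLE_BASE + i * 3, "udp", "10.0.0.5", "10.0.0.53", 53, 120))
    # Minute 1: one external source sprays high ports on 10.0.0.9, which answers
    # every second packet with ICMP port unreachable; a second source adds a little.
    flood = SAMPLE_BASE + 60
    for i in range(600):
        flows.append(Flow(flood + i % 60, "udp", "198.51.100.77", "10.0.0.9", 1024 + i, 1400))
        if i % 2 == 0:
            flows.append(Flow(flood + i % 60, "icmp", "10.0.0.9", "198.51.100.77", 0, 56, icmp_type=3))
    for i in range(50):
        flows.append(Flow(flood + i % 60, "udp", "203.0.113.4", "10.0.0.9", 40000 + i, 1400))
    # Minute 2: a large TCP file transfer with no UDP, which must not be flagged.
    for i in range(10):
        flows.append(Flow(SAMPLE_BASE + 120 + i * 6, "tcp", "10.0.0.7", "10.0.1.20", 22, 2_000_000))
    return flows


def report(flows, quiet_bin):
    """Baseline from a known-quiet bin, then flagged bins and their top UDP senders."""
    baseline = bin_udp_bps(flows).get(quiet_bin, 0.0)
    flagged = flag_udp_flood(flows, baseline)
    return {"baseline_bps": baseline, "flagged_bins": flagged,
            "top_sources": udp_top_sources(flows, flagged)}


if __name__ == "__main__":
    print(report(build_sample_flows(), SAMPLE_BASE))
```

The baseline comes from a period you already know to be quiet, which matches the post's observation that the network normally carries little UDP; on a busier network you would take it from a rolling window instead, and the pairing of UDP load with ICMP unreachables is what separates a flood at closed ports from a legitimate UDP-heavy transfer.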