Multicast stream -> blocked DDoS attack

When I try to watch a multicast stream, the network monitor blocks it with a DDoS attack (UDP flood).
How can I avoid this?


It would be nice if you could attach a screenshot of the network monitor rules.
Some info about your connection and if you are using a router.

Hi and welcome to the forum. For a quick reference though, go into advanced, advanced attack and detection, you can set the UDP flood protection packet size. :wink:


Are you sure the stream isn’t too high for your connection? What’s your speed and what is the speed of the multicast? If you have say 5mbps and the stream is 10mbps, you will get flooded. If they use an ASM system, they are far more prone to DoS attacks. SSM isn’t since it’s a specific send and accommodates the targeted destination. There is much more to it of course but also many do use UDP streaming. You also have to make sure you have the correct plugins for certain viewers to handle it. If you pay for multicast you should be a custom receiver but if you are watching from a free source somewhere, the stream may not be compatible. Also there are DoS attacks that more and more seem to target Multicast (with obvious reason). Have you tried to set your UDP to allow a range? If you are behind a router or have NAT, there are some configurations as well. Can you post what you use to view, speed, if routered, OS?


Thanks for the welcome,
sorry for the insufficient information.
When I turn off the network monitor I can watch the stream without any problem.
(stream is 7Mb, net is 100Mb, stream is from LAN. )

I use VLC or VBrickStreamPlayer Plus for watching.

VLC is a trusted application.
IP in/out source any, dest any is allowed.
ICMP in/out any, any allowed

If you are in a LAN you have to make a trusted zone. If you have CPF you have to do it on all computers. If you already have a zone, and just forgot to tell, we have to figure something else out. You have an ICMP rule for allowing all, so I suggest that you make an IGMP rule to allow all.
Network rules to add. Move them up in the list, but not above the first two rules.

Allow IP
IN or out
S. IP - Any
D. IP - Any
IP Det. - IGMP

Allow ICMP
S. IP - Any
D. IP - Any
ICMP Det. - Any

Allow ICMP
S. IP - Any
D. IP - Any
ICMP Det. - Echo reply

Allow ICMP
S. IP - Any
D. IP - Any
ICMP Det. - Echo request

Just try if they work. If not, post again… :wink:

Same problem - watching TV programs from multicast streams - DoS attack blocks this.

Doesn’t work for me - even if I set 1000 packets per second and the fw doesn’t log any DoS attack, the multicast stream doesn’t work.

Doesn’t work for me either :frowning:
It’s very hard, maybe impossible, to make a trusted zone for multicast …
and I don’t think this will be a secure solution - allowing inbound ICMP echo requests for the whole network …

Comodo seems to be a good fw solution for me and I am sad I can’t manage this :frowning:

What about UDP in any?


If you are behind a router I don’t think it will be insecure, because the router stealths you from the internet. This was also a test just to see if it works. Make “loose” rules, then tighten them up.
In my router I had to turn on IGMP manually to get it to work. Sometimes it works anyway, so check if it’s enabled.
The latest VLC (8.5) caused me a lot of problems (not with streaming), not sure why yet, but I uninstalled it and will try the next version.
Have you tried to add a trusted network just for your stream?
Sorry that I couldn’t help you, but maybe someone else has solved this problem, or knows how to…

Did you start using the multicast before or after CPF installed?


Just to be sure I went to Pcflank and took a couple of tests.
Stealthtest and advanced portscanner. I was perfectly stealthed in both tests with the rules in previous posts, and a second trusted network for stream. I had the router in DMZ.
Looks like the image.

This is not true - being behind a router will add no additional security at all - maybe if you mean behind a NAT …
I am a network administrator on campus and we are routing seven C class public IP networks and in fact I need fw protection for this “LAN” :slight_smile:

No, in my case it is not easy to do - there are many multicast streams, not all with a static address - SAP protocol.

No problem - I am just in the “testing new firewalls - old making me crazy” phase :wink:

Don’t know if you ask me.
If so, I started using multicasts before CPF (if it helps, I was using Kerio FW - doesn’t satisfy me in this form …, in Kerio for multicasts to work I just need to permit the same IGMP and ICMP settings - think so).

Hi, all I can suggest at this point is either make sure all instances of Kerio are absolutely gone. If you choose to, you can opt to send a support ticket here…,2516.msg19440.html#msg19440

They may better be able to resolve this for you. :wink:
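
An added example, not written by any poster in this thread and not Comodo's code: a generic per-second, per-source UDP counter used to check whether a steady stream like the 7Mb one mentioned above would cross a given packets-per-second flood threshold, and what exempting the multicast range changes. The counting model, the 1316-byte payload size, and all addresses are assumptions; the packet lists are constructed.

```python
import ipaddress
from collections import defaultdict

MULTICAST = ipaddress.ip_network("224.0.0.0/4")  # IPv4 multicast range

def expected_pps(bitrate_bps, payload_bytes=1316):
    """Packets per second of a constant-bitrate UDP stream.
    1316 bytes = 7 MPEG-TS packets of 188 bytes (assumed, not from the thread)."""
    return bitrate_bps / (payload_bytes * 8)

def constructed_stream(bitrate_bps, seconds, src="192.0.2.10", dst="239.1.1.1"):
    """Build evenly spaced (timestamp, src, dst) UDP records; constructed data."""
    pps = round(expected_pps(bitrate_bps))
    return [(s + i / pps, src, dst) for s in range(seconds) for i in range(pps)]

def flood_alerts(packets, threshold_pps, exempt_multicast=False):
    """Count UDP datagrams per (second, source) and return the buckets that
    exceed threshold_pps. Assumed detector model, not CPF's actual logic."""
    counts = defaultdict(int)
    for ts, src, dst in packets:
        if exempt_multicast and ipaddress.ip_address(dst) in MULTICAST:
            continue  # traffic to a multicast group is not counted
        counts[(int(ts), src)] += 1
    return sorted(key for key, n in counts.items() if n > threshold_pps)

if __name__ == "__main__":
    stream = constructed_stream(7_000_000, 3)  # 7 Mb/s for 3 seconds
    print("expected pps:", round(expected_pps(7_000_000)))
    for threshold in (500, 1000):
        hits = flood_alerts(stream, threshold)
        print(f"threshold {threshold}: {len(hits)} alert(s)")
    # A unicast burst from another host is still caught with the exemption on.
    burst = constructed_stream(21_056_000, 1, src="198.51.100.7", dst="192.0.2.20")
    print(flood_alerts(stream + burst, 1000, exempt_multicast=True))
```

Under these assumptions the stream runs at about 665 packets per second, so a 1000 packets-per-second threshold would not be crossed by rate alone.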