Does UDP over HTTPS get checked by the Default Packet Handling - Drop UDP Flood Setting?

Panda Security Alerts are being reported as Intrusion Attempts - UDP Floods when workstations access YouTube videos. I think YouTube is using UDP over HTTPS and I’d like to determine if Default Packet Handling can check and regulate this traffic.

Best Answer

  • UDP is UDP - no matter which port.
    If there are too many UDP packets hitting a firewall interface, some will be dropped.

Answers

  • Default Packet Handling can't block this.
    Here is what would happen, from the docs:
    "For example, if you set the Drop UDP Flood Attack threshold to 1000, the device starts to drop UDP packets from an interface that receives more than 1000 UDP packets per second. The device does not drop other types of traffic or traffic received on other interfaces."

    You could add a Custom packet filter for UDP 443, set to denied From: Any-trusted to Any-external, to prevent this traffic, and force TCP 443 to be used.

    Also, you could disable QUIC in Chrome.
    Disable QUIC in Chrome Browser
    https://help.clouduss.com/ws-knowledge-base/disable-quic-in-chrome-browser

  • Thanks Bruce.

    I’d like to find out what thresholds Panda triggers at for UDP flood alerts and, if possible, how many packets Panda is seeing. I need to determine if these alerts are false positives or not.
  • I still need to find out if Default Packet Handling on the Firebox does in fact process UDP over HTTPS. If it does, threshold settings on the Firebox might come into play from what I see in the doc: 25% of packets dropped between the threshold and twice the threshold, all packets dropped if more than twice the threshold. If UDP over HTTPS isn’t processed like straight UDP is, then it wouldn’t matter what threshold you set. UDP over HTTPS is new to me. Thanks
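The per-interface counting described in the answer and the reply above, as an added example that is not part of the original thread or of WatchGuard's documentation: it models the threshold behaviour on a constructed one-second packet trace and shows that QUIC (UDP/443) is counted toward the UDP flood threshold like any other UDP traffic, while TCP/443 is not. The interface name, the trace, and the handling of exactly twice the threshold are assumptions.

```python
"""Added example, not from the original thread or WatchGuard's documentation: a
small model of the per-interface UDP flood check the thread describes, run over a
constructed packet trace. It shows why QUIC (UDP/443) counts toward the threshold
exactly like any other UDP traffic, while TCP/443 does not."""
from collections import Counter

THRESHOLD_PPS = 1000  # Drop UDP Flood Attack threshold used in the thread's example

def constructed_trace(n_quic, n_dns, n_tcp, iface="eth1", second=0):
    """Build a one-second trace of (timestamp, interface, protocol, dst_port).
    Sample data only; a real check would read a capture or interface counters."""
    total = max(1, n_quic + n_dns + n_tcp)
    pkts = [("udp", 443)] * n_quic + [("udp", 53)] * n_dns + [("tcp", 443)] * n_tcp
    return [(second + i / total, iface, proto, port) for i, (proto, port) in enumerate(pkts)]

def udp_pps_per_interface(trace):
    """Count UDP packets per (interface, whole second). The port is ignored on
    purpose: the thread's point is that the check is protocol-wide, so UDP/443 counts."""
    counts = Counter()
    for ts, iface, proto, _port in trace:
        if proto == "udp":
            counts[(iface, int(ts))] += 1
    return counts

def drop_fraction(pps, threshold=THRESHOLD_PPS):
    """Drop behaviour as described in the thread: nothing at or below the
    threshold, 25% between threshold and twice threshold, everything above that.
    Treating exactly 2x as part of the 25% band is an assumption; the thread does not say."""
    if pps <= threshold:
        return 0.0
    if pps <= 2 * threshold:
        return 0.25
    return 1.0

def evaluate(trace, threshold=THRESHOLD_PPS):
    """Return {(interface, second): (udp_pps, drop_fraction)} for each bucket."""
    return {key: (pps, drop_fraction(pps, threshold))
            for key, pps in udp_pps_per_interface(trace).items()}

if __name__ == "__main__":
    # 1500 QUIC + 200 DNS packets in one second: 1700 UDP pps, above the threshold,
    # so 25% of UDP on eth1 is dropped; the 5000 TCP packets are not counted at all.
    for key, (pps, frac) in evaluate(constructed_trace(1500, 200, 5000)).items():
        print(key, pps, frac)
```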