Random outages Wireshark showing large amount of UDP on Port 443

asked 2021-09-29 20:39:56 +0000

Travis gravatar image


We've been experiencing a lot of random outages. I ran a capture and noticed at the time there was a large amount of UDP traffic to an outside source according to wireshark, I say that because it was on port 443, which that should be TCP from my understanding.

I'm wondering if anyone could offer any feed back on whether this could be causing an outage.

Thank you.

edit retag flag offensive close merge delete


If it UDP 443, then it could be QUIC protocol. Google and Youtube use QUIC.

BigFatCat gravatar imageBigFatCat ( 2021-09-30 07:24:32 +0000 )edit

With "a large amount of UDP traffic" the first that comes to my mind is "DDoS attack". Outgoing? Part of a botnet?

André gravatar imageAndré ( 2021-09-30 14:43:24 +0000 )edit

Thank you for your comments. In answer to BigFatCat, My scan seems to recognize which are the QUIC protocol. The ones I'm curious about are just listed as UDP.

To answer André, I had thought the same thing but it's all going to the same port and 1 device. Could this still cause a denial of service even if our bandwidth hasn't been consumed?

Travis gravatar imageTravis ( 2021-09-30 19:21:54 +0000 )edit

The ones I'm curious about are just listed as UDP.

If the capture is missing the (initial) handshake then QUIC traffic will be shown as just UDP. You could try the "decode as..." feature and see if that results in a valid decode. Maybe "follow UDP stream" shows something interesting.

You have a denial of service if something is overloaded. If not the network bandwidth then maybe a CPU, (thread) pool, etc. (a webservice, firewall, ...).

André gravatar imageAndré ( 2021-09-30 20:45:17 +0000 )edit

Try to check if the public IP address is assigned to Netflix, YouTube, or a video site. It could be someone watching a movie.

BigFatCat gravatar imageBigFatCat ( 2021-10-02 00:54:21 +0000 )edit