Random outages Wireshark showing large amount of UDP on Port 443


Hello,

We've been experiencing a lot of random outages. I ran a capture and, at the time, noticed a large amount of UDP traffic to an outside source according to Wireshark. I say that because it was on port 443, which should be TCP, from my understanding.

I'm wondering if anyone could offer any feedback on whether this could be causing an outage.

Thank you.

Travis (asked 2021-09-29 20:39:56 +0000)

Comments

If it is UDP 443, then it could be the QUIC protocol. Google and YouTube use QUIC.

BigFatCat (2021-09-30 07:24:32 +0000)

With "a large amount of UDP traffic" the first that comes to my mind is "DDoS attack". Outgoing? Part of a botnet?

André (2021-09-30 14:43:24 +0000)

Thank you for your comments. In answer to BigFatCat, my scan seems to recognize which ones are the QUIC protocol. The ones I'm curious about are just listed as UDP.

To answer André, I had thought the same thing, but it's all going to the same port and one device. Could this still cause a denial of service even if our bandwidth hasn't been consumed?

Travis (2021-09-30 19:21:54 +0000)

"The ones I'm curious about are just listed as UDP."

If the capture is missing the (initial) handshake then QUIC traffic will be shown as just UDP. You could try the "decode as..." feature and see if that results in a valid decode. Maybe "follow UDP stream" shows something interesting.

You have a denial of service if something is overloaded. If not the network bandwidth then maybe a CPU, (thread) pool, etc. (a webservice, firewall, ...).

André (2021-09-30 20:45:17 +0000)
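To make the point in the comment above concrete (why QUIC packets captured without their handshake show up as plain UDP, and how to see which peer is actually carrying the volume), here is an added example. It is not from the original thread and it is not Wireshark's own dissector; it is a small classifier written against the RFC 9000 header layout, run over constructed UDP/443 payloads and documentation-range IP addresses (192.0.2.0/24, 198.51.100.0/24, 203.0.113.0/24) that I made up for illustration.

```python
# Added example: classify UDP/443 payloads by QUIC v1 header form (RFC 9000
# section 17) and total bytes per destination. Sample datagrams below are
# constructed for illustration; they are not the original poster's capture.
import struct
from collections import defaultdict

QUIC_V1 = 0x00000001
LONG_TYPES_V1 = {0: "quic-initial", 1: "quic-0rtt", 2: "quic-handshake", 3: "quic-retry"}


def classify_quic(payload: bytes) -> str:
    """Label one UDP payload by its QUIC v1 header form."""
    if len(payload) < 1:
        return "empty"
    first = payload[0]
    if first & 0x80:  # Header Form bit set: long header, a version field follows
        if len(payload) < 5:
            return "truncated-long-header"
        version = struct.unpack("!I", payload[1:5])[0]
        if version == 0:
            return "quic-version-negotiation"  # RFC 8999 section 6
        if version != QUIC_V1:
            return "quic-long-header-unknown-version"
        return LONG_TYPES_V1[(first & 0x30) >> 4]  # Long Packet Type bits
    if first & 0x40:  # Fixed Bit set, Header Form clear: short (1-RTT) header
        # No version field and no connection-ID length here; the DCID length is
        # only known from the handshake, so a capture that starts mid-connection
        # gives a dissector nothing to key on. This is the "just UDP" case.
        return "quic-short-header"
    return "not-quic"  # both bits clear: e.g. DTLS (content types 0x14-0x17)


def summarise(datagrams):
    """datagrams: iterable of (src_ip, dst_ip, payload).
    Returns per-destination byte totals and label counts, so the one peer
    receiving most of the UDP/443 volume stands out."""
    out = defaultdict(lambda: {"bytes": 0, "labels": defaultdict(int)})
    for _src, dst, payload in datagrams:
        out[dst]["bytes"] += len(payload)
        out[dst]["labels"][classify_quic(payload)] += 1
    return {dst: {"bytes": v["bytes"], "labels": dict(v["labels"])} for dst, v in out.items()}


# Constructed sample payloads (header bytes only are meaningful; padding is zeros)
INITIAL = b"\xc3" + struct.pack("!I", QUIC_V1) + b"\x08" + bytes(8) + b"\x00" + b"\x00" + bytes(1180)
SHORT = b"\x41" + bytes(8) + bytes(1191)            # 1-RTT packet, 8-byte DCID assumed
VERSION_NEG = b"\x80" + bytes(4) + b"\x08" + bytes(8) + b"\x00" + struct.pack("!I", QUIC_V1)
DTLS = b"\x16\xfe\xfd" + bytes(10)                   # DTLS 1.2 handshake record header

SAMPLE = [
    ("192.0.2.5", "203.0.113.10", INITIAL),
    ("192.0.2.5", "203.0.113.10", SHORT),
    ("192.0.2.5", "203.0.113.10", SHORT),
    ("192.0.2.7", "198.51.100.9", VERSION_NEG),
    ("192.0.2.7", "198.51.100.9", DTLS),
]

if __name__ == "__main__":
    for dst, info in sorted(summarise(SAMPLE).items(), key=lambda kv: -kv[1]["bytes"]):
        print(dst, info["bytes"], "bytes", info["labels"])
```

On a real capture you would feed this the UDP payloads of the flows Wireshark labels only "UDP" (for example, exported with tshark's `-T fields -e udp.payload`); a run of "quic-short-header" labels toward one destination, with no Initial or Handshake packets in the trace, is the signature of a QUIC connection whose start you missed, and the byte totals tell you whether that single peer is the one worth tracing further.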

Try to check if the public IP address is assigned to Netflix, YouTube, or a video site. It could be someone watching a movie.

BigFatCat (2021-10-02 00:54:21 +0000)