Fortinet Forum
diardnic
New Contributor

Please help me identify these flows

I spent some time in the FortiAnalyzer NOC view. Then I noticed some internal users have a lot of blocked outgoing UDP connections. So far nothing looks suspicious on the workstations. Whatever the case, I'd really like to understand what is going on.

So if you have any ideas.

ty


Sample

2 Solutions
andrewbailey

Hi diardnic, What are the clients, may I ask? I traced a similar issue a year or two back to Windows 10 machines. There is a setting that allows Windows 10 to pull updates via other Windows 10 machines (even outside your network). Originally the behaviour was to allow peering to any other Windows 10 machine and the results look a bit like what you are seeing: lots of connections to random consumer IP addresses. I think the behaviour has now been changed and by default it now only uses machines on the local subnet. But it is still a setting that can be changed, even by end users if not locked down. Let me know if that sounds plausible and I'll try and find a screenshot or link for you. Kind Regards, Andy.


ShawnZA

Disable the Windows setting under Delivery Optimization as per the attached screenshot


As soon as the PC is locked Windows will start doing updates (Also a setting that can be changed)


13 Replies
diardnic
New Contributor

I'm more and more concerned it could be something malicious:

- thousands of UDP connections to ISP subscriber IP ranges
- it started as soon as the user locked his Windows session, and ended when he came back
- some botnets seem to show that kind of behaviour for C&C communication

Alivo__FTNT

Hello,

I would perhaps suggest using some sort of tool that can track which program/process makes these connections.

Never tried this one but it might be helpful: Google for LiveTcpUdpWatch.

Best Regards, Alivo


ede_pfau
Esteemed Contributor III

@OP,

How come you can detect these policy violations in the first place? Do you restrict outbound traffic to 'known' services?

Usually, outbound traffic is allowed by a 'services: all' policy but I think your design is way smarter.


Ede

"Kernel panic: Aiee, killing interrupt handler!"

diardnic

Hello all,

Regarding users' internet usage, we set rules to only allow known regular traffic, so it's mostly HTTP and HTTPS. That's why random UDP connections like these stand out.

We also checked Windows Update settings. P2P updates are disabled, and it's managed through SCCM.

Since yesterday, FortiAnalyzer logs gave me several other workstations with the same behaviour. So far, Windows ATP found nothing.

I will keep you informed.

ShawnZA

This does look like Windows Update traffic over P2P, to be honest.

Perhaps all settings need to be re-checked for SCCM then, and just make sure it is off in the registry as well. An update could have enabled it in the registry but it could still show as disabled in Windows itself...

diardnic

Hi Shawn

Do you have any information about the ports involved?

The MS site says about Windows Update Delivery Optimization:

If you set up Delivery Optimization to create peer groups that include devices across NATs (or any form of internal subnet that uses gateways or firewalls between subnets), it will use Teredo. For this to work, you must allow inbound TCP/IP traffic over port 3544. Look for a "NAT traversal" setting in your firewall to set this up.

Delivery Optimization also communicates with its cloud service by using HTTP/HTTPS over port 80.

ShawnZA

When our logs started filling up with these UDP requests a few months ago (also blocked, we will obviously not allow all traffic out) it took a day to figure out it was Windows 10 causing it. I just asked the Server team to disable it via GPO and it stopped. Ports used... well, dynamic ports, thousands of them; it's P2P traffic so you can't really specify the ports...
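The pattern the thread converges on (one internal host, thousands of denied outbound UDP flows, fanning out across many ISP-range destinations and many dynamic ports, as opposed to one service hitting one external address) can be picked out of FortiGate-style traffic logs automatically. The script below is an added example written for this page, not code from the thread or from Fortinet; the log lines are constructed in the FortiGate key=value style (documentation IP ranges, made-up timestamps), the "internal" definition is assumed to be the RFC 1918 ranges, and the fan-out thresholds are arbitrary starting points to tune against your own baseline.

```python
import re
from collections import defaultdict
from ipaddress import ip_address, ip_network

# Constructed sample records in FortiGate-style key=value traffic-log format.
# Host 10.10.5.21 shows the peer-to-peer shape (many destinations, many ports);
# 10.10.5.30 repeatedly hits a single external resolver; 10.10.5.40 is internal-only.
SAMPLE_LOGS = """\
date=2019-06-12 time=18:02:11 type="traffic" subtype="forward" srcip=10.10.5.21 srcport=58231 dstip=203.0.113.44 dstport=61293 proto=17 action="deny" policyid=0 service="udp/61293"
date=2019-06-12 time=18:02:12 type="traffic" subtype="forward" srcip=10.10.5.21 srcport=58231 dstip=198.51.100.7 dstport=55120 proto=17 action="deny" policyid=0 service="udp/55120"
date=2019-06-12 time=18:02:14 type="traffic" subtype="forward" srcip=10.10.5.21 srcport=58231 dstip=203.0.113.90 dstport=49307 proto=17 action="deny" policyid=0 service="udp/49307"
date=2019-06-12 time=18:02:15 type="traffic" subtype="forward" srcip=10.10.5.21 srcport=58231 dstip=198.51.100.210 dstport=60021 proto=17 action="deny" policyid=0 service="udp/60021"
date=2019-06-12 time=18:02:17 type="traffic" subtype="forward" srcip=10.10.5.21 srcport=58231 dstip=203.0.113.131 dstport=51784 proto=17 action="deny" policyid=0 service="udp/51784"
date=2019-06-12 time=18:02:19 type="traffic" subtype="forward" srcip=10.10.5.21 srcport=58231 dstip=198.51.100.66 dstport=58002 proto=17 action="deny" policyid=0 service="udp/58002"
date=2019-06-12 time=18:02:20 type="traffic" subtype="forward" srcip=10.10.5.21 srcport=49822 dstip=203.0.113.12 dstport=443 proto=6 action="accept" policyid=3 service="HTTPS"
date=2019-06-12 time=18:03:01 type="traffic" subtype="forward" srcip=10.10.5.30 srcport=53412 dstip=203.0.113.53 dstport=53 proto=17 action="deny" policyid=0 service="DNS"
date=2019-06-12 time=18:03:05 type="traffic" subtype="forward" srcip=10.10.5.30 srcport=53413 dstip=203.0.113.53 dstport=53 proto=17 action="deny" policyid=0 service="DNS"
date=2019-06-12 time=18:03:09 type="traffic" subtype="forward" srcip=10.10.5.30 srcport=53414 dstip=203.0.113.53 dstport=53 proto=17 action="deny" policyid=0 service="DNS"
date=2019-06-12 time=18:03:30 type="traffic" subtype="forward" srcip=10.10.5.40 srcport=137 dstip=10.20.0.5 dstport=137 proto=17 action="deny" policyid=0 service="NETBIOS-NS"
"""

# Assumption: the organisation's internal space is the RFC 1918 ranges.
INTERNAL_NETS = [ip_network("10.0.0.0/8"), ip_network("172.16.0.0/12"), ip_network("192.168.0.0/16")]

# key=value pairs; values are either double-quoted (may contain spaces) or bare.
KV_RE = re.compile(r'(\w+)=(?:"([^"]*)"|(\S+))')


def parse_line(line):
    """Turn one key=value log line into a dict, handling quoted and bare values."""
    return {m.group(1): m.group(2) if m.group(2) is not None else m.group(3)
            for m in KV_RE.finditer(line)}


def is_internal(ip_text):
    """True for RFC 1918 destinations; unparsable addresses are treated as internal so they are skipped."""
    try:
        ip = ip_address(ip_text)
    except ValueError:
        return True
    return any(ip in net for net in INTERNAL_NETS)


def profile_udp_denies(lines):
    """Per source host: count denied outbound UDP flows to external destinations
    and how many distinct destination IPs and ports they spread across."""
    dsts, ports, total = defaultdict(set), defaultdict(set), defaultdict(int)
    for line in lines:
        f = parse_line(line)
        if f.get("action") != "deny" or f.get("proto") != "17":   # proto 17 = UDP
            continue
        if "srcip" not in f or "dstip" not in f or is_internal(f["dstip"]):
            continue
        src = f["srcip"]
        total[src] += 1
        dsts[src].add(f["dstip"])
        ports[src].add(f.get("dstport", "?"))
    return {src: {"denied": total[src], "unique_dst": len(dsts[src]), "unique_dport": len(ports[src])}
            for src in total}


def flag_peer_like_hosts(lines, min_unique_dst=5, min_unique_dport=5):
    """Hosts whose denied UDP fans out across many destinations AND many ports:
    the shape of peer-to-peer traffic (Delivery Optimization, or something worse),
    unlike a single misconfigured service such as an external DNS resolver."""
    return {src: stats for src, stats in profile_udp_denies(lines).items()
            if stats["unique_dst"] >= min_unique_dst and stats["unique_dport"] >= min_unique_dport}


if __name__ == "__main__":
    for src, stats in flag_peer_like_hosts(SAMPLE_LOGS.splitlines()).items():
        print(f"{src}: {stats['denied']} denied UDP flows to {stats['unique_dst']} external hosts "
              f"on {stats['unique_dport']} distinct ports")
```

Run against a FortiAnalyzer export (one record per line), the flagged hosts are the ones to check next on the endpoint side with a process-to-connection tool, as suggested earlier in the thread, so that the UDP fan-out can be tied to a specific process before deciding between a Delivery Optimization setting and something that needs an incident ticket. The thresholds only separate "many peers, many ports" from "one destination, one port"; a host that talks to one external address on one port is not ignored, it is just reported by profile_udp_denies without being flagged.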