
SANS ISC InfoSec Forums

QUIC false positives and now a challenge
Yesterday my home office logs started screaming at me: something was trying to establish outbound connections on ports 80 and 443, which doesn't seem too alarming, but this was UDP, and of course I didn't capture dropped outbound packets.

That soon changed, and I had some packets. Wireshark revealed a signature of sorts, "CHLO PAD SNI VER CCS UAID", which with the help of DuckDuckGo led me to QUIC ("Quick UDP Internet Connections"). This is a new protocol being developed with a lot of Google support, and the client code is in Chrome, which makes sense considering the Android origin of the traffic.

So supposedly benign traffic.

Now the challenge:

I would like to intelligently allow QUIC through my iptables-based firewall. Is it simply a matter of

-A INPUT -i eth0 -p udp -m state --state NEW -m multiport --dports 80,443 -j ACCEPT

or is there more to it?

Anybody else done QUIC firewalling?



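The post identifies the dropped UDP traffic by the tag names Wireshark showed in the client hello ("CHLO PAD SNI VER CCS UAID"). The following is an added example, not code from the post or from the QUIC project: a small Python detector that classifies captured UDP payloads by those tags, so that the "is this QUIC or something else?" question can be answered per packet before a firewall rule is loosened. It assumes two things about gQUIC that the post does not state: tags shorter than four bytes are NUL-padded on the wire, and the version field is four ASCII bytes of the form "Q0xx". The sample payloads and addresses are constructed for the example, not taken from a capture.

```python
import re
import struct

TAG_LEN = 4
# Tag names the post's Wireshark dissection showed for the client hello.
# Assumption: gQUIC pads tags shorter than four bytes with NUL bytes.
CHLO_TAGS = {b"CHLO", b"PAD\x00", b"SNI\x00", b"VER\x00", b"CCS\x00", b"UAID"}
# Assumption: gQUIC carries its version as four ASCII bytes such as "Q043".
VERSION_RE = re.compile(rb"Q0\d\d")


def find_tags(payload: bytes) -> set:
    """Return every known handshake tag that appears at any offset in the payload."""
    return {payload[i:i + TAG_LEN] for i in range(len(payload) - TAG_LEN + 1)
            if payload[i:i + TAG_LEN] in CHLO_TAGS}


def looks_like_quic_chlo(payload: bytes, min_tags: int = 3) -> bool:
    """Heuristic: require the CHLO tag itself (so a stray 'PAD' or 'VER' in
    unrelated data does not trip the check), plus either several of its
    sub-tags or a gQUIC-style version string."""
    tags = find_tags(payload)
    if b"CHLO" not in tags:
        return False
    return len(tags) >= min_tags or VERSION_RE.search(payload) is not None


def classify_dropped_packets(records):
    """records: iterable of (src, dst, proto, dport, payload).
    Returns (src, dst, dport, verdict) tuples; verdict is 'quic-chlo' or 'other'.
    Only UDP to 80/443 is considered, matching the ports in the post."""
    out = []
    for src, dst, proto, dport, payload in records:
        if proto == "udp" and dport in (80, 443) and looks_like_quic_chlo(payload):
            out.append((src, dst, dport, "quic-chlo"))
        else:
            out.append((src, dst, dport, "other"))
    return out


def _build_chlo_payload() -> bytes:
    """Constructed payload approximating a gQUIC client hello (not a capture).
    Header bytes are a rough approximation; the tag list follows the gQUIC
    handshake-message layout: 'CHLO', tag count, padding, (tag, end offset)
    pairs, then the concatenated values."""
    header = b"\x0d" + b"\x11" * 8 + b"Q043" + b"\x01"
    tags = [b"PAD\x00", b"SNI\x00", b"VER\x00", b"CCS\x00", b"UAID"]
    values = [b"\x00" * 16, b"example.test", b"Q043", b"\x00" * 8, b"Chrome/example"]
    body = b"CHLO" + struct.pack("<HH", len(tags), 0)
    end = 0
    for tag, val in zip(tags, values):
        end += len(val)
        body += tag + struct.pack("<I", end)
    body += b"".join(values)
    return header + body


# Constructed samples: one QUIC-like client hello, one DNS-like query,
# one payload that merely contains tag-like words.
SAMPLE_CHLO = _build_chlo_payload()
SAMPLE_DNS = (b"\x12\x34\x01\x00\x00\x01" + b"\x00" * 6
              + b"\x07example\x04test\x00\x00\x01\x00\x01")
SAMPLE_STRAY = b"PAD\x00VER\x00 text that happens to contain tag-like words"

SAMPLE_RECORDS = [
    ("192.0.2.23", "198.51.100.1", "udp", 443, SAMPLE_CHLO),
    ("192.0.2.23", "192.0.2.1", "udp", 53, SAMPLE_DNS),
    ("192.0.2.23", "203.0.113.5", "udp", 80, SAMPLE_STRAY),
]


if __name__ == "__main__":
    for row in classify_dropped_packets(SAMPLE_RECORDS):
        print(row)
```

The heuristic deliberately keys on the CHLO tag rather than on the port alone: a firewall rule that opens UDP 80/443 outright admits any UDP traffic on those ports, while a detector like this lets the dropped-packet log say which flows were actually QUIC handshakes before the rule is relaxed.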
