Google & "UDP flood" action

Question

Hello

So to get straight to the point, I'm running Sophos UTM (FW Ver.: 9.203-3, Virtual) Home License and, as the thread title shows, browser-based Google products are affected by the IPS and some of its traffic are being tagged by the IPS as "UDP flood" firewall rule 60013, which is to Drop UDP_FLOOD attempts.

As a result, some Google products will be capped at 2mbps download speeds. Strangely enough, it only happens to one wired client and not any virtualised clients nor wireless clients (so this means neither the LG Smart TV running YouTube nor the Android smartphone running Google Maps experience this issue.) When this plays out:

YouTube will load videos at 2mbps, causing buffer to 1080p videos and less often to 720p videos; and
Google Maps will load its chunks of map and image data slowly

Now, I can definitely turn off UDP flood protection, but that leaves a gigantic gap on my network. It's probably not the best practice when the UTM is responsible as the gateway between the Internet and my network at home. You now understand why this is probably something I would consider to avoid. I had disabled it for a minute and it definitely increased the loading speeds to what my ISP provides, which is 30x more than what it was throttling me to. As of right now, it's enabled.

Has anyone else experienced this issue? Has anyone found a fix for this? This started happening probably around the time where the OpenSSL Heartbleed vulnerability was discovered, if not a month or two before it.

UPDATE: Alright, so here's what's getting hit by IPS so that we all have that general idea...

IP of Google is the source IP.
WAN IP is the destination.
Action is UDP Flood
Source Port: 443
Destination Port: Some random port on the 50000~60000s.

Last time I checked, 443 isn't exactly UDP for the nature of what's being transported and a corporation like Google would keep atop for any such UDP floods to prevent it from happening.

Second Update:
Please don't tell me this is too difficult. It has to be some simple explanation.

2014:07:14-16:40:20 core ulogd[4786]: id="2105" severity="info" sys="SecureNet" sub="ips" name="UDP flood detected" action="UDP flood" fwrule="60013" initf="eth1" srcmac="[Source MAC]" dstmac="[Destination MAC]" srcip="206.111.13.173" dstip="[My WAN IP]" proto="17" length="1228" tos="0x00" prec="0x00" ttl="57" srcport="443" dstport="55971"

Thanks

This thread was automatically locked due to age.

BAlfson · Answer

Great way to post an issue - you anticipated the first question and answered it already! 
 srcport="443" => Just clone that Service, change the name of the new one to, for example, "QUIC Responses," exchange the contents of Source and Destination and add the Service to your Exception. 
 Note that this new service was the one I recommended earlier in the thread. I've not seen a situation that requires an Exception for QUIC requests, but it probably doesn't hurt anything for you to leave it in place. 
 Cheers - Bob

BrentCrawford · Answer

Great research from previous posters, thanks for creating a reference for this issue. 
 I took a slightly difference approach as opening up all UDP from any source and port going to 443 and disabling all flood detection was not acceptable here. 
 I noticed all of these IPS blocks were coming from the 74.125.x.x range and host lookups verified that these were all 1e100.net hosts from Google. 
 A quick ARIN search validates that Google has been allocated the entire 74.125 class B network. 
 Therefore, I created an IPS exception that disables the IPS/Portscan and TCP/UDP/ICMP flood detection for the 74.125 range only. 
 
 (edited to include more detailed screenshot)

Moises Campos · Answer

Hello 
 I have found the solution for this, just add these google addresses as an exception to udpflood 
 
 ip4:64.18.0.0/20 
 ip4:64.233.160.0/19 
 ip4:66.102.0.0/20 
 ip4:66.249.80.0/20 
 ip4:72.14.192.0/18 
 ip4:74.125.0.0/16 
 ip4:108.177.8.0/21 
 ip4:173.194.0.0/16 
 ip4:207.126.144.0/20 
 ip4:209.85.128.0/17 
 ip4:216.58.192.0/19 
 ip4:216.239.32.0/19 
 ip6:2001:4860:4000::/36 
 ip6:2404:6800:4000::/36 
 ip6:2607:f8b0:4000::/36 
 ip6:2800:3f0:4000::/36 
 ip6:2a00:1450:4000::/36 
 ip6:2c0f:fb50:4000::/36

Regards

BAlfson · Answer

I was just trying to be specific. What I use is really much simpler: 
 
 If this doesn't resolve the issue, please post a representative line form the Intrusion Prevention log. 
 Cheers - Bob

SaschaParis · Answer

Hi Alexander 
 
 I personally recommend to disable flooding protection anyway (that's a protection feature of antic times before DDoS attacks and the capability to easily flood your whole uplinks and is today of low value and usually creates more troubles than benefit. 
 
 However - if you get flooded from Google with UDP traffic from source Port 443 to a high port of your firewall, I'd assume that's QUIC traffic. This also means it bypasses your UTM/XG's web proxy security completely. There's a "Block QUIC" option in the web proxy to block QUIC and force Google services to fallback to standard HTTPS over TCP. 
 
 While QUIC is performancewise a good thing, it's today also a insecure thing because of the completely unfiltered traffic. 
 
 Blocking QUIC most likely also solves your UDP flood problem. 
 
 /Sascha

Google & "UDP flood" action

Google’s QUIC protocol: