IPS against Skype for Business (on prem at customer site)

Hi everyone,

we are having issues with the customer's Skype for Business (still on-prem) because of IPS.

After a while the voice stops and our users at the office (it works from home or on a data plan) cannot use VoIP anymore.

The IPS log shows the IP(s) of the customer and UDP flood.

As I do not know which customers use which IP, I cannot (and do not want to) configure all IPs (ranges do not work) in IPS exceptions. Is there an easy way (without disabling UDP flooding) to achieve good voice quality for everyone?

Or can I whitelist "Germany or some European countries" for UDP flooding?

Log entry where 213.95.x is the customers skype server

2021:11:17-14:10:56 fw3str-1 ulogd[35793]: id="2105" severity="info" sys="SecureNet" sub="ips" name="UDP flood detected" action="UDP flood" fwrule="60013" initf="eth5" srcmac="3c:13:cc:53:df:80" dstmac="00:1a:8c:f0:4e:65" srcip="213.95.x" dstip="62.96.x" proto="17" length="650" tos="0x00" prec="0x00" ttl="122" srcport="53916" dstport="20388"

BR

Stephan

  • - One thing you may be able to do is modify that 60013 rule:

    - You could also try allowing an exception which would be a more focused approach without modifying the specific rule:

    Under 'For all requests' you can specify your sources.

    Not sure that any QoS would help, as I don't mess with that too much, but you may also want to explore that option.

    Hope some of this helps.

    UTM - 9.707 | Intel i3-4150 4th Gen Processor
    16GB Memory | 500GB SATA HDD | GB Ethernet x5

  • Hallo Stephan,

    Usually, Amodin is spot on, but only his second suggestion can work.  To narrow down what you might need there, show us what result you get from the following commands:

    • zgrep '"UDP flood"' /var/log/ips/2021/11/*|grep -oP 'srcip=".*?"'|sort -n|uniq -c|sort -n
    • zgrep '"UDP flood"' /var/log/ips/2021/11/*|grep -oP 'dstip=".*?"'|sort -n|uniq -c|sort -n
    • zgrep '"UDP flood"' /var/log/ips/2021/11/*|grep -oP 'dstport=".*?"'|sort -n|uniq -c|sort -n

    Cheers - Bob

    Sophos UTM Community Moderator
    Sophos Certified Architect - UTM
    Sophos Certified Engineer - XG
    Gold Solution Partner since 2005
    MediaSoft, Inc. USA
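As an added example (not code from the thread, from Bob, or from Sophos), the following Python script does offline what Bob's zgrep/grep/sort/uniq pipelines do: it parses UTM ulogd IPS lines in the key="value" format quoted in the original post, keeps only the "UDP flood" hits, and counts them by srcip, dstip and dstport, plus a /24 roll-up of the sources so you can see whether one customer network is responsible. The field names come from the log line in the post; the sample lines and the IP addresses in them are constructed (TEST-NET ranges), and the gzip reader assumes the usual /var/log/ips/YYYY/MM/*.gz layout Bob's commands refer to.

```python
"""Aggregate 'UDP flood' hits from Sophos UTM IPS (ulogd) log lines.

Added example, not code from the forum thread or from Sophos.
Field names follow the log line quoted in the original post; the
sample lines below are constructed and use TEST-NET addresses.
"""
import gzip
import re
from collections import Counter
from ipaddress import ip_network
from pathlib import Path

# ulogd writes space-separated key="value" pairs after the syslog prefix.
KV_RE = re.compile(r'(\w+)="([^"]*)"')

# Constructed sample log (not real data): four UDP flood hits from one
# source, one from a second source in the same /24, one from a third
# network, and one SYN flood line that must be ignored.
SAMPLE_LOG = """\
2021:11:17-14:10:56 fw-1 ulogd[35793]: id="2105" severity="info" sys="SecureNet" sub="ips" name="UDP flood detected" action="UDP flood" fwrule="60013" initf="eth5" srcip="203.0.113.10" dstip="198.51.100.5" proto="17" length="650" ttl="122" srcport="53916" dstport="20388"
2021:11:17-14:10:57 fw-1 ulogd[35793]: id="2105" severity="info" sys="SecureNet" sub="ips" name="UDP flood detected" action="UDP flood" fwrule="60013" initf="eth5" srcip="203.0.113.10" dstip="198.51.100.5" proto="17" length="650" ttl="122" srcport="53916" dstport="20388"
2021:11:17-14:10:58 fw-1 ulogd[35793]: id="2105" severity="info" sys="SecureNet" sub="ips" name="UDP flood detected" action="UDP flood" fwrule="60013" initf="eth5" srcip="203.0.113.10" dstip="198.51.100.5" proto="17" length="650" ttl="122" srcport="53918" dstport="20390"
2021:11:17-14:11:02 fw-1 ulogd[35793]: id="2105" severity="info" sys="SecureNet" sub="ips" name="UDP flood detected" action="UDP flood" fwrule="60013" initf="eth5" srcip="203.0.113.77" dstip="198.51.100.5" proto="17" length="650" ttl="120" srcport="40001" dstport="50000"
2021:11:17-14:11:05 fw-1 ulogd[35793]: id="2105" severity="info" sys="SecureNet" sub="ips" name="UDP flood detected" action="UDP flood" fwrule="60013" initf="eth5" srcip="192.0.2.44" dstip="198.51.100.5" proto="17" length="650" ttl="118" srcport="60002" dstport="20388"
2021:11:17-14:11:09 fw-1 ulogd[35793]: id="2104" severity="info" sys="SecureNet" sub="ips" name="SYN flood detected" action="SYN flood" fwrule="60012" initf="eth5" srcip="192.0.2.99" dstip="198.51.100.5" proto="6" length="60" ttl="118" srcport="44444" dstport="443"
"""


def parse_fields(line):
    """Return the key="value" pairs of one ulogd line as a dict."""
    return dict(KV_RE.findall(line))


def is_udp_flood(fields):
    """True for the UDP flood entries this thread is about (proto 17 = UDP)."""
    return fields.get("action") == "UDP flood" and fields.get("proto") == "17"


def source_net24(ip):
    """Collapse an IPv4 source to its /24 so per-customer networks stand out."""
    try:
        return str(ip_network(f"{ip}/24", strict=False))
    except ValueError:
        return "unknown"


def summarize(lines):
    """Count UDP flood hits by srcip, src /24, dstip and dstport.

    Equivalent to the three zgrep|grep -oP|sort|uniq -c pipelines in the
    thread, run in one pass, with the /24 roll-up added.
    """
    counts = {
        "srcip": Counter(),
        "src_net24": Counter(),
        "dstip": Counter(),
        "dstport": Counter(),
    }
    for line in lines:
        fields = parse_fields(line)
        if not is_udp_flood(fields):
            continue
        counts["srcip"][fields["srcip"]] += 1
        counts["src_net24"][source_net24(fields["srcip"])] += 1
        counts["dstip"][fields["dstip"]] += 1
        counts["dstport"][fields["dstport"]] += 1
    return counts


def read_log_files(paths):
    """Yield lines from plain or gzip-compressed UTM log files."""
    for path in map(Path, paths):
        opener = gzip.open if path.suffix == ".gz" else open
        with opener(path, "rt", errors="replace") as fh:
            yield from fh


def format_report(counts, top=10):
    """Render the counters as text, most frequent first."""
    out = []
    for key, counter in counts.items():
        out.append(f"== {key} ==")
        for value, n in counter.most_common(top):
            out.append(f"{n:6d}  {value}")
    return "\n".join(out)


if __name__ == "__main__":
    # Offline run on the constructed sample; replace with
    # read_log_files(glob.glob("/var/log/ips/2021/11/*")) on a UTM.
    print(format_report(summarize(SAMPLE_LOG.splitlines())))
```

The /24 roll-up is only an analysis aid for reading the log; whether an exception on such a range works in the UTM IPS settings is exactly the question the thread discusses, so the script does not write any configuration.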
  • I bow to your wisdom, Bob.

    I wasn't sure of it myself, but I have used that tactic for a while in the past with oddities and usually ended up deleting that modification a few days later.


  • Yeah, rule 60013 is the fwrule ID in the Firewall log (ulogd) for dropping a packet that's part of a UDP Flooding attempt.

    The 'Manual Rule Modification' is for Snort IDs found in the Intrusion Prevention log, sid="#####".

    Cheers - Bob

  • Thanks, but this is only a solution after the fact. My colleagues are already angry.
    The only solution seems to be that I have to turn off "UDP flooding" then?

  • Stephan, I googled site:community.sophos.com/utm-firewall skype udp flood and found a post I'd made 16 months ago that should work for you: https://community.sophos.com/utm-firewall/f/network-protection-firewall-nat-qos-ips/121696/call-quality-issues-with-teams/442556#442556

    Cheers - Bob

  • Yes, for the cloud we already have it, as we are also Teams / SfB users. It is the on-premises installations (that still exist) that give me nightmares.