Hello and welcome to the Thursday, October 5th, 2020,

edition of the San San Antonio Storm Saunders Stormgast. My name is Johannes Ulrich, and then I'm recording from Jacksonville, Florida.

Another quick blog post today about what's normal. This time I looked at the payload being transmitted in TCP and UDP sessions.

Average UDP session, of course, had less payload than your average TCP session. That's not

terribly surprising given that UDP is often used for protocols like DNS and these little information

exchanges. What was initially a little bit surprising is that we had a large number of TCP connections

with very little data, actually only 44 bytes total.

Now, this included all the headers, and these are essentially your incomplete connections,

your port scans, where you

have just IP and TCP header, and then often just one TCP option like the maximum segment

size.

Again, why is this important?

Well, it's important because that's what you should look at if you don't expect a compromise at first.

And then you look at the anomalies.

Like here, I looked at the two connections that transmit most data.

There was one UDP and one TCP connection with hundreds of megabytes each.

Well, it turned out the TCP connection was my cloud backup

and the UDP connection VPN connection.

And if you know these things ahead of time,

then of course once you have an incident,

it's easier to eliminate sort of these anomalies

as something that's, well, not an anomaly,

...