
YouTube Traffic Classified as ICMP

Summary

In the Real-Time Monitor, some traffic coming from Google servers (especially when the same client IP has a YouTube session open) may be incorrectly classified as ICMP traffic.

Overview

The Exinda classifies traffic based on L7 definitions. When new applications, protocols or other changes to currently existing classifications come out, new classifications must be made to deal with the update. These occur on a regular basis and are put into the Exinda firmware when an update is warranted.

QUIC (Quick UDP Internet Connections) is a new protocol created by Google to provide the same type of security as connections over TCP, but with lower latency. It was originally created in 2012, and its reach has grown since then. QUIC is implemented on all Google servers (Gmail, Google Docs, YouTube, Google Hangouts) to test and improve the protocol. QUIC support was added to Google Chrome as an experimental add-on in version 29. As a result, by default, all connections between Chrome and Google servers will use QUIC instead of standard UDP if applicable. This includes YouTube connections.

On the Exinda, YouTube traffic from clients running Chrome to YouTube servers has been seen misclassified as ICMP in the Real-Time Monitor, even though the traffic is known to be QUIC behind the scenes. This misclassification will not happen all the time (i.e., if clients are using another web browser, or the server doesn't establish a QUIC connection), but it can be visible.

Cause

In v7.0.3 update 1 and lower of the Exinda firmware, there is no built-in definition for QUIC traffic. As a result, it is classified generically as "UDP port [source] -> [destination]" traffic. Standard YouTube connections are made over TCP and are shown from the same client in the Real-Time Monitor alongside these "UDP port" classifications. On rare occasions, depending on the UDP ports used, the misclassification can show as ICMP traffic to a YouTube server in the 173.194.0.0/16 subnet.
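To confirm that an "ICMP" entry is really this misclassification, compare the application label with the IP protocol number of the same flow. The script below is an added example, not Exinda tooling: the CSV layout, field names and sample rows are constructed for illustration, and it assumes QUIC to Google uses UDP port 443.

```python
import csv
import io
import ipaddress

# Subnet named in the article for the affected YouTube servers.
GOOGLE_NET = ipaddress.ip_network("173.194.0.0/16")
IPPROTO_ICMP, IPPROTO_UDP = 1, 17
QUIC_PORT = 443  # assumption: QUIC to Google services normally uses UDP/443

# Constructed sample records in a hypothetical CSV layout (not an Exinda export).
# Client addresses come from the RFC 5737 documentation ranges.
SAMPLE_FLOWS = """\
src_ip,dst_ip,ip_proto,src_port,dst_port,app_label
192.0.2.10,173.194.40.5,17,51512,443,ICMP
192.0.2.10,173.194.40.5,6,51513,443,YouTube
192.0.2.11,173.194.12.9,1,0,0,ICMP
192.0.2.12,198.51.100.7,17,40000,53,DNS
192.0.2.13,173.194.77.1,17,49152,443,UDP port 49152 -> 443
"""

def audit_flows(text):
    """Return (row, verdict) for flows labelled ICMP whose IP protocol is not ICMP."""
    findings = []
    for row in csv.DictReader(io.StringIO(text)):
        proto = int(row["ip_proto"])
        dst = ipaddress.ip_address(row["dst_ip"])
        label = row["app_label"].strip().upper()
        if label != "ICMP" or proto == IPPROTO_ICMP:
            continue  # not an ICMP claim, or the claim matches the IP header
        if proto == IPPROTO_UDP and dst in GOOGLE_NET:
            on_quic_port = int(row["dst_port"]) == QUIC_PORT
            verdict = "likely QUIC" if on_quic_port else "UDP to Google, port unexpected"
        else:
            verdict = "ICMP label on non-ICMP flow"
        findings.append((row, verdict))
    return findings

if __name__ == "__main__":
    for row, verdict in audit_flows(SAMPLE_FLOWS):
        print(f'{row["src_ip"]}:{row["src_port"]} -> {row["dst_ip"]}:{row["dst_port"]} '
              f'proto={row["ip_proto"]} label={row["app_label"]!r}: {verdict}')
```

Genuine ICMP flows (protocol 1) and flows still shown as generic "UDP port" entries are left alone; only label and protocol mismatches are reported.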

Workaround

One possible workaround to avoid this misclassification is to disable QUIC in clients' Chrome browsers.

  • In Chrome, navigate to chrome://flags (to get to the internal flags settings of the browser)
  • Find "Experimental QUIC Protocol" under the list of items and ensure that the setting is set to "Disabled"

Resolution

In v7.4 of the Exinda Firmware, there is a classification for QUIC. This definition should correctly reclassify the ICMP traffic as QUIC traffic.

Additional Information

If the traffic is still classified as ICMP in v7.4, please contact Exinda TAC.

  1. Priyanka Bhotika
