Operator On The Wire
← Back to Knowledge Base
BLUE TEAM / SOC / FILTERING / ATTACKS / TRANSPORT LAYER / UDP

UDP Tunneling

Attacker uses connectionless UDP to transmit data chunks and avoid traditional TCP monitoring


Hunting

Statistics → Conversations → UDP
Statistics → Endpoints → IPv4
Statistics → Protocol Hierarchy
Statistics → IO Graph


Red Flags

  • High volume UDP between two internal hosts
  • Repetitive fixed-size UDP packets
  • UDP to uncommon high ports
  • Human-readable / encoded payload in UDP stream
  • Regular timing intervals (beacon-like)
  • No corresponding legitimate protocol (DNS/DHCP/SNMP/etc.)

Filters

# All UDP traffic
udp

# UDP between two hosts
udp && ip.addr == <suspect_ip>

# High port UDP
udp && udp.port > 1024

# Suspicious specific port
udp.port == 9999

# Large UDP packets (exfil chunks)
udp.length > 200

# UDP not DNS
udp && !dns