Allow me to introduce you to WUDO. WUDO is Windows Update Delivery Optimization, and not the Western Union Defence Organisation. This is a feature introduced in Windows 10 to cut down on the internet bandwidth Windows Update uses on larger networks. Rather than each client downloading independently, one client can retrieve updates from another on the network that already downloaded them. Or a rando computer on the internet. This is supposed to cut down on your bandwidth, but I suspect it was to cut down on Microsoft’s. Anyhow, the concept is solid. For people who have never heard of WSUS.
This feature can be controlled with the Delivery Options section of Windows Update or through group policy, and there are reasons why we might want to disable it. I will link them at the end. That’s really all I have to say about WUDO. I’m a Linux guy.
So, how did this feature land on the radar of a Linux guy? Bit of a story. For data privacy reasons, I am not to use my work laptop for training. I was issued a training laptop, which sits idle for long periods of time. Recently I docked it to take updates. And it did, using this WUDO feature from my son’s computer. I saw multiple ET P2P MS WUDO Peer Sync Suricata alerts. So, why is that a problem?
Well, my network is broken down into six VLANs: LAN, WIRELESS, PRODUCTION, DMZ, HONEYNET, and WORK, and traffic is securely controlled via firewall rules. When my training laptop is docked where my work laptop is normally, it is on the WORK VLAN, and thus, completely isolated from the rest of my network. So, why was a 10.0.0.0/24 IP address showing up in Security Onion? How could it?
My WORK VLAN has rules blocking traffic to the five other VLANs. On the surface this seems like enough. However, this will not block a session originating from another VLAN. For example, traffic from DMZ to LAN is blocked but not the other way around. I can ssh into my LAMP server, but I cannot ssh from LAMP to anywhere else. The rule only controls which side may initiate the session; once a session is established, the two-way traffic of that ssh session is not affected.
And to be clear, I did have rules blocking traffic to WORK from HONEYNET, DMZ, PRODUCTION, and WIRELESS. But, you will notice, not from LAN. Oops. Maybe I omitted it ‘just in case’, or maybe I simply forgot. I really don’t know. I quickly added a blocking rule as I could not think of a good reason not to.
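As an added example (not part of the original post), here is a small audit script that models the rule set described above and shows the gap: with only "to WORK" blocks from four VLANs and a "from WORK" block, LAN can still initiate a session into WORK, and the stateful reply path carries the WUDO traffic back. It assumes first-match evaluation, a default action of allow, and a stateful firewall; the VLAN names are the post's, the rule encoding is mine.

```python
"""Audit of inter-VLAN session-initiation rules, modelled after the post.

Assumptions (not from the original post): rules are evaluated first-match,
the default action is ALLOW, and the firewall is stateful, so reply traffic
for an allowed session passes regardless of the reverse-direction rules.
"""
VLANS = ["LAN", "WIRELESS", "PRODUCTION", "DMZ", "HONEYNET", "WORK"]

# (source VLAN, destination VLAN, action); "ANY" matches every VLAN.
# This is the rule set described in the post, before the fix.
RULES_BEFORE = [
    ("WORK", "ANY", "DENY"),          # WORK may not initiate to other VLANs
    ("HONEYNET", "WORK", "DENY"),
    ("DMZ", "WORK", "DENY"),
    ("PRODUCTION", "WORK", "DENY"),
    ("WIRELESS", "WORK", "DENY"),
    ("DMZ", "LAN", "DENY"),           # the ssh example in the post
]

# Same rules plus the missing LAN -> WORK block.
RULES_AFTER = RULES_BEFORE + [("LAN", "WORK", "DENY")]


def may_initiate(rules, src, dst):
    """Return True if src may open a new session to dst (first match wins)."""
    if src == dst:
        return True
    for rule_src, rule_dst, action in rules:
        if rule_src in (src, "ANY") and rule_dst in (dst, "ANY"):
            return action == "ALLOW"
    return True  # assumed default: allow


def reachable_in_either_direction(rules, a, b):
    """Stateful view: two VLANs exchange traffic if either side can initiate."""
    return may_initiate(rules, a, b) or may_initiate(rules, b, a)


def audit_isolation(rules, vlan):
    """List the VLANs that can still exchange traffic with `vlan`."""
    return sorted(v for v in VLANS
                  if v != vlan and reachable_in_either_direction(rules, v, vlan))


if __name__ == "__main__":
    for label, rules in (("before", RULES_BEFORE), ("after", RULES_AFTER)):
        print(f"{label}: WORK can talk with {audit_isolation(rules, 'WORK') or 'nobody'}")
```

Running it lists LAN as the one VLAN still able to reach WORK before the fix and nothing after it; the same audit can be re-run whenever the rule table changes.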
So, the lesson learned is that sometimes your rules are not as rock solid as you thought, and testing assumptions is a pretty good idea. Here are some articles about MS WUDO:
https://4sysops.com/archives/windows-update-delivery-optimization-wudo-in-windows-10/
https://www.groovypost.com/howto/stop-windows-10-sending-updates-other-pcs-internet-wudo/
https://kollective.com/pros-and-cons-of-windows-update-delivery-optimization/