I recently installed Security Onion in my home lab, and one of the things that immediately jumped out at me was an alarming amount of traffic on TCP port 7680 between two individual hosts inside the network.
When I exported this traffic into a pcap and analysed it with Wireshark, the traffic was presented as the "Swarm Protocol".
The Swarm protocol is a distributed storage platform and content distribution service whose objective is peer-to-peer storage and serving. In this case, because these are Windows 10 computers, the protocol is being used by Windows Update Delivery Optimization (WUDO). WUDO is designed to let Windows computers share downloaded updates with other Windows computers on their local network, and even with peers out on the Internet. It relies on a service called Delivery Optimization (DoSvc), which is responsible for the delivery optimization of updates as well as the firewall exceptions required for it to work.
This feature is enabled by default on Windows 10, and on a home network it may be perfectly fine to use. In a corporate environment, however, it may be something you want to turn off. If one of the computers were compromised and someone could figure out how to modify the cached updates, they could potentially use this to distribute malicious updates, or even cause a DoS (Denial of Service) by distributing a corrupted update that makes computers blue screen or not boot at all.
So how do you disable this feature?
You can disable it on individual machines by clicking Start > Settings > Update & Security > Windows Update > Advanced Options > Delivery Optimization and changing the "Allow downloads from other PCs" toggle from On to Off.
Alternatively, if you are in an Active Directory environment, you can disable WUDO with a GPO (Group Policy Object).
Open Group Policy Management, either on a domain controller or by using RSAT on a workstation.
Create and link a new policy.
Navigate to Computer Configuration > Policies > Administrative Templates > Windows Components > Delivery Optimization > Download Mode.
Change the setting from Not Configured to Enabled.
Change Download Mode to Bypass (100).
Once you apply this GPO to your workstations, you can either open a command prompt and run gpupdate /force on each client, reboot each client, or just let each client refresh the GPO on its own schedule, which is every 90 minutes by default.
Once the GPO has been applied, WUDO will be disabled.
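As an added example (not code from the original post), the PowerShell below checks a client to confirm the policy actually landed: it reads the Download Mode value the GPO writes, reports the DoSvc service state, and looks for live connections on TCP 7680. The policy registry path and the DODownloadMode value name are assumed to be where the Download Mode administrative template stores its setting.

```powershell
# Added example: audit a Windows 10 client's Delivery Optimization state.
# Assumption: the Download Mode GPO writes DODownloadMode under this policy key.
$policyPath = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\DeliveryOptimization'
$valueName  = 'DODownloadMode'

# Meaning of the numeric modes offered by the Download Mode policy.
$modeNames = @{
    0   = 'HTTP only (no peering)'
    1   = 'LAN'
    2   = 'Group'
    3   = 'Internet'
    99  = 'Simple (no peering, no cloud service)'
    100 = 'Bypass (Delivery Optimization disabled)'
}

function Get-WudoAuditResult {
    # Read the policy value; $null means the GPO has not been applied here.
    $item = Get-ItemProperty -Path $policyPath -Name $valueName -ErrorAction SilentlyContinue
    $mode = $null
    if ($null -ne $item) { $mode = [int]$item.$valueName }

    $modeName = 'Not configured (default peering behaviour)'
    if ($null -ne $mode -and $modeNames.ContainsKey($mode)) { $modeName = $modeNames[$mode] }

    # DoSvc is the service named in the post; report whether it is running.
    $svc = Get-Service -Name 'DoSvc' -ErrorAction SilentlyContinue
    $svcStatus = 'not found'
    if ($svc) { $svcStatus = $svc.Status.ToString() }

    # Any established connection on TCP 7680 (either side) means peering is still active.
    $peers = Get-NetTCPConnection -State Established -ErrorAction SilentlyContinue |
        Where-Object { $_.LocalPort -eq 7680 -or $_.RemotePort -eq 7680 } |
        Select-Object -ExpandProperty RemoteAddress -Unique

    [pscustomobject]@{
        ComputerName     = $env:COMPUTERNAME
        PolicyConfigured = ($null -ne $mode)
        DownloadMode     = $mode
        DownloadModeName = $modeName
        DoSvcStatus      = $svcStatus
        ActivePeers7680  = @($peers).Count
        PeeringDisabled  = ($mode -eq 100)
    }
}

Get-WudoAuditResult | Format-List
```

A host that reports PeeringDisabled = True but still shows ActivePeers7680 greater than zero has most likely not restarted DoSvc since the policy refresh, so re-run the check after a reboot or gpupdate /force.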