Security Basics mailing list archives
Very Strange Incident
From: "Alan Greig" <Alan.Greig () Ogilvie co uk>
Date: Mon, 22 Mar 2004 08:23:38 -0000
Hi Folks,

We have a small satellite office located in a managed office space and as such use the building's shared leased line. Last week the S2S VPN between this office and our head office went down, with our HQ firewall displaying the following error message.

VPN packet dropped (100R->Vraptor: Protocol=IPSEC-ESP spi=0x4ac80658): The packet is either too old or has been received before (potential replay attack?) (tunnel 6.isakmp.104@100r <VPN-100r>)

I performed a traceroute from our head office which completed fine, yet when I performed a traceroute from other Internet connections the responding device was another unit on the same subnet as our firewall.

The managed office has a Cisco 2600 router behind which there is a small subnet for the firewalls belonging to residents. All firewalls have a world routable address so the Cisco isn't doing anything clever.

What's concerning me is that the managed office space IT guy is being very cagey about the whole incident. He will only tell me that another IT company installed a device into the subnet but won't tell me who they were, what it was or its purpose. As the Cisco was the last hop before the subnet I can't think why traceroutes would be redirected to this new device, especially as only the ISP has access to the router to make config changes.

Can anyone think of any reason that would allow for such strange activity? Other sources have suggested some form of network monitor.

Any help much appreciated.

Alan