Security Incidents mailing list archives
Re: Probes on Port 500?
From: Jason Witty <jason () WITTYS COM>
Date: Thu, 8 Mar 2001 11:03:51 -0600
Note that it's IP protocol 17 (UDP). UDP port 500 is used for ISAKMP (IKE), which is part of the IPSec VPN suite. Someone was probably probing for one of the many IPSec enabled servers which are known to have configuration vulnerabilities.

Hope this helps.

Jason

-mat- filid brandy wrote:
Slan,

since two weeks now I am getting this traffic every half an hour. It is firewalled, so it does no harm, but does anyone know about similar probes?

Security Violations
=-=-=-=-=-=-=-=-=-=
Mar 8 06:00:02 klammeraffe kernel: Packet log: input DENY eth0 PROTO=17 203.30.32.23:500 62.208.181.42:500 L=708 S=0x00 I=11327 F=0x0000 T=115 (#81)
Mar 8 06:00:03 klammeraffe kernel: Packet log: input DENY eth0 PROTO=17 203.30.32.23:500 62.208.181.42:500 L=708 S=0x00 I=11370 F=0x0000 T=115 (#81)
Mar 8 06:00:05 klammeraffe kernel: Packet log: input DENY eth0 PROTO=17 203.30.32.23:500 62.208.181.42:500 L=708 S=0x00 I=11398 F=0x0000 T=115 (#81)
Mar 8 06:00:09 klammeraffe kernel: Packet log: input DENY eth0 PROTO=17 203.30.32.23:500 62.208.181.42:500 L=708 S=0x00 I=11412 F=0x0000 T=115 (#81)
Mar 8 06:00:17 klammeraffe kernel: Packet log: input DENY eth0 PROTO=17 203.30.32.23:500 62.208.181.42:500 L=708 S=0x00 I=11479 F=0x0000 T=115 (#81)
Mar 8 06:00:33 klammeraffe kernel: Packet log: input DENY eth0 PROTO=17 203.30.32.23:500 62.208.181.42:500 L=708 S=0x00 I=11751 F=0x0000 T=115 (#81)
Mar 8 06:01:05 klammeraffe kernel: Packet log: input DENY eth0 PROTO=17 203.30.32.23:500 62.208.181.42:500 L=84 S=0x00 I=13238 F=0x0000 T=115 (#81)

Slainte agus saol agat,
-mat-

PS: When I hear a man applauded by the mob I always feel a pang of pity for him. All he has to do to be hissed is to live long enough.
-- H.L. Mencken, "Minority Report"

--
-mat- filid brandy
brandy () klammeraffe org
MB210-RIPE
http://www.klammeraffe.org/~brandy/info/
PGP PUBLIC KEY CODE NUMBER E4118785
PGP fingerprint = D8102D77AA40514A6F610671297C5AB4
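Added example, not part of either post: a small Python parser for the ipchains "Packet log" lines quoted above that groups denied UDP/500 packets by source and destination and reports the gaps between them. The function names and the year default are assumptions made for this illustration; the sample rows are rebuilt from the quoted log.

```python
import re
from collections import defaultdict
from datetime import datetime

# Sample input: the seven log lines from the post above, rebuilt from their
# time, L= (length) and I= (IP ID) fields; every other field is identical.
ROWS = [("06:00:02", 708, 11327), ("06:00:03", 708, 11370),
        ("06:00:05", 708, 11398), ("06:00:09", 708, 11412),
        ("06:00:17", 708, 11479), ("06:00:33", 708, 11751),
        ("06:01:05", 84, 13238)]
SAMPLE = "\n".join(
    f"Mar 8 {t} klammeraffe kernel: Packet log: input DENY eth0 PROTO=17 "
    f"203.30.32.23:500 62.208.181.42:500 L={n} S=0x00 I={i} F=0x0000 T=115 (#81)"
    for t, n, i in ROWS)

# ipchains "Packet log" line: chain, action, interface, IP protocol number,
# src:port, dst:port, L=length, S=TOS, I=IP ID, F=fragment field, T=TTL.
LINE = re.compile(
    r"(?P<ts>\w{3}\s+\d+\s+[\d:]{8})\s+\S+\s+kernel: Packet log: "
    r"(?P<chain>\S+) (?P<action>\S+) (?P<iface>\S+) PROTO=(?P<proto>\d+) "
    r"(?P<src>[\d.]+):(?P<sport>\d+) (?P<dst>[\d.]+):(?P<dport>\d+) "
    r"L=(?P<len>\d+) S=\S+ I=(?P<ipid>\d+) F=\S+ T=(?P<ttl>\d+)")

def parse(text, year=2001):
    """Yield one dict per packet-log line; syslog omits the year, so pass it."""
    for m in map(LINE.search, text.splitlines()):
        if m:
            rec = {k: int(v) if v.isdigit() else v for k, v in m.groupdict().items()}
            rec["time"] = datetime.strptime(f"{year} {rec['ts']}", "%Y %b %d %H:%M:%S")
            yield rec

def udp500_flows(text):
    """Summarise denied UDP/500 packets per (source, destination) pair."""
    flows = defaultdict(list)
    for r in parse(text):
        if r["action"] == "DENY" and r["proto"] == 17 and r["dport"] == 500:
            flows[(r["src"], r["dst"])].append(r)
    out = {}
    for pair, recs in flows.items():
        recs.sort(key=lambda r: r["time"])
        gaps = [int((b["time"] - a["time"]).total_seconds())
                for a, b in zip(recs, recs[1:])]
        # Gaps that double each time point to one sender retrying with
        # exponential backoff, not to a sweep across many hosts.
        backoff = len(gaps) >= 3 and all(b == 2 * a for a, b in zip(gaps, gaps[1:]))
        out[pair] = {"count": len(recs), "gaps": gaps, "backoff": backoff,
                     "lengths": sorted({r["len"] for r in recs})}
    return out
```

Calling udp500_flows(SAMPLE) returns one entry for the single source/destination pair in the quoted log, with the packet count, the gaps in seconds, and the distinct packet lengths.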