Security Incidents mailing list archives

Re: Probes on Port 500?


From: Jose Nazario <jose () BIOCSERVER BIOC CWRU EDU>
Date: Thu, 8 Mar 2001 12:17:06 -0500

On Thu, 8 Mar 2001, -mat- filid brandy wrote:

Mar  8 06:00:02 klammeraffe kernel: Packet log: input DENY eth0 PROTO=17
203.30.32.23:500 62.208.181.42:500 L=708 S=0x00 I=11327 F=0x0000 T=115 (#81)


proto 17 (UDP), port 500:

isakmp          500/udp                      # ISAKMP key management

most likely options:

a) innocuous
   misconfigured IPsec gateway/node, either a typo or a really poor
   implementation
b) somewhat scanning
   looking for IPsec gateways to abuse. OpenBSD recently had a problem
   in the kernel with IPsec stuff:
   http://www.openbsd.org/errata.html#ipsec_ah

Hope this helps. People have seen 500/UDP packets before; I don't recall
what the conclusion was (i.e. malicious or a screwup on someone's part).

____________________________
jose nazario                                                 jose () cwru edu
                     PGP: 89 B0 81 DA 5B FD 7E 00  99 C3 B2 CD 48 A0 07 80
                                       PGP key ID 0xFD37F4E5 (pgp.mit.edu)
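An added example, not part of the original thread or of Jose's reply, that does the triage above mechanically: it parses ipchains "Packet log:" lines of the shape quoted in the thread, keeps only UDP/500 (ISAKMP) records, and groups them by source so that a one-off packet, a peer retrying against a single address (option a, a misconfigured IPsec node), and a source sweeping many addresses (option b, looking for gateways) end up in different buckets. Only the first sample line is the one from the post; the other log lines, the RFC 5737 addresses in them, and the three-destination scan threshold are constructed for illustration.

```python
import re
from collections import defaultdict

# ipchains "Packet log:" record layout, as it appears in the thread:
#   Packet log: <chain> <action> <iface> PROTO=<n> <src>:<sport> <dst>:<dport>
#   L=<len> S=0x<tos> I=<ipid> F=0x<frag> T=<ttl> (#<rule>)
PACKET_LOG_RE = re.compile(
    r"Packet log: (?P<chain>\S+) (?P<action>\S+) (?P<iface>\S+) "
    r"PROTO=(?P<proto>\d+) "
    r"(?P<src>[\d.]+):(?P<sport>\d+) (?P<dst>[\d.]+):(?P<dport>\d+) "
    r"L=(?P<length>\d+) S=0x(?P<tos>[0-9a-fA-F]+) I=(?P<ipid>\d+) "
    r"F=0x(?P<frag>[0-9a-fA-F]+) T=(?P<ttl>\d+)(?: \(#(?P<rule>\d+)\))?"
)

PROTO_UDP = 17
ISAKMP_PORT = 500  # isakmp 500/udp, per /etc/services


def parse_line(line):
    """Return the fields of one ipchains log line as a dict, or None if the
    line is not a Packet log record (syslog prefix is ignored)."""
    m = PACKET_LOG_RE.search(line)
    if not m:
        return None
    rec = m.groupdict()
    for key in ("proto", "sport", "dport", "length", "ipid", "ttl"):
        rec[key] = int(rec[key])
    rec["rule"] = int(rec["rule"]) if rec["rule"] is not None else None
    return rec


def is_isakmp(rec):
    """UDP with port 500 on either side: ISAKMP/IKE key management."""
    return rec["proto"] == PROTO_UDP and ISAKMP_PORT in (rec["sport"], rec["dport"])


def classify(lines, scan_threshold=3):
    """Group denied UDP/500 packets by source address.

    A source that touches several distinct destinations looks like a scan for
    IPsec gateways; one src/dst pair hit repeatedly looks like a misconfigured
    peer retrying; a lone packet cannot be called either way.  The threshold is
    an assumption chosen for this example, not a documented value.
    """
    by_src = defaultdict(lambda: {"packets": 0, "dsts": set()})
    for line in lines:
        rec = parse_line(line)
        if rec is None or not is_isakmp(rec):
            continue
        entry = by_src[rec["src"]]
        entry["packets"] += 1
        entry["dsts"].add(rec["dst"])

    verdicts = {}
    for src, entry in by_src.items():
        if len(entry["dsts"]) >= scan_threshold:
            verdict = "scan"
        elif entry["packets"] > 1:
            verdict = "retrying-peer"
        else:
            verdict = "single-packet"
        verdicts[src] = {
            "verdict": verdict,
            "packets": entry["packets"],
            "distinct_dsts": len(entry["dsts"]),
        }
    return verdicts


# First line is the one quoted in the thread; the rest are constructed with
# RFC 5737 documentation addresses to exercise each verdict.
SAMPLE_LOG = [
    "Mar  8 06:00:02 klammeraffe kernel: Packet log: input DENY eth0 PROTO=17 "
    "203.30.32.23:500 62.208.181.42:500 L=708 S=0x00 I=11327 F=0x0000 T=115 (#81)",
    # constructed: same peer retrying against one address
    "Mar  8 06:01:10 host kernel: Packet log: input DENY eth0 PROTO=17 "
    "198.51.100.7:500 192.0.2.10:500 L=708 S=0x00 I=20001 F=0x0000 T=60 (#81)",
    "Mar  8 06:01:20 host kernel: Packet log: input DENY eth0 PROTO=17 "
    "198.51.100.7:500 192.0.2.10:500 L=708 S=0x00 I=20002 F=0x0000 T=60 (#81)",
    "Mar  8 06:01:40 host kernel: Packet log: input DENY eth0 PROTO=17 "
    "198.51.100.7:500 192.0.2.10:500 L=708 S=0x00 I=20003 F=0x0000 T=60 (#81)",
    # constructed: one source sweeping several addresses
    "Mar  8 06:02:00 host kernel: Packet log: input DENY eth0 PROTO=17 "
    "203.0.113.9:500 192.0.2.10:500 L=120 S=0x00 I=30001 F=0x0000 T=48 (#81)",
    "Mar  8 06:02:01 host kernel: Packet log: input DENY eth0 PROTO=17 "
    "203.0.113.9:500 192.0.2.11:500 L=120 S=0x00 I=30002 F=0x0000 T=48 (#81)",
    "Mar  8 06:02:02 host kernel: Packet log: input DENY eth0 PROTO=17 "
    "203.0.113.9:500 192.0.2.12:500 L=120 S=0x00 I=30003 F=0x0000 T=48 (#81)",
    # constructed: unrelated TCP/80 deny, must be ignored
    "Mar  8 06:03:00 host kernel: Packet log: input DENY eth0 PROTO=6 "
    "192.0.2.50:4321 192.0.2.10:80 L=60 S=0x00 I=40001 F=0x4000 T=64 (#12)",
]

if __name__ == "__main__":
    for src, info in sorted(classify(SAMPLE_LOG).items()):
        print(f"{src:16} {info['verdict']:14} packets={info['packets']} dsts={info['distinct_dsts']}")
```

Run against a real ipchains syslog, feed the file's lines to `classify()`; the single packet from the thread stays "single-packet", which is exactly why the original question could not be settled from one log entry.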

