nanog mailing list archives
Re: Unexplainable router log entries mentioning IPSEC from Yahoo IPs
From: "Dobbins, Roland" <Roland.Dobbins () netscout com>
Date: Sat, 19 Dec 2020 05:02:48 +0000
On Dec 19, 2020, at 01:19, Frank Bulk <frnkblk () iname com> wrote:

> Curious if someone can point me in the right direction.
>
> In the last three days our core router (Cisco 7609) has logged the following events:
>
> Dec 16 19:04:59.027 CST: %CRYPTO-4-RECVD_PKT_INV_SPI: decaps: rec'd IPSEC packet has invalid spi for destaddr=<redacted>, prot=50, spi=0xEF7ED795(4018067349), srcaddr=68.180.160.18, input interface=Vlan20

It should be noted that attackers will sometimes generate non-TCP/-UDP/-ICMP DDoS attack traffic which is intended to bypass ACLs, firewall rules, etc. which only take the more common protocols into account. They'll often pick ESP (protocol 50), AH (protocol 51), or GRE (protocol 47) in order to try & masquerade the attack traffic as legitimate VPN or tunneled traffic.

And the source IPs of this attack traffic are frequently spoofed, as well.

--------------------------------------------
Roland Dobbins <roland.dobbins () netscout com>
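For triaging entries like the one quoted above, the following added example (not part of the original post) parses %CRYPTO-4-RECVD_PKT_INV_SPI lines and counts events and distinct SPIs per source and protocol. The first sample line is the entry from the post; the others are constructed with documentation addresses. Reading one repeated SPI as a stale security association and many different SPIs as generated traffic is a heuristic assumed here, and since sources may be spoofed the per-source grouping is only a starting point.

```python
import re
from collections import defaultdict

# IP protocol numbers named in the post that this log message can report.
PROTO = {50: "ESP", 51: "AH"}

INV_SPI = re.compile(
    r"%CRYPTO-4-RECVD_PKT_INV_SPI: .*?destaddr=(?P<dst>[^,]+), prot=(?P<prot>\d+), "
    r"spi=(?P<spi>0x[0-9A-Fa-f]+)\((?P<spi_dec>\d+)\), "
    r"srcaddr=(?P<src>[^,]+), input interface=(?P<ifc>\S+)"
)

def parse_inv_spi(line):
    """Return the fields of one INV_SPI message, or None for any other line."""
    m = INV_SPI.search(line)
    if not m:
        return None
    spi = int(m["spi"], 16)
    if spi != int(m["spi_dec"]):  # hex and decimal forms must agree
        return None
    prot = int(m["prot"])
    return {"src": m["src"], "dst": m["dst"], "ifc": m["ifc"],
            "prot": PROTO.get(prot, str(prot)), "spi": spi}

def summarize(lines):
    """Group events by (source, protocol): event count and distinct SPI count."""
    spis = defaultdict(list)
    for line in lines:
        ev = parse_inv_spi(line)
        if ev:
            spis[(ev["src"], ev["prot"])].append(ev["spi"])
    return {k: {"events": len(v), "distinct_spis": len(set(v))}
            for k, v in spis.items()}

MSG = "%CRYPTO-4-RECVD_PKT_INV_SPI: decaps: rec'd IPSEC packet has invalid spi for "
SAMPLE = [
    # Entry quoted in the post.
    "Dec 16 19:04:59.027 CST: " + MSG + "destaddr=<redacted>, prot=50, "
    "spi=0xEF7ED795(4018067349), srcaddr=68.180.160.18, input interface=Vlan20",
    # Constructed: an unrelated message that must be ignored.
    "Dec 16 19:05:00.000 CST: %LINK-3-UPDOWN: Interface Vlan20, changed state to up",
]
# Constructed: one source repeating a single SPI, another varying it every packet.
SAMPLE += [f"Dec 16 19:06:0{i}.000 CST: {MSG}destaddr=192.0.2.1, prot=50, "
           f"spi=0x1000(4096), srcaddr=198.51.100.7, input interface=Vlan20" for i in range(3)]
SAMPLE += [f"Dec 16 19:07:0{i}.000 CST: {MSG}destaddr=192.0.2.1, prot=51, "
           f"spi={hex(10 + i)}({10 + i}), srcaddr=203.0.113.9, input interface=Vlan20" for i in range(3)]

if __name__ == "__main__":
    for key, stats in summarize(SAMPLE).items():
        print(key, stats)
```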