Re: Strange IPSEC traffic

[Maurice Brown <maurice () pwnship com>]

A new attack was published against SSH and the paper authors are theorizing
that the attack is possible against IPSEC due to flaws in the CPU that are
exploitable via brute force.

On Mon, Nov 13, 2023 at 9:42 AM Adrian Minta <adrian.minta () gmail com> wrote:

> On 11/13/23 19:10, Shawn L via NANOG wrote:
>
> Is anyone else seeing a lot of 'strange' IPSEC traffic?  We started seeing
> logs of IPSEC with invalid spi on Friday.  We're seeing it on pretty much
> all of our PE routers, none of which are setup to do anything VPN related.
> Most are just routing local customer traffic.
>
>
>
> decaps: rec'd IPSEC packet has invalid spi for destaddr=X.X.X.X, prot=50,
> spi=0x9D2D0000(2636972032), srcaddr=211.112.195.167, input
> interface=TenGigabitEthernet0/0/11
>
>
>
> decaps: rec'd IPSEC packet has invalid spi for destaddr=Y.Y.Y.Y, prot=50,
> spi=0x14690000(342425600), srcaddr=74.116.56.244, input
> interface=TenGigabitEthernet0/0/5
>
>
>
> The destination address is always one of our customer's ip addresses.  The
> source seems to be all over the place, mostly Russia, Korea, China or south
> east asia.  It's not really impacting anything at the moment, just rather
> annoying.
>
>
>
> Thanks
>
>
>
> Shawn
>
>
> Hi Shawn,
>
> we saw a lot of syslog messages like these and the targets are cisco
> devices, some of witch, according to the data sheets, are not even capable
> of ipsec.
>
> Cisco is punting some ESP traffic to control plane on ios and ios-xe
> devices, regardless of the configuration.
>
> Last week somebody on the internet started a campaign to scan and perhaps
> to exploit some zero day ipsec vulnerabilities.
>
>
> This is the list of ip addresses we saw: https://pastebin.com/vrLRai9Q
>
>
>
> --
> Best regards,
> Adrian Minta