Security Incidents mailing list archives

Re: weird 500/udp


From: Jason Witty <jason () WITTYS COM>
Date: Wed, 30 Aug 2000 15:53:29 -0500

David,

UDP port 500 is used for the ISAKMP (now IKE) portion of IPSec (commonly
used for VPN access). See http://www.faqs.org/rfcs/rfc2408.html for more
information on ISAKMP. Most likely, these kiddies were looking for
improperly configured IPSec VPN termination boxes that they could abuse
to gain access to an internal network.  Hope it helps.

Jason

BTW - http://www.wittys.com/files/all-ip-numbers.txt lists loads of
ports and protocols (it's a compilation of findings of this list, as
well as RFCs and IANA docs).  Hope it's useful!

David Myers wrote:

967537034 - 08/29/2000 04:17:14 Host: monster.radiotelcom.ru/212.48.143.12
Port: 500 UDP Blocked
967569428 - 08/29/2000 13:17:08 Host: mail.openleren.glr.nl/195.109.196.2
Port: 500 UDP Blocked
967614728 - 08/30/2000 01:52:08
Host: p3E9EDB02.dip.t-dialin.net/62.158.219.2 Port: 500 UDP Blocked

anyone have any ideas?

thanks,
David Myers
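
For anyone triaging similar 500/udp hits where the payload was captured, the sketch below decodes the fixed 28-byte ISAKMP header from RFC 2408 (the RFC linked in the reply above) and labels the datagram. It is an added example, not part of the original thread; the function names `parse_isakmp_header` and `triage` and the sample datagram are constructed for illustration.

```python
import struct

# ISAKMP fixed header (RFC 2408, section 3.1): 28 bytes, network byte order.
# cookies (8+8), next payload, version, exchange type, flags, message ID, length
HEADER = struct.Struct("!8s8sBBBBII")
EXCHANGE_TYPES = {0: "None", 1: "Base", 2: "Identity Protection",
                  3: "Authentication Only", 4: "Aggressive", 5: "Informational"}
FLAG_BITS = {0x01: "Encryption", 0x02: "Commit", 0x04: "Authentication Only"}


def parse_isakmp_header(payload: bytes) -> dict:
    """Decode the fixed ISAKMP header from a UDP/500 payload."""
    if len(payload) < HEADER.size:
        raise ValueError(f"short payload: {len(payload)} < {HEADER.size} bytes")
    (init_cookie, resp_cookie, next_payload, version,
     exchange, flags, message_id, length) = HEADER.unpack_from(payload)
    return {
        "initiator_cookie": init_cookie.hex(),
        "responder_cookie": resp_cookie.hex(),
        "next_payload": next_payload,
        "version": (version >> 4, version & 0x0F),  # (major, minor)
        "exchange_type": EXCHANGE_TYPES.get(exchange, f"other ({exchange})"),
        "flags": [name for bit, name in FLAG_BITS.items() if flags & bit],
        "message_id": message_id,
        "length": length,
    }


def triage(payload: bytes) -> str:
    """Label a datagram seen on 500/udp for a log reviewer."""
    try:
        hdr = parse_isakmp_header(payload)
    except ValueError:
        return "not ISAKMP: shorter than the fixed header"
    if hdr["length"] != len(payload):
        return "malformed: header length does not match datagram size"
    if hdr["version"][0] != 1:  # RFC 2408 defines major version 1
        return f"unexpected major version {hdr['version'][0]}"
    # A first message has an all-zero responder cookie; phase 1 uses message ID 0.
    if int(hdr["responder_cookie"], 16) == 0 and hdr["message_id"] == 0:
        return f"new phase 1 request ({hdr['exchange_type']})"
    return f"message in an existing exchange ({hdr['exchange_type']})"


# Constructed sample: an initial request header plus 4 filler bytes (total 32).
SAMPLE = bytes.fromhex("1122334455667788" "0000000000000000" "01" "10" "02" "00"
                       "00000000" "00000020" "00000004")
```

A datagram that fails the length or size checks is more likely a generic port probe than a real negotiation attempt.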

