Security Incidents mailing list archives
Re: weird 500/udp
From: Mark van Walraven <markv () WAVE CO NZ>
Date: Thu, 31 Aug 2000 09:41:39 +1200
On Tue, Aug 29, 2000 at 07:34:04PM +0200, David Myers wrote:
> 967537034 - 08/29/2000 04:17:14 Host: monster.radiotelcom.ru/212.48.143.12 Port: 500 UDP Blocked
> 967569428 - 08/29/2000 13:17:08 Host: mail.openleren.glr.nl/195.109.196.2 Port: 500 UDP Blocked
> 967614728 - 08/30/2000 01:52:08 Host: p3E9EDB02.dip.t-dialin.net/62.158.219.2 Port: 500 UDP Blocked
>
> anyone have any ideas?
500/udp is used for negotiating IPsec connections. If you have an IPsec gateway, you usually allow this port straight to it.

Possibly someone is probing for an IPsec gateway with a configuration copied verbatim from an example in documentation.

At worst[1], they might have already set up IPsec on a compromised host inside, to evade firewalls (some block only TCP, UDP and ICMP!) and IDS - check for traffic on protocols 50 and 51.

[1] Actually, IPsec cracked would be worse ;-)

Regards,

Mark.
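
The check suggested in the reply above, as an added example that is not part of the original post: it classifies raw IPv4 packets as IKE (500/udp), ESP (protocol 50) or AH (protocol 51) and reports their direction relative to the protected network. The network `192.0.2.0/24`, the helper names and the sample packets are constructed assumptions.

```python
import ipaddress
import struct

IPSEC_PROTOS = {50: "ESP", 51: "AH"}              # IP protocol numbers named in the reply
IKE_PORT = 500                                    # UDP port used to negotiate IPsec
INTERNAL = ipaddress.ip_network("192.0.2.0/24")   # assumption: the protected network

def classify(pkt: bytes):
    """Return 'IKE', 'ESP' or 'AH' for a raw IPv4 packet, else None."""
    if len(pkt) < 20 or pkt[0] >> 4 != 4:
        return None
    ihl = (pkt[0] & 0x0F) * 4                     # header length in bytes
    if ihl < 20 or len(pkt) < ihl:
        return None
    proto = pkt[9]
    if proto in IPSEC_PROTOS:
        return IPSEC_PROTOS[proto]
    frag_offset = struct.unpack("!H", pkt[6:8])[0] & 0x1FFF
    # Only the first fragment carries the UDP header, so later ones are skipped.
    if proto == 17 and frag_offset == 0 and len(pkt) >= ihl + 4:
        sport, dport = struct.unpack("!HH", pkt[ihl:ihl + 4])
        if IKE_PORT in (sport, dport):
            return "IKE"
    return None

def ipsec_findings(packets, internal=INTERNAL):
    """List (kind, src, dst, direction) for every IKE/ESP/AH packet seen."""
    findings = []
    for pkt in packets:
        kind = classify(pkt)
        if kind:
            src, dst = (ipaddress.ip_address(pkt[i:i + 4]) for i in (12, 16))
            direction = ("outbound" if src in internal
                         else "inbound" if dst in internal else "transit")
            findings.append((kind, str(src), str(dst), direction))
    return findings

def build(src, dst, proto, payload=b""):
    """Construct a minimal IPv4 packet (checksum left at 0) for the sample."""
    ips = ipaddress.ip_address(src).packed + ipaddress.ip_address(dst).packed
    return struct.pack("!BBHHHBBH", 0x45, 0, 20 + len(payload), 0, 0, 64, proto, 0) + ips + payload

# Constructed sample traffic using documentation address ranges.
SAMPLE = [
    build("198.51.100.7", "192.0.2.1", 17, struct.pack("!HHHH", 500, 500, 8, 0)),
    build("192.0.2.44", "203.0.113.9", 50, bytes(8)),    # ESP leaving an inside host
    build("192.0.2.44", "203.0.113.9", 51, bytes(12)),   # AH leaving an inside host
    build("192.0.2.10", "203.0.113.80", 6, bytes(20)),   # ordinary TCP, ignored
]
```

Outbound ESP or AH findings from a host that is not a known IPsec gateway are the case the reply describes as worth investigating.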