Security Incidents mailing list archives

Re: weird 500/udp


From: Mark van Walraven <markv () WAVE CO NZ>
Date: Thu, 31 Aug 2000 09:41:39 +1200

On Tue, Aug 29, 2000 at 07:34:04PM +0200, David Myers wrote:
967537034 - 08/29/2000 04:17:14 Host: monster.radiotelcom.ru/212.48.143.12 Port: 500 UDP Blocked
967569428 - 08/29/2000 13:17:08 Host: mail.openleren.glr.nl/195.109.196.2 Port: 500 UDP Blocked
967614728 - 08/30/2000 01:52:08 Host: p3E9EDB02.dip.t-dialin.net/62.158.219.2 Port: 500 UDP Blocked

anyone have any ideas?

500/udp is used for negotiating IPsec connections.  If you have an IPsec
gateway, you usually allow this port straight to it.

Possibly someone is probing for an IPsec gateway with a configuration
copied verbatim from an example in documentation.  At worst[1], they
might have already set up IPsec on a compromised host inside, to evade
firewalls (some block only TCP, UDP and ICMP!) and IDS - check for
traffic on protocols 50 and 51.

[1] Actually, IPsec cracked would be worse ;-)

Regards,

Mark.
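
As an added example (not code from Mark's post or from the list), a small Python check of the gap described above: a filter that only knows TCP, UDP and ICMP lets ESP (protocol 50) and AH (protocol 51) straight through, while a protocol-number check flags them alongside IKE on 500/udp. The addresses and packets are constructed for the example.

```python
import struct
from typing import Optional

# IANA IP protocol numbers relevant to the thread (constructed example).
PROTO_ICMP, PROTO_TCP, PROTO_UDP = 1, 6, 17
PROTO_ESP, PROTO_AH = 50, 51          # IPsec payload protocols
IKE_PORT = 500                        # ISAKMP/IKE negotiation over UDP

def build_ipv4(proto: int, src: str, dst: str, payload: bytes) -> bytes:
    """Build a minimal IPv4 header (no options, checksum left 0) + payload."""
    def ip2b(a: str) -> bytes:
        return bytes(int(x) for x in a.split("."))
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(payload), 0, 0,
                      64, proto, 0, ip2b(src), ip2b(dst))
    return hdr + payload

def parse_ipv4(pkt: bytes) -> dict:
    """Return protocol, addresses and (for TCP/UDP) the destination port."""
    ihl = (pkt[0] & 0x0F) * 4
    proto = pkt[9]
    src = ".".join(str(b) for b in pkt[12:16])
    dst = ".".join(str(b) for b in pkt[16:20])
    dport = None
    if proto in (PROTO_TCP, PROTO_UDP):      # both carry dst port at +2
        dport = struct.unpack("!H", pkt[ihl + 2:ihl + 4])[0]
    return {"proto": proto, "src": src, "dst": dst, "dport": dport}

def legacy_filter_blocks(pkt: bytes) -> bool:
    """A filter that only knows TCP, UDP and ICMP: anything else, including
    ESP and AH, is never matched and so passes unblocked."""
    return parse_ipv4(pkt)["proto"] in (PROTO_ICMP, PROTO_TCP, PROTO_UDP)

def ipsec_indicator(pkt: bytes) -> Optional[str]:
    """Label the traffic a defender should look for: IKE on 500/udp, ESP, AH."""
    p = parse_ipv4(pkt)
    if p["proto"] == PROTO_UDP and p["dport"] == IKE_PORT:
        return "IKE"
    if p["proto"] == PROTO_ESP:
        return "ESP (proto 50)"
    if p["proto"] == PROTO_AH:
        return "AH (proto 51)"
    return None

# Constructed sample packets (RFC 5737 documentation addresses).
SAMPLE_IKE = build_ipv4(PROTO_UDP, "192.0.2.10", "198.51.100.1",
                        struct.pack("!HHHH", 500, 500, 8, 0))   # UDP header
SAMPLE_ESP = build_ipv4(PROTO_ESP, "192.0.2.10", "198.51.100.1",
                        struct.pack("!II", 0x1234, 1))          # SPI, seq
SAMPLE_AH = build_ipv4(PROTO_AH, "192.0.2.10", "198.51.100.1", b"\x00" * 12)
SAMPLE_HTTP = build_ipv4(PROTO_TCP, "192.0.2.10", "198.51.100.1",
                         struct.pack("!HH", 40000, 80) + b"\x00" * 16)
```

Run over a capture of outbound traffic, any packet where `legacy_filter_blocks` is false but `ipsec_indicator` is not `None` is exactly the protocol 50/51 traffic the post says to check for.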
