Security Incidents mailing list archives
Re: udp port 500 scans
From: Greg Woods <woods () UCAR EDU>
Date: Thu, 21 Dec 2000 10:34:21 -0700
Wed Dec 20 12:29:02 2000 x.x.x.x/500 -> y.y.y.y/500 udp
Port 500 is used by IKE (Internet Key Exchange). This is typically used for IPSEC-based VPN software, such as Freeswan, PGPnet, and various vendors of in-a-box VPN solutions such as Cisco. (For anyone that doesn't know, VPN = Virtual Private Network, and refers to an encrypted tunnel between two hosts or sites over which IP applications can be run. SSH port forwarding is actually a form of VPN).

IKE is used to set up the session keys. The actual session is usually sent with ESP (Encapsulated Security Payload) packets, IP protocol 50 (but some in-a-box VPNs such as Cisco are capable of negotiating to send the encrypted tunnel over a UDP channel, which is useful for use across firewalls that block IP protocols other than TCP or UDP).

So as was mentioned in another message, this could be a probe looking for a VPN box, or else your user on y.y.y.y is trying to set up a VPN to remote site x.x.x.x.

--Greg
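
[Added example, not part of the original post or written by its author: a log triage sketch for the two readings given above (probe for a VPN box versus a real VPN setup), over lines in the format of the quoted log entry. The sample addresses, the fan-out threshold and the verdict labels are assumptions, as is the rule that a reply arriving back on udp/500 indicates a two-way exchange.]

```python
import re
from collections import defaultdict

IKE_PORT = 500
FANOUT_THRESHOLD = 3  # assumed cut-off for "many targets"; tune per network

# Constructed sample lines (documentation address ranges), same layout as the
# log entry quoted in the post.
SAMPLE_LOG = """\
Wed Dec 20 12:29:02 2000 192.0.2.10/500 -> 198.51.100.1/500 udp
Wed Dec 20 12:29:02 2000 192.0.2.10/500 -> 198.51.100.2/500 udp
Wed Dec 20 12:29:03 2000 192.0.2.10/500 -> 198.51.100.3/500 udp
Wed Dec 20 12:29:03 2000 192.0.2.10/500 -> 198.51.100.4/500 udp
Wed Dec 20 12:40:11 2000 198.51.100.7/500 -> 203.0.113.5/500 udp
Wed Dec 20 12:40:11 2000 203.0.113.5/500 -> 198.51.100.7/500 udp
Wed Dec 20 12:51:40 2000 192.0.2.77/1044 -> 198.51.100.9/500 udp
Wed Dec 20 12:52:00 2000 192.0.2.77/1044 -> 198.51.100.9/53 udp
"""

FLOW_RE = re.compile(r"(\d+\.\d+\.\d+\.\d+)/(\d+) -> (\d+\.\d+\.\d+\.\d+)/(\d+) (\w+)$")

def parse_flows(log_text):
    """Yield (src, sport, dst, dport) for each UDP line; skip anything else."""
    for line in log_text.splitlines():
        m = FLOW_RE.search(line.strip())
        if m and m.group(5) == "udp":
            src, sport, dst, dport, _proto = m.groups()
            yield src, int(sport), dst, int(dport)

def triage_ike(log_text, threshold=FANOUT_THRESHOLD):
    """Return {source: verdict} for every source that sent to udp/500."""
    targets = defaultdict(set)  # src -> destinations it contacted on udp/500
    for src, _sport, dst, dport in parse_flows(log_text):
        if dport == IKE_PORT:
            targets[src].add(dst)
    verdicts = {}
    for src, dsts in targets.items():
        # A destination "answered" if it also sent to this source on udp/500.
        answered = {d for d in dsts if src in targets.get(d, ())}
        if len(dsts) >= threshold:
            verdicts[src] = "probable scan"
        elif answered:
            verdicts[src] = "two-way IKE exchange"
        else:
            verdicts[src] = "unanswered, review"
    return verdicts

if __name__ == "__main__":
    for src, verdict in sorted(triage_ike(SAMPLE_LOG).items()):
        print(f"{src:15} {verdict}")
```

[A reply only counts here when it comes back to port 500, so an initiator using an ephemeral source port shows up as "unanswered, review" even if the peer responded.]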