Security Incidents mailing list archives

Re: Probes on Port 500?


From: Jason Witty <jason () WITTYS COM>
Date: Thu, 8 Mar 2001 11:03:51 -0600

Note that it's IP protocol 17 (UDP).  UDP port 500 is used for ISAKMP
(IKE), which is part of the IPSec VPN suite.  Someone was probably
probing for one of the many IPSec-enabled servers which are known to
have configuration vulnerabilities.  Hope this helps.

Jason


-mat- filid brandy wrote:

Slan,

For two weeks now I have been getting this traffic every half an hour. It is
firewalled, so it does no harm, but does anyone know about similar
probes?

Security Violations
=-=-=-=-=-=-=-=-=-=
Mar  8 06:00:02 klammeraffe kernel: Packet log: input DENY eth0 PROTO=17
203.30.32.23:500 62.208.181.42:500 L=708 S=0x00 I=11327 F=0x0000 T=115 (#81)
Mar  8 06:00:03 klammeraffe kernel: Packet log: input DENY eth0 PROTO=17
203.30.32.23:500 62.208.181.42:500 L=708 S=0x00 I=11370 F=0x0000 T=115 (#81)
Mar  8 06:00:05 klammeraffe kernel: Packet log: input DENY eth0 PROTO=17
203.30.32.23:500 62.208.181.42:500 L=708 S=0x00 I=11398 F=0x0000 T=115 (#81)
Mar  8 06:00:09 klammeraffe kernel: Packet log: input DENY eth0 PROTO=17
203.30.32.23:500 62.208.181.42:500 L=708 S=0x00 I=11412 F=0x0000 T=115 (#81)
Mar  8 06:00:17 klammeraffe kernel: Packet log: input DENY eth0 PROTO=17
203.30.32.23:500 62.208.181.42:500 L=708 S=0x00 I=11479 F=0x0000 T=115 (#81)
Mar  8 06:00:33 klammeraffe kernel: Packet log: input DENY eth0 PROTO=17
203.30.32.23:500 62.208.181.42:500 L=708 S=0x00 I=11751 F=0x0000 T=115 (#81)
Mar  8 06:01:05 klammeraffe kernel: Packet log: input DENY eth0 PROTO=17
203.30.32.23:500 62.208.181.42:500 L=84 S=0x00 I=13238 F=0x0000 T=115 (#81)

Slainte agus saol agat,
        -mat-

PS:
When I hear a man applauded by the mob I always feel a pang of pity
for him.  All he has to do to be hissed is to live long enough.
                -- H.L. Mencken, "Minority Report"

--
-mat- filid brandy   brandy () klammeraffe org   MB210-RIPE
http://www.klammeraffe.org/~brandy/info/
PGP PUBLIC KEY CODE NUMBER E4118785
PGP fingerprint = D8102D77AA40514A6F610671297C5AB4
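
An added example, not part of either post: a Python sketch that parses the ipchains entries quoted above and measures the spacing between packets for each flow. On this log the gaps are 1, 2, 4, 8, 16 and 32 seconds, the doubling pattern an exponential-backoff retransmit timer produces. The function names and the one-second tolerance are assumptions, and the sample is the post's seven entries rejoined onto single lines.

```python
import re
from datetime import datetime

# Sample input: the seven ipchains entries from the post, rejoined onto single lines.
SAMPLE_LOG = """\
Mar  8 06:00:02 klammeraffe kernel: Packet log: input DENY eth0 PROTO=17 203.30.32.23:500 62.208.181.42:500 L=708 S=0x00 I=11327 F=0x0000 T=115 (#81)
Mar  8 06:00:03 klammeraffe kernel: Packet log: input DENY eth0 PROTO=17 203.30.32.23:500 62.208.181.42:500 L=708 S=0x00 I=11370 F=0x0000 T=115 (#81)
Mar  8 06:00:05 klammeraffe kernel: Packet log: input DENY eth0 PROTO=17 203.30.32.23:500 62.208.181.42:500 L=708 S=0x00 I=11398 F=0x0000 T=115 (#81)
Mar  8 06:00:09 klammeraffe kernel: Packet log: input DENY eth0 PROTO=17 203.30.32.23:500 62.208.181.42:500 L=708 S=0x00 I=11412 F=0x0000 T=115 (#81)
Mar  8 06:00:17 klammeraffe kernel: Packet log: input DENY eth0 PROTO=17 203.30.32.23:500 62.208.181.42:500 L=708 S=0x00 I=11479 F=0x0000 T=115 (#81)
Mar  8 06:00:33 klammeraffe kernel: Packet log: input DENY eth0 PROTO=17 203.30.32.23:500 62.208.181.42:500 L=708 S=0x00 I=11751 F=0x0000 T=115 (#81)
Mar  8 06:01:05 klammeraffe kernel: Packet log: input DENY eth0 PROTO=17 203.30.32.23:500 62.208.181.42:500 L=84 S=0x00 I=13238 F=0x0000 T=115 (#81)
"""

# Fields of an ipchains "Packet log" line that matter here; the rest is ignored.
LINE_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d+\s[\d:]{8})\s\S+\skernel: Packet log: \S+ (?P<action>\S+) \S+ "
    r"PROTO=(?P<proto>\d+) (?P<src>[\d.]+):(?P<sport>\d+) "
    r"(?P<dst>[\d.]+):(?P<dport>\d+) L=(?P<length>\d+)"
)

def parse(log, year=2001):
    """Return one dict per matching line. Syslog omits the year, so it is passed in."""
    events = []
    for line in log.splitlines():
        m = LINE_RE.match(line)
        if m:
            e = m.groupdict()
            e["ts"] = datetime.strptime(f"{year} {e['ts']}", "%Y %b %d %H:%M:%S")
            e["length"] = int(e["length"])
            events.append(e)
    return events

def gaps_by_flow(events):
    """Seconds between consecutive packets, keyed by (src, dst, dport)."""
    flows = {}
    for e in events:
        flows.setdefault((e["src"], e["dst"], e["dport"]), []).append(e["ts"])
    return {k: [int((b - a).total_seconds()) for a, b in zip(t, t[1:])]
            for k, t in flows.items()}

def is_backoff(gaps, tolerance=1):
    """True when there are 3+ gaps, each larger than and about double the previous."""
    return len(gaps) >= 3 and all(
        b > a and abs(b - 2 * a) <= tolerance for a, b in zip(gaps, gaps[1:]))

if __name__ == "__main__":
    for flow, gaps in gaps_by_flow(parse(SAMPLE_LOG)).items():
        print(flow, gaps, "backoff" if is_backoff(gaps) else "irregular")
```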

