Security Incidents mailing list archives
Re: Probes on Port 500?
From: Suzanne.Hernandez () GUNTER AF MIL
Date: Thu, 8 Mar 2001 11:23:27 -0600
Windows 2000 machines set up with "Server (request security)" for the Local Security Policy will always attempt to set up a security association (via UDP port 500) and then an IPsec tunnel before sending packets in the clear. We have even seen this to routers, i.e. a Windows 2000 workstation will do a simple ping to a router. The router first sees a UDP/500 packet as this workstation wants to communicate securely. Then, following that, the router will see the ICMP packet. Contact the owner of the machine and ask him to set up his Local Security Policy as "Client (Respond Only)". This way, if users attempt to set up security associations with that workstation, he will have the ability to respond securely, but packets he initiates will be in the clear and you won't see his traffic anymore.

> Slan,
>
> for two weeks now I am getting this traffic every half an hour. It is firewalled, so it does no harm, but does anyone know about similar probes?
>
> Security Violations
> =-=-=-=-=-=-=-=-=-=
> Mar 8 06:00:02 klammeraffe kernel: Packet log: input DENY eth0 PROTO=17 203.30.32.23:500 62.208.181.42:500 L=708 S=0x00 I=11327 F=0x0000 T=115 (#81)
> Mar 8 06:00:03 klammeraffe kernel: Packet log: input DENY eth0 PROTO=17 203.30.32.23:500 62.208.181.42:500 L=708 S=0x00 I=11370 F=0x0000 T=115 (#81)
> Mar 8 06:00:05 klammeraffe kernel: Packet log: input DENY eth0 PROTO=17 203.30.32.23:500 62.208.181.42:500 L=708 S=0x00 I=11398 F=0x0000 T=115 (#81)
> Mar 8 06:00:09 klammeraffe kernel: Packet log: input DENY eth0 PROTO=17 203.30.32.23:500 62.208.181.42:500 L=708 S=0x00 I=11412 F=0x0000 T=115 (#81)
> Mar 8 06:00:17 klammeraffe kernel: Packet log: input DENY eth0 PROTO=17 203.30.32.23:500 62.208.181.42:500 L=708 S=0x00 I=11479 F=0x0000 T=115 (#81)
> Mar 8 06:00:33 klammeraffe kernel: Packet log: input DENY eth0 PROTO=17 203.30.32.23:500 62.208.181.42:500 L=708 S=0x00 I=11751 F=0x0000 T=115 (#81)
> Mar 8 06:01:05 klammeraffe kernel: Packet log: input DENY eth0 PROTO=17 203.30.32.23:500 62.208.181.42:500 L=84 S=0x00 I=13238 F=0x0000 T=115 (#81)
>
> Slainte agus saol agat,
> -mat-
>
> PS: When I hear a man applauded by the mob I always feel a pang of pity for him. All he has to do to be hissed is to live long enough.
> -- H.L. Mencken, "Minority Report"
>
> --
> -mat- filid brandy brandy () klammeraffe org MB210-RIPE
> http://www.klammeraffe.org/~brandy/info/
> PGP PUBLIC KEY CODE NUMBER E4118785
> PGP fingerprint = D8102D77AA40514A6F610671297C5AB4
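The quoted ipchains lines are the classic signature of an IKE initiator that gets no answer: one UDP/500 datagram, then retransmissions whose spacing doubles (1, 2, 4, 8, 16, 32 seconds). The following script is an added example, not code from the thread or from either poster: it parses the "Packet log:" format exactly as shown above (the sample lines are the seven quoted ones, re-embedded here), groups UDP/500 packets per source/destination pair, and flags flows whose inter-arrival gaps roughly double, which distinguishes an unanswered IKE negotiation from a port sweep that fires at a fixed rate. The year is assumed to be 2001 because syslog timestamps carry none; the back-off test checks the doubling shape rather than fixed timer values, since those vary by implementation.

```python
import re
from collections import defaultdict
from datetime import datetime

# Constructed sample: the seven ipchains "Packet log:" lines quoted in the
# thread, one per line (addresses, IP IDs and lengths as posted).
SAMPLE_LOG = """\
Mar 8 06:00:02 klammeraffe kernel: Packet log: input DENY eth0 PROTO=17 203.30.32.23:500 62.208.181.42:500 L=708 S=0x00 I=11327 F=0x0000 T=115 (#81)
Mar 8 06:00:03 klammeraffe kernel: Packet log: input DENY eth0 PROTO=17 203.30.32.23:500 62.208.181.42:500 L=708 S=0x00 I=11370 F=0x0000 T=115 (#81)
Mar 8 06:00:05 klammeraffe kernel: Packet log: input DENY eth0 PROTO=17 203.30.32.23:500 62.208.181.42:500 L=708 S=0x00 I=11398 F=0x0000 T=115 (#81)
Mar 8 06:00:09 klammeraffe kernel: Packet log: input DENY eth0 PROTO=17 203.30.32.23:500 62.208.181.42:500 L=708 S=0x00 I=11412 F=0x0000 T=115 (#81)
Mar 8 06:00:17 klammeraffe kernel: Packet log: input DENY eth0 PROTO=17 203.30.32.23:500 62.208.181.42:500 L=708 S=0x00 I=11479 F=0x0000 T=115 (#81)
Mar 8 06:00:33 klammeraffe kernel: Packet log: input DENY eth0 PROTO=17 203.30.32.23:500 62.208.181.42:500 L=708 S=0x00 I=11751 F=0x0000 T=115 (#81)
Mar 8 06:01:05 klammeraffe kernel: Packet log: input DENY eth0 PROTO=17 203.30.32.23:500 62.208.181.42:500 L=84 S=0x00 I=13238 F=0x0000 T=115 (#81)
"""

# Field layout of an ipchains kernel packet-log line as it appears above.
LOG_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2}\s+\d{1,2} \d\d:\d\d:\d\d) \S+ kernel: Packet log: "
    r"(?P<chain>\S+) (?P<verdict>\S+) (?P<iface>\S+) PROTO=(?P<proto>\d+) "
    r"(?P<src>[\d.]+):(?P<sport>\d+) (?P<dst>[\d.]+):(?P<dport>\d+) "
    r"L=(?P<length>\d+) S=0x[0-9a-fA-F]+ I=(?P<ipid>\d+) F=0x[0-9a-fA-F]+ T=(?P<ttl>\d+)"
)

LOG_YEAR = 2001  # assumption: syslog timestamps carry no year; taken from the post date


def parse_packet_log(text):
    """Parse ipchains packet-log lines into dicts; lines that do not match are skipped."""
    records = []
    for line in text.splitlines():
        m = LOG_RE.match(line.strip())
        if not m:
            continue
        rec = m.groupdict()
        rec["time"] = datetime.strptime(f"{LOG_YEAR} {rec['ts']}", "%Y %b %d %H:%M:%S")
        for key in ("proto", "sport", "dport", "length", "ipid", "ttl"):
            rec[key] = int(rec[key])
        records.append(rec)
    return records


def find_ike_retry_bursts(text, min_packets=4, tolerance=0.5):
    """Return UDP/500 flows whose inter-arrival gaps roughly double each time.

    An IKE initiator that receives no reply retransmits its first message with
    a growing back-off, so the gaps form a doubling sequence. A scanner that
    sweeps port 500 at a steady rate does not, and is left unflagged.
    """
    flows = defaultdict(list)
    for rec in parse_packet_log(text):
        if rec["proto"] == 17 and rec["dport"] == 500:
            flows[(rec["src"], rec["dst"])].append(rec)

    bursts = []
    for (src, dst), recs in flows.items():
        if len(recs) < min_packets:
            continue
        recs.sort(key=lambda r: r["time"])
        gaps = [int((b["time"] - a["time"]).total_seconds()) for a, b in zip(recs, recs[1:])]
        # Every gap must be about twice the previous one (ratio within 2 +/- tolerance).
        doubling = all(
            prev > 0 and abs(cur / prev - 2.0) <= tolerance
            for prev, cur in zip(gaps, gaps[1:])
        )
        if doubling:
            bursts.append({
                "src": src, "dst": dst, "count": len(recs), "gaps": gaps,
                "first": recs[0]["time"], "last": recs[-1]["time"],
                "lengths": [r["length"] for r in recs],
            })
    return bursts


if __name__ == "__main__":
    for b in find_ike_retry_bursts(SAMPLE_LOG):
        print(f"{b['src']} -> {b['dst']}:500: {b['count']} IKE packets, gaps {b['gaps']} s "
              f"({b['first']:%H:%M:%S} to {b['last']:%H:%M:%S}); "
              "an unanswered IKE initiator retrying, not a port scan")
```

Run against a real firewall log, the doubling check is what separates the "Server (request security)" behaviour described in the reply from hostile activity; if the same source shows up every thirty minutes with this shape, the cheap fix is the one given above (have the owner switch to "Client (Respond Only)"), not a firewall change.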
Current thread:
- Probes on Port 500? -mat- filid brandy (Mar 08)
- Re: Probes on Port 500? Jason Witty (Mar 08)
- Re: Probes on Port 500? Jose Nazario (Mar 08)
- Re: Probes on Port 500? -mat- filid brandy (Mar 09)
- <Possible follow-ups>
- Re: Probes on Port 500? Suzanne . Hernandez (Mar 08)