Security Incidents mailing list archives

Re: Probes on Port 500?


From: Suzanne.Hernandez () GUNTER AF MIL
Date: Thu, 8 Mar 2001 11:23:27 -0600

Windows 2000 machines set up with "Server (request security)" for the Local
Security Policy will always attempt to set up a security association (via
udp port 500) and then an IPSEC tunnel before sending packets in the clear.
We have even seen this to routers, i.e. a Windows 2000 workstation will do a
simple ping to a router.  The router first sees a udp/500 packet as this
workstation wants to communicate securely.  Then following, the router will
see the icmp packet.  Contact the owner of the machine and ask him to set up
his Local Security Policy as "Client (Respond Only)".  This way, if users
attempt to set up security associations with that workstation, he will have
the ability to respond securely, but packets he initiates will be in the
clear and you won't see his traffic anymore.




Slan,

since two weeks now I am getting this traffic every half an hour. It is
firewalled, so it does no harm, but does anyone know about similar
probes?

Security Violations
=-=-=-=-=-=-=-=-=-=
Mar  8 06:00:02 klammeraffe kernel: Packet log: input DENY eth0 PROTO=17
203.30.32.23:500 62.208.181.42:500 L=708 S=0x00 I=11327 F=0x0000 T=115 (#81)
Mar  8 06:00:03 klammeraffe kernel: Packet log: input DENY eth0 PROTO=17
203.30.32.23:500 62.208.181.42:500 L=708 S=0x00 I=11370 F=0x0000 T=115 (#81)
Mar  8 06:00:05 klammeraffe kernel: Packet log: input DENY eth0 PROTO=17
203.30.32.23:500 62.208.181.42:500 L=708 S=0x00 I=11398 F=0x0000 T=115 (#81)
Mar  8 06:00:09 klammeraffe kernel: Packet log: input DENY eth0 PROTO=17
203.30.32.23:500 62.208.181.42:500 L=708 S=0x00 I=11412 F=0x0000 T=115 (#81)
Mar  8 06:00:17 klammeraffe kernel: Packet log: input DENY eth0 PROTO=17
203.30.32.23:500 62.208.181.42:500 L=708 S=0x00 I=11479 F=0x0000 T=115 (#81)
Mar  8 06:00:33 klammeraffe kernel: Packet log: input DENY eth0 PROTO=17
203.30.32.23:500 62.208.181.42:500 L=708 S=0x00 I=11751 F=0x0000 T=115 (#81)
Mar  8 06:01:05 klammeraffe kernel: Packet log: input DENY eth0 PROTO=17
203.30.32.23:500 62.208.181.42:500 L=84 S=0x00 I=13238 F=0x0000 T=115 (#81)

Slainte agus saol agat,
        -mat-

PS:
When I hear a man applauded by the mob I always feel a pang of pity
for him.  All he has to do to be hissed is to live long enough.
                -- H.L. Mencken, "Minority Report"

--
-mat- filid brandy   brandy () klammeraffe org   MB210-RIPE
http://www.klammeraffe.org/~brandy/info/
PGP PUBLIC KEY CODE NUMBER E4118785
PGP fingerprint = D8102D77AA40514A6F610671297C5AB4
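An added example, not part of the thread: a small Python parser for the ipchains "Packet log" lines quoted above that picks out UDP 500-to-500 (ISAKMP) entries, groups them by source and destination, and checks whether the gaps between packets roughly double. The doubling-gap heuristic and the year (2001) used to build timestamps are assumptions of this example; a single source retrying with backoff fits the reply's explanation (one host trying to negotiate a security association) rather than a sweep of many hosts.

```python
import re
from datetime import datetime

# Constructed sample: the seven ipchains log entries quoted in the post,
# each rejoined onto one line (the mail archive wrapped them).
SAMPLE_LOG = """\
Mar  8 06:00:02 klammeraffe kernel: Packet log: input DENY eth0 PROTO=17 203.30.32.23:500 62.208.181.42:500 L=708 S=0x00 I=11327 F=0x0000 T=115 (#81)
Mar  8 06:00:03 klammeraffe kernel: Packet log: input DENY eth0 PROTO=17 203.30.32.23:500 62.208.181.42:500 L=708 S=0x00 I=11370 F=0x0000 T=115 (#81)
Mar  8 06:00:05 klammeraffe kernel: Packet log: input DENY eth0 PROTO=17 203.30.32.23:500 62.208.181.42:500 L=708 S=0x00 I=11398 F=0x0000 T=115 (#81)
Mar  8 06:00:09 klammeraffe kernel: Packet log: input DENY eth0 PROTO=17 203.30.32.23:500 62.208.181.42:500 L=708 S=0x00 I=11412 F=0x0000 T=115 (#81)
Mar  8 06:00:17 klammeraffe kernel: Packet log: input DENY eth0 PROTO=17 203.30.32.23:500 62.208.181.42:500 L=708 S=0x00 I=11479 F=0x0000 T=115 (#81)
Mar  8 06:00:33 klammeraffe kernel: Packet log: input DENY eth0 PROTO=17 203.30.32.23:500 62.208.181.42:500 L=708 S=0x00 I=11751 F=0x0000 T=115 (#81)
Mar  8 06:01:05 klammeraffe kernel: Packet log: input DENY eth0 PROTO=17 203.30.32.23:500 62.208.181.42:500 L=84 S=0x00 I=13238 F=0x0000 T=115 (#81)
"""

# ipchains packet-log layout: timestamp host kernel: Packet log: chain action iface PROTO=n src:sport dst:dport L=len ...
LINE_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2}\s+\d{1,2} \d\d:\d\d:\d\d) \S+ kernel: Packet log: "
    r"(?P<chain>\w+) (?P<action>\w+) (?P<iface>\S+) PROTO=(?P<proto>\d+) "
    r"(?P<src>[\d.]+):(?P<sport>\d+) (?P<dst>[\d.]+):(?P<dport>\d+) L=(?P<length>\d+)")

def parse_line(line, year=2001):
    """Parse one ipchains log line into a dict, or return None if it does not match."""
    m = LINE_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    # syslog timestamps carry no year; the year is an assumption supplied by the caller
    rec["when"] = datetime.strptime(f"{year} {rec['ts']}", "%Y %b %d %H:%M:%S")
    for k in ("proto", "sport", "dport", "length"):
        rec[k] = int(rec[k])
    return rec

def is_isakmp(rec):
    """UDP (proto 17) from port 500 to port 500 is IKE/ISAKMP key negotiation."""
    return rec["proto"] == 17 and rec["sport"] == 500 and rec["dport"] == 500

def ike_initiators(log_text, year=2001):
    """Group ISAKMP packets by (src, dst) and summarise each initiator's retry timing."""
    groups = {}
    for line in log_text.splitlines():
        rec = parse_line(line, year)
        if rec and is_isakmp(rec):
            groups.setdefault((rec["src"], rec["dst"]), []).append(rec)
    report = {}
    for key, recs in groups.items():
        recs.sort(key=lambda r: r["when"])
        gaps = [int((b["when"] - a["when"]).total_seconds()) for a, b in zip(recs, recs[1:])]
        # Heuristic (assumed): gaps that roughly double look like one peer retransmitting
        # an unanswered IKE request with backoff, not a scanner walking through hosts.
        backoff = len(gaps) >= 3 and all(1.5 * a <= b <= 2.5 * a for a, b in zip(gaps, gaps[1:]))
        report[key] = {"packets": len(recs), "gaps": gaps, "retransmit_backoff": backoff,
                       "lengths": sorted({r["length"] for r in recs})}
    return report
```

For the quoted log this yields one initiator pair with gaps of 1, 2, 4, 8, 16 and 32 seconds, i.e. the backoff pattern of a single unanswered negotiation.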

