Security Incidents mailing list archives

RE: VPN connection attempts to resolvers?


From: "Coochey, Giles" <g.coochey () btinternet com>
Date: Thu, 4 Apr 2002 09:09:46 +0100

This is most likely innocent activity - probably a VPN client configured
somewhere with a mistyped peer IP address. Was the SYN flood you detected
from the same machine?

ISAKMP is usually the initial part of an IPsec authentication routine.

Thanks

Giles

-----Original Message-----
From: Mike Lewinski [mailto:mike () rockynet com]
Sent: 03 April 2002 23:41
To: incidents () securityfocus com
Subject: VPN connection attempts to resolvers?


We've observed what appear to be attempts to establish a VPN connection to
our caching-only resolvers. I have commented each of the packet dumps below.
None of our nameservers provide any VPN services, and never have.

Since I am not a VPN expert, I'm wondering if anyone else can shed some
light on what might be going on here. Is this just a brain-dead VPN client
that's making bad assumptions about its resolvers? Or is there something
more malicious going on? The traffic was picked up after a SYN flood to one
of the DNS servers led to further investigation.


1) Source address belongs to University of Kentucky, and is most definitely
NOT on our network. It made just this single attempt at one of our NS whose
IP is munged as 192.168.1.2

10:16:06.861543 128.163.130.31.500 > 192.168.1.2.500:  isakmp v1.0 exchange ID_PROT
        cookie: 7e9fb9ad0f6a156d->0000000000000000 msgid: 00000000 len: 824

10:16:07.880193 128.163.130.31.500 > 192.168.1.2.500:  isakmp v1.0 exchange ID_PROT
        cookie: 7e9fb9ad0f6a156d->0000000000000000 msgid: 00000000 len: 824

10:16:09.924159 128.163.130.31.500 > 192.168.1.2.500:  isakmp v1.0 exchange ID_PROT
        cookie: 7e9fb9ad0f6a156d->0000000000000000 msgid: 00000000 len: 824

10:16:14.017524 128.163.130.31.500 > 192.168.1.2.500:  isakmp v1.0 exchange ID_PROT
        cookie: 7e9fb9ad0f6a156d->0000000000000000 msgid: 00000000 len: 824

10:16:22.237762 128.163.130.31.500 > 192.168.1.2.500:  isakmp v1.0 exchange ID_PROT
        cookie: 7e9fb9ad0f6a156d->0000000000000000 msgid: 00000000 len: 824

10:16:38.849207 128.163.130.31.500 > 192.168.1.2.500:  isakmp v1.0 exchange ID_PROT
        cookie: 7e9fb9ad0f6a156d->0000000000000000 msgid: 00000000 len: 824

10:17:11.801050 128.163.130.31.500 > 192.168.1.2.500:  isakmp v1.0 exchange INFO
        cookie: 7e9fb9ad0f6a156d->0000000000000000 msgid: 61f8b42c len: 56


2) Source address (munged as 10.10.10.2) is a client on our network, who
would have the 192.168.1.2 in their resolver list (yes, we're trying to
contact this owner to get more information).

12:44:33.013871 10.10.10.2.500 > 192.168.1.2.500:  isakmp v1.0 exchange ID_PROT
        cookie: 42d1fd3af522ccac->0000000000000000 msgid: 00000000 len: 584
12:44:34.013281 10.10.10.2.500 > 192.168.1.2.500:  isakmp v1.0 exchange ID_PROT
        cookie: 42d1fd3af522ccac->0000000000000000 msgid: 00000000 len: 584
12:44:36.029620 10.10.10.2.500 > 192.168.1.2.500:  isakmp v1.0 exchange ID_PROT
        cookie: 42d1fd3af522ccac->0000000000000000 msgid: 00000000 len: 584
12:44:40.045468 10.10.10.2.500 > 192.168.1.2.500:  isakmp v1.0 exchange ID_PROT
        cookie: 42d1fd3af522ccac->0000000000000000 msgid: 00000000 len: 584
12:44:48.080488 10.10.10.2.500 > 192.168.1.2.500:  isakmp v1.0 exchange ID_PROT
        cookie: 42d1fd3af522ccac->0000000000000000 msgid: 00000000 len: 584
12:45:04.108008 10.10.10.2.500 > 192.168.1.2.500:  isakmp v1.0 exchange ID_PROT
        cookie: 42d1fd3af522ccac->0000000000000000 msgid: 00000000 len: 584
12:45:36.139212 10.10.10.2.500 > 192.168.1.2.500:  isakmp v1.0 exchange INFO
        cookie: 42d1fd3af522ccac->0000000000000000 msgid: 0ca4d811 len: 56

3) Same source address as #2 above to the other resolver here.

12:44:31.994895 10.10.10.2.500 > 192.168.1.3.500:  isakmp v1.0 exchange ID_PROT
        cookie: 40ddc79fba64eddc->0000000000000000 msgid: 00000000 len: 584
12:44:32.985435 10.10.10.2.500 > 192.168.1.3.500:  isakmp v1.0 exchange ID_PROT
        cookie: 40ddc79fba64eddc->0000000000000000 msgid: 00000000 len: 584
12:44:34.987583 10.10.10.2.500 > 192.168.1.3.500:  isakmp v1.0 exchange ID_PROT
        cookie: 40ddc79fba64eddc->0000000000000000 msgid: 00000000 len: 584
12:44:39.003313 10.10.10.2.500 > 192.168.1.3.500:  isakmp v1.0 exchange ID_PROT
        cookie: 40ddc79fba64eddc->0000000000000000 msgid: 00000000 len: 584
12:44:47.032735 10.10.10.2.500 > 192.168.1.3.500:  isakmp v1.0 exchange ID_PROT
        cookie: 40ddc79fba64eddc->0000000000000000 msgid: 00000000 len: 584
12:45:03.065870 10.10.10.2.500 > 192.168.1.3.500:  isakmp v1.0 exchange ID_PROT
        cookie: 40ddc79fba64eddc->0000000000000000 msgid: 00000000 len: 584
12:45:35.093469 10.10.10.2.500 > 192.168.1.3.500:  isakmp v1.0 exchange INFO
        cookie: 40ddc79fba64eddc->0000000000000000 msgid: 2ffd6531 len: 56

4) Source IP 205.214.49.50 is NOT on our network and is not known to us as
belonging to a client.

15:03:04.587449 205.214.49.50.50926 > 192.168.1.2.500:  isakmp v1.0 exchange ID_PROT
        cookie: 8a916c9d9d2a418d->0000000000000000 msgid: 00000000 len: 904
15:03:05.613654 205.214.49.50.50926 > 192.168.1.2.500:  isakmp v1.0 exchange ID_PROT
        cookie: 8a916c9d9d2a418d->0000000000000000 msgid: 00000000 len: 904
15:03:07.645706 205.214.49.50.50926 > 192.168.1.2.500:  isakmp v1.0 exchange ID_PROT
        cookie: 8a916c9d9d2a418d->0000000000000000 msgid: 00000000 len: 904
15:03:09.578398 205.214.49.50.50941 > 192.168.1.2.500:  isakmp v1.0 exchange ID_PROT
        cookie: 46b9c64ee477376a->0000000000000000 msgid: 00000000 len: 904
15:03:10.594456 205.214.49.50.50941 > 192.168.1.2.500:  isakmp v1.0 exchange ID_PROT
        cookie: 46b9c64ee477376a->0000000000000000 msgid: 00000000 len: 904
15:03:11.770808 205.214.49.50.50926 > 192.168.1.2.500:  isakmp v1.0 exchange ID_PROT
        cookie: 8a916c9d9d2a418d->0000000000000000 msgid: 00000000 len: 904
15:03:12.593077 205.214.49.50.50941 > 192.168.1.2.500:  isakmp v1.0 exchange ID_PROT
        cookie: 46b9c64ee477376a->0000000000000000 msgid: 00000000 len: 904
15:03:16.627072 205.214.49.50.50941 > 192.168.1.2.500:  isakmp v1.0 exchange ID_PROT
        cookie: 46b9c64ee477376a->0000000000000000 msgid: 00000000 len: 904
15:03:19.848476 205.214.49.50.50926 > 192.168.1.2.500:  isakmp v1.0 exchange ID_PROT
        cookie: 8a916c9d9d2a418d->0000000000000000 msgid: 00000000 len: 904
15:03:24.704365 205.214.49.50.50941 > 192.168.1.2.500:  isakmp v1.0 exchange ID_PROT
        cookie: 46b9c64ee477376a->0000000000000000 msgid: 00000000 len: 904
15:03:35.988910 205.214.49.50.51028 > 192.168.1.2.500:  isakmp v1.0 exchange ID_PROT
        cookie: 8a916c9d9d2a418d->0000000000000000 msgid: 00000000 len: 904
15:03:40.781393 205.214.49.50.51042 > 192.168.1.2.500:  isakmp v1.0 exchange ID_PROT
        cookie: 46b9c64ee477376a->0000000000000000 msgid: 00000000 len: 904
15:04:08.311979 205.214.49.50.51125 > 192.168.1.2.500:  isakmp v1.0 exchange INFO
        cookie: 8a916c9d9d2a418d->0000000000000000 msgid: 7860f712 len: 56
15:04:12.947695 205.214.49.50.51142 > 192.168.1.2.500:  isakmp v1.0 exchange INFO
        cookie: 46b9c64ee477376a->0000000000000000 msgid: ad9ec40b len: 56
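One way to triage dumps like these, as an added example that is not part of the thread: parse the tcpdump ISAKMP records, group them by source and initiator cookie, and flag the pattern Giles describes (a client retrying Main Mode with growing gaps, never answered, then sending an INFO). The sample is constructed from the post's own dump lines; the 1.5 to 2.5 backoff ratio window is an assumption.

```python
import re
from collections import defaultdict
from datetime import datetime

HDR = re.compile(r"^(\S+) (\S+)\.(\d+) > (\S+)\.(\d+):\s+isakmp v1\.0 exchange (\S+)")
CK = re.compile(r"cookie: ([0-9a-f]{16})->([0-9a-f]{16}) msgid: ([0-9a-f]{8}) len: (\d+)")

# Constructed sample modelled on the post's dumps: three Main Mode retries and a
# final INFO from dump 1, plus two single probes with different cookies from dump 4.
SAMPLE = """\
10:16:06.861543 128.163.130.31.500 > 192.168.1.2.500:  isakmp v1.0 exchange ID_PROT
        cookie: 7e9fb9ad0f6a156d->0000000000000000 msgid: 00000000 len: 824
10:16:07.880193 128.163.130.31.500 > 192.168.1.2.500:  isakmp v1.0 exchange ID_PROT
        cookie: 7e9fb9ad0f6a156d->0000000000000000 msgid: 00000000 len: 824
10:16:09.924159 128.163.130.31.500 > 192.168.1.2.500:  isakmp v1.0 exchange ID_PROT
        cookie: 7e9fb9ad0f6a156d->0000000000000000 msgid: 00000000 len: 824
10:17:11.801050 128.163.130.31.500 > 192.168.1.2.500:  isakmp v1.0 exchange INFO
        cookie: 7e9fb9ad0f6a156d->0000000000000000 msgid: 61f8b42c len: 56
15:03:04.587449 205.214.49.50.50926 > 192.168.1.2.500:  isakmp v1.0 exchange ID_PROT
        cookie: 8a916c9d9d2a418d->0000000000000000 msgid: 00000000 len: 904
15:03:09.578398 205.214.49.50.50941 > 192.168.1.2.500:  isakmp v1.0 exchange ID_PROT
        cookie: 46b9c64ee477376a->0000000000000000 msgid: 00000000 len: 904
"""

def parse(text):
    # Each tcpdump isakmp record is a header line followed by an indented cookie line.
    lines = [l.strip() for l in text.splitlines() if l.strip()]
    for hdr, ck in zip(lines[0::2], lines[1::2]):
        h, c = HDR.match(hdr), CK.search(ck)
        if h and c:
            yield {"ts": datetime.strptime(h.group(1), "%H:%M:%S.%f"), "src": h.group(2),
                   "exch": h.group(6), "icookie": c.group(1), "rcookie": c.group(2)}

def triage(text):
    """Summarise each (source, initiator cookie) Phase 1 attempt seen in the dump."""
    flows = defaultdict(list)
    for r in parse(text):
        flows[(r["src"], r["icookie"])].append(r)
    out = {}
    for key, pk in flows.items():
        pk.sort(key=lambda r: r["ts"])
        t = [r["ts"] for r in pk if r["exch"] == "ID_PROT"]
        gaps = [(b - a).total_seconds() for a, b in zip(t, t[1:])]
        # A stock IKE client retransmits Main Mode with roughly doubling gaps; an
        # all-zero responder cookie on every packet means the target never answered.
        backoff = len(gaps) > 1 and all(1.5 <= g2 / g1 <= 2.5 for g1, g2 in zip(gaps, gaps[1:]))
        unanswered = all(r["rcookie"] == "0" * 16 for r in pk)
        out[key] = {"id_prot": len(t), "unanswered": unanswered, "backoff": backoff,
                    "gave_up": pk[-1]["exch"] == "INFO",
                    "verdict": "unanswered client retrying" if backoff and unanswered
                    else "single probe, review manually"}
    return out
```

Feed it `tcpdump -n udp port 500` output with the same two-line record layout; sources whose cookies change every packet or that show no backoff deserve a closer look than a steadily retrying client.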



----------------------------------------------------------------------------
This list is provided by the SecurityFocus ARIS analyzer service.
For more information on this free incident handling, management
and tracking system please see: http://aris.securityfocus.com


