Security Incidents mailing list archives

Previous By Date Next
Previous By Thread Next

RE: VPN connection attempts to resolvers?

From: "Bill Royds" <sf-lists () royds net>
Date: Wed, 3 Apr 2002 19:58:33 -0500
This may be a Free S/Wan client or a Windows 2000 client configured with "opportunistic" encryption. By default, they 
will first try IPSEC connections (UDP port 500 as in your trace) to attempt a secure connection. If there is no 
response, they will then try a normal TCP connection.
Try connecting to the source with IPSEC and see if it responds.

-----Original Message-----
From: Mike Lewinski [mailto:mike () rockynet com]
Sent: Wed April 03 2002 17:41
To: incidents () securityfocus com
Subject: VPN connection attempts to resolvers?


We've observed what appear to be attempts to establish a VPN connection to
our caching-only resolvers. I have commented each of the packet dumps below.
None of our nameservers provide any VPN services, and never have.

Since I am not a VPN expert, I'm wondering if anyone else can shed some
light on what might be going on here. Is this just a brain-dead VPN client
that's making bad assumptions about it's resolvers? Or is there something
more malicious going on? The traffic was picked up after a SYN flood to one
of the DNS servers led to further investigation.


1) Source address belongs to University of Kentucky, and is most definitely
NOT on our network. It made just this single attempt at one of our NS whose
IP is munged as 192.168.1.2

10:16:06.861543 128.163.130.31.500 > 192.168.1.2.500:  isakmp v1.0
exchange ID_PROT
        cookie: 7e9fb9ad0f6a156d->0000000000000000 msgid: 00000000 len: 824

10:16:07.880193 128.163.130.31.500 > 192.168.1.2.500:  isakmp v1.0
exchange ID_PROT
        cookie: 7e9fb9ad0f6a156d->0000000000000000 msgid: 00000000 len: 824

10:16:09.924159 128.163.130.31.500 > 192.168.1.2.500:  isakmp v1.0
exchange ID_PROT
        cookie: 7e9fb9ad0f6a156d->0000000000000000 msgid: 00000000 len: 824

10:16:14.017524 128.163.130.31.500 > 192.168.1.2.500:  isakmp v1.0
exchange ID_PROT
        cookie: 7e9fb9ad0f6a156d->0000000000000000 msgid: 00000000 len: 824

10:16:22.237762 128.163.130.31.500 > 192.168.1.2.500:  isakmp v1.0
exchange ID_PROT
        cookie: 7e9fb9ad0f6a156d->0000000000000000 msgid: 00000000 len: 824

10:16:38.849207 128.163.130.31.500 > 192.168.1.2.500:  isakmp v1.0
exchange ID_PROT
        cookie: 7e9fb9ad0f6a156d->0000000000000000 msgid: 00000000 len: 824

10:17:11.801050 128.163.130.31.500 > 192.168.1.2.500:  isakmp v1.0
exchange INFO
        cookie: 7e9fb9ad0f6a156d->0000000000000000 msgid: 61f8b42c len: 56


2) Source address (munged as 10.10.10.2) is a client on our network, who
would have the 192.168.1.2 in their resolver list (yes, we're trying to
contact this owner to get more information).

12:44:33.013871 10.10.10.2.500 > 192.168.1.2.500:  isakmp v1.0 exchange
ID_PROT
        cookie: 42d1fd3af522ccac->0000000000000000 msgid: 00000000 len: 584
12:44:34.013281 10.10.10.2.500 > 192.168.1.2.500:  isakmp v1.0 exchange
ID_PROT
        cookie: 42d1fd3af522ccac->0000000000000000 msgid: 00000000 len: 584
12:44:36.029620 10.10.10.2.500 > 192.168.1.2.500:  isakmp v1.0 exchange
ID_PROT
        cookie: 42d1fd3af522ccac->0000000000000000 msgid: 00000000 len: 584
12:44:40.045468 10.10.10.2.500 > 192.168.1.2.500:  isakmp v1.0 exchange
ID_PROT
        cookie: 42d1fd3af522ccac->0000000000000000 msgid: 00000000 len: 584
12:44:48.080488 10.10.10.2.500 > 192.168.1.2.500:  isakmp v1.0 exchange
ID_PROT
        cookie: 42d1fd3af522ccac->0000000000000000 msgid: 00000000 len: 584
12:45:04.108008 10.10.10.2.500 > 192.168.1.2.500:  isakmp v1.0 exchange
ID_PROT
        cookie: 42d1fd3af522ccac->0000000000000000 msgid: 00000000 len: 584
12:45:36.139212 10.10.10.2.500 > 192.168.1.2.500:  isakmp v1.0 exchange INFO
        cookie: 42d1fd3af522ccac->0000000000000000 msgid: 0ca4d811 len: 56

3) Same source address as #2 above to the other resolver here.

12:44:31.994895 10.10.10.2.500 > 192.168.1.3.500:  isakmp v1.0 exchange
ID_PROT
        cookie: 40ddc79fba64eddc->0000000000000000 msgid: 00000000 len: 584
12:44:32.985435 10.10.10.2.500 > 192.168.1.3.500:  isakmp v1.0 exchange
ID_PROT
        cookie: 40ddc79fba64eddc->0000000000000000 msgid: 00000000 len: 584
12:44:34.987583 10.10.10.2.500 > 192.168.1.3.500:  isakmp v1.0 exchange
ID_PROT
        cookie: 40ddc79fba64eddc->0000000000000000 msgid: 00000000 len: 584
12:44:39.003313 10.10.10.2.500 > 192.168.1.3.500:  isakmp v1.0 exchange
ID_PROT
        cookie: 40ddc79fba64eddc->0000000000000000 msgid: 00000000 len: 584
12:44:47.032735 10.10.10.2.500 > 192.168.1.3.500:  isakmp v1.0 exchange
ID_PROT
        cookie: 40ddc79fba64eddc->0000000000000000 msgid: 00000000 len: 584
12:45:03.065870 10.10.10.2.500 > 192.168.1.3.500:  isakmp v1.0 exchange
ID_PROT
        cookie: 40ddc79fba64eddc->0000000000000000 msgid: 00000000 len: 584
12:45:35.093469 10.10.10.2.500 > 192.168.1.3.500:  isakmp v1.0 exchange INFO
        cookie: 40ddc79fba64eddc->0000000000000000 msgid: 2ffd6531 len: 56

4) Source IP 205.214.49.50 is NOT on our network and is not known to us as
belonging to a client.

15:03:04.587449 205.214.49.50.50926 > 192.168.1.2.500:  isakmp v1.0 exchange
ID_PROT
        cookie: 8a916c9d9d2a418d->0000000000000000 msgid: 00000000 len: 904
15:03:05.613654 205.214.49.50.50926 > 192.168.1.2.500:  isakmp v1.0 exchange
ID_PROT
        cookie: 8a916c9d9d2a418d->0000000000000000 msgid: 00000000 len: 904
15:03:07.645706 205.214.49.50.50926 > 192.168.1.2.500:  isakmp v1.0 exchange
ID_PROT
        cookie: 8a916c9d9d2a418d->0000000000000000 msgid: 00000000 len: 904
15:03:09.578398 205.214.49.50.50941 > 192.168.1.2.500:  isakmp v1.0 exchange
ID_PROT
        cookie: 46b9c64ee477376a->0000000000000000 msgid: 00000000 len: 904
15:03:10.594456 205.214.49.50.50941 > 192.168.1.2.500:  isakmp v1.0 exchange
ID_PROT
        cookie: 46b9c64ee477376a->0000000000000000 msgid: 00000000 len: 904
15:03:11.770808 205.214.49.50.50926 > 192.168.1.2.500:  isakmp v1.0 exchange
ID_PROT
        cookie: 8a916c9d9d2a418d->0000000000000000 msgid: 00000000 len: 904
15:03:12.593077 205.214.49.50.50941 > 192.168.1.2.500:  isakmp v1.0 exchange
ID_PROT
        cookie: 46b9c64ee477376a->0000000000000000 msgid: 00000000 len: 904
15:03:16.627072 205.214.49.50.50941 > 192.168.1.2.500:  isakmp v1.0 exchange
ID_PROT
        cookie: 46b9c64ee477376a->0000000000000000 msgid: 00000000 len: 904
15:03:19.848476 205.214.49.50.50926 > 192.168.1.2.500:  isakmp v1.0 exchange
ID_PROT
        cookie: 8a916c9d9d2a418d->0000000000000000 msgid: 00000000 len: 904
15:03:24.704365 205.214.49.50.50941 > 192.168.1.2.500:  isakmp v1.0 exchange
ID_PROT
        cookie: 46b9c64ee477376a->0000000000000000 msgid: 00000000 len: 904
15:03:35.988910 205.214.49.50.51028 > 192.168.1.2.500:  isakmp v1.0 exchange
ID_PROT
        cookie: 8a916c9d9d2a418d->0000000000000000 msgid: 00000000 len: 904
15:03:40.781393 205.214.49.50.51042 > 192.168.1.2.500:  isakmp v1.0 exchange
ID_PROT
        cookie: 46b9c64ee477376a->0000000000000000 msgid: 00000000 len: 904
15:04:08.311979 205.214.49.50.51125 > 192.168.1.2.500:  isakmp v1.0 exchange
INFO
        cookie: 8a916c9d9d2a418d->0000000000000000 msgid: 7860f712 len: 56
15:04:12.947695 205.214.49.50.51142 > 192.168.1.2.500:  isakmp v1.0 exchange
INFO
        cookie: 46b9c64ee477376a->0000000000000000 msgid: ad9ec40b len: 56



----------------------------------------------------------------------------
This list is provided by the SecurityFocus ARIS analyzer service.
For more information on this free incident handling, management 
and tracking system please see: http://aris.securityfocus.com


----------------------------------------------------------------------------
This list is provided by the SecurityFocus ARIS analyzer service.
For more information on this free incident handling, management
and tracking system please see: http://aris.securityfocus.com
Previous By Date Next
Previous By Thread Next

Current thread: