Security Incidents mailing list archives
Re: UDP port 500 traffic from two clients
From: Glen Mehn <glen () squaretrade com>
Date: Mon, 28 Jan 2002 10:27:01 -0800
You could always add a line to blacklist them in your /etc/hosts.deny file.

On Mon, Jan 28, 2002 at 08:27:19AM -0800, Chris Wilkes wrote:
I recently moved and changed IP addresses within my ISP's block and two IP addresses from mediaone.net and home.com hit me a couple of times a minute with a UDP request to port 500. Looking around on the net it appears this could be a machine trying to VPN into mine. Since this is the first time these addresses have shown up and they are just coming to and from port 500 I think their machines might be misconfigured or there is a DNS entry out there that says my machine is the one that they want to get to.

What's the best way to stop this? I sent an email off to the abuse address at the two ISPs (I'm sure that will go straight to /dev/null as they are really large) asking them to investigate, but is there anything else I should do?

I set up a UDP server to capture the data that they are sending and the results of the two are at http://ladro.com/udp500.txt . They kept on repeating the same 219 bytes over and over. The pattern has since changed, but it looks like it is staying the same.

Right now I'm sending back a UDP packet of "Go away" but I'm wondering if there is something else I can do. Is there some IKE message that tells them to give up or one that will send a message to their screen?

Feel free to email me for more details.

Chris

----------------------------------------------------------------------------
This list is provided by the SecurityFocus ARIS analyzer service.
For more information on this free incident handling, management
and tracking system please see: http://aris.securityfocus.com
--
Glen S Mehn
Lead Systems Administrator
SquareTrade, Inc
glen () squaretrade com
Building Trust in Transactions (sm)
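One way to triage captures like the repeating 219-byte datagrams described in the question is to decode the fixed 28-byte ISAKMP header (RFC 2408, section 3.1) of each UDP/500 payload; this is an added example, not part of the original thread. The function names and the sample datagram are constructed for illustration and do not reproduce the capture linked above.

```python
import struct

HEADER = struct.Struct("!8s8sBBBBII")  # RFC 2408 section 3.1, 28 bytes
EXCHANGES = {1: "Base", 2: "Identity Protection (Main Mode)",
             3: "Authentication Only", 4: "Aggressive", 5: "Informational",
             32: "Quick Mode"}
PAYLOADS = {0: "None", 1: "SA", 4: "KE", 5: "ID", 8: "HASH", 10: "NONCE",
            11: "Notification", 12: "Delete", 13: "Vendor ID"}


def parse_isakmp(datagram: bytes) -> dict:
    """Decode the fixed ISAKMP header of one UDP/500 payload."""
    if len(datagram) < HEADER.size:
        raise ValueError("too short for an ISAKMP header")
    icookie, rcookie, nxt, ver, xchg, flags, msg_id, length = \
        HEADER.unpack_from(datagram)
    return {
        "initiator_cookie": icookie.hex(),
        "responder_cookie": rcookie.hex(),
        "first_payload": PAYLOADS.get(nxt, f"unknown({nxt})"),
        "version": f"{ver >> 4}.{ver & 0x0F}",
        "exchange": EXCHANGES.get(xchg, f"unknown({xchg})"),
        "encrypted": bool(flags & 0x01),
        "message_id": msg_id,
        "declared_length": length,
        "length_matches": length == len(datagram),
        # An all-zero responder cookie means the sender has not accepted any
        # reply yet: it is opening (or retrying) a new negotiation.
        "new_negotiation": rcookie == bytes(8),
    }


def summarize(datagrams: list) -> dict:
    """Count datagrams per initiator cookie; a repeated cookie is a retransmit."""
    attempts = {}
    for d in datagrams:
        cookie = parse_isakmp(d)["initiator_cookie"]
        attempts[cookie] = attempts.get(cookie, 0) + 1
    return attempts


# Constructed sample: 219-byte first Main Mode message with a zero-filled body.
SAMPLE = HEADER.pack(bytes.fromhex("1122334455667788"), bytes(8),
                     1, 0x10, 2, 0, 0, 219) + bytes(191)

if __name__ == "__main__":
    print(parse_isakmp(SAMPLE))
    print(summarize([SAMPLE, SAMPLE, SAMPLE]))
```

A header that parses as version 1.0 with a zero responder cookie and a Main Mode or Aggressive exchange indicates a peer repeatedly starting an IKE negotiation toward this address, which is consistent with a stale gateway setting on the remote side.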