Security Incidents mailing list archives

RE: UDP port 500 traffic from two clients


From: "Toni Heinonen" <Toni.Heinonen () teleware fi>
Date: Mon, 28 Jan 2002 23:33:27 +0200

> Right now I'm sending back a UDP packet of "Go away" but I'm wondering
> if there is something else I can do.  Is there some IKE message that
> tells them to give up or one that will send a message to their screen?

Hello!

In 99 % of these cases there is absolutely nothing malicious about the traffic. You know, IPSec isn't used only for
VPN? As a matter of fact, you can (as many people have done) configure your Windows 2000 to encrypt ABSOLUTELY ALL
traffic. So, IPSec could be used as a substitute for SSH, TLS or other encryption mechanisms. IPSec is better than the
previous ones in that it can be used to protect ANY kind of IP traffic. There is nothing malicious anyone could do
by establishing an IPSec tunnel to your computer, except of course bypassing a poorly configured firewall (if you are
worried about this in your firewall, block ESP and AH).

For instance, some people in my company put 'opportunistic IPSec' on in the Win2k computers, and one day we had a phone
call from another company's IT staff, who were very worried about us trying to hack through their firewall with a
VPN tunnel. Of course, nothing like this was happening; our people were simply accessing the other company's web pages.

As for Nimda/Code Red infected servers doing the same, the idea is exactly the same. The servers have simply been 
configured by their owners to try and negotiate IPSec-protection for all traffic, and when they start making 
connections (be it user-initiated or connections made by the worm) they first try to negotiate IPSec.

There IS a bug in IKE which allows a DoS attack - just make an IKE connection and give a screwed-up certificate as the
ID. It takes quite a while to certify the certificate, and there's difficult mathematics involved. This means that a
malicious attacker could make multiple simultaneous connections to your computer's IKE facility and give lots of these
screwed-up certificates, thereby making your computer's CPU usage rise to 90-95 %.

However, in your case the traffic looks nothing like this. You shouldn't be worried. As a matter of fact, maybe you 
should configure your computer to answer IKE-negotiations, so random computers in the Internet could encrypt their 
traffic to you :) Of course, I don't know many public web servers or the like that would have been configured to 
request IPSec.

-- 
Toni Heinonen, CISSP
Teleware Oy
+358 40 836 1815
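An added example, not part of Toni's reply or of any product mentioned in it: the thread is about deciding whether UDP/500 traffic is a peer with an opportunistic IPSec policy or something worth worrying about, so this script decodes the fixed 28-byte ISAKMP header (RFC 2408) at the front of a UDP/500 datagram, labels the exchange (a fresh main-mode initiation is exactly what a host configured to "request security for all traffic" sends first), and counts distinct phase-1 initiations per source. The sample datagrams, the source addresses and the idea of flagging a source that opens many exchanges at once are constructed for the demo; the threshold is the reader's choice.

```python
import struct
from collections import defaultdict

# Layout of the 28-byte ISAKMP header (RFC 2408, section 3.1), network byte order:
# initiator cookie (8), responder cookie (8), next payload (1), version (1),
# exchange type (1), flags (1), message ID (4), total length (4)
ISAKMP_HEADER = struct.Struct("!8s8sBBBBII")

# Exchange types defined for ISAKMP / IKEv1
EXCHANGE_TYPES = {
    0: "none",
    1: "base",
    2: "identity protection (main mode)",
    3: "authentication only",
    4: "aggressive",
    5: "informational",
}

# IKEv1 payload type 1 is a Security Association payload
PAYLOAD_SA = 1


def parse_isakmp_header(datagram):
    """Decode the ISAKMP header at the front of a UDP/500 datagram."""
    if len(datagram) < ISAKMP_HEADER.size:
        raise ValueError("datagram shorter than an ISAKMP header")
    (i_cookie, r_cookie, next_payload, version, exch_type,
     flags, msg_id, length) = ISAKMP_HEADER.unpack_from(datagram)
    return {
        "initiator_cookie": i_cookie.hex(),
        "responder_cookie": r_cookie.hex(),
        "next_payload": next_payload,
        "major_version": version >> 4,
        "minor_version": version & 0x0F,
        "exchange_type": exch_type,
        "exchange_name": EXCHANGE_TYPES.get(exch_type, "unknown"),
        "flags": flags,
        "message_id": msg_id,
        "length": length,
    }


def classify_datagram(datagram):
    """Say what kind of IKE traffic a single UDP/500 datagram is."""
    hdr = parse_isakmp_header(datagram)
    if hdr["major_version"] != 1:
        return "not IKEv1"
    # First message of a phase-1 exchange: responder cookie still zero, message ID zero
    fresh = hdr["responder_cookie"] == "00" * 8 and hdr["message_id"] == 0
    if hdr["exchange_type"] == 2 and fresh and hdr["next_payload"] == PAYLOAD_SA:
        # What a peer whose policy asks for IPSec on all traffic sends first
        return "main-mode initiation"
    if hdr["exchange_type"] == 4 and fresh:
        return "aggressive-mode initiation"
    if hdr["exchange_type"] == 5:
        return "informational"
    return "other IKE (%s)" % hdr["exchange_name"]


def count_open_initiations(datagrams):
    """Count distinct initiator cookies per source that began a phase-1 exchange.

    One or a few per source is what an opportunistic peer looks like; a large
    number in a short window is the pattern worth a closer look.
    """
    per_source = defaultdict(set)
    for src, datagram in datagrams:
        if classify_datagram(datagram).endswith("initiation"):
            per_source[src].add(parse_isakmp_header(datagram)["initiator_cookie"])
    return {src: len(cookies) for src, cookies in per_source.items()}


def build_sample(i_cookie, r_cookie=b"\x00" * 8, exch_type=2, msg_id=0,
                 next_payload=PAYLOAD_SA):
    # Constructed header-only datagram for the demo (no payloads follow the header)
    return ISAKMP_HEADER.pack(i_cookie, r_cookie, next_payload, 0x10,
                              exch_type, 0, msg_id, ISAKMP_HEADER.size)


# Constructed sample: two ordinary peers each opening one main-mode exchange,
# one source opening fifty at once (fifty distinct cookies), and a second
# message of an already-open exchange (responder cookie set, KE payload next).
SAMPLE = [("10.0.0.5", build_sample(b"\x01" * 8)),
          ("10.0.0.9", build_sample(b"\x02" * 8))]
SAMPLE += [("10.0.0.77", build_sample(n.to_bytes(8, "big"))) for n in range(1, 51)]
SAMPLE.append(("10.0.0.5", build_sample(b"\x01" * 8, r_cookie=b"\xaa" * 8, next_payload=4)))

if __name__ == "__main__":
    for src, d in SAMPLE[:2]:
        print(src, classify_datagram(d))
    print(count_open_initiations(SAMPLE))
```

Run against a capture, the per-source counts separate the case in the thread (a handful of hosts each with one initiation, which is just a policy asking for protection) from the many-simultaneous-connections pattern the reply describes; blocking ESP (IP protocol 50) and AH (51) at the firewall, as the reply suggests, is what stops any negotiated tunnel from carrying traffic past it.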

----------------------------------------------------------------------------
This list is provided by the SecurityFocus ARIS analyzer service.
For more information on this free incident handling, management
and tracking system please see: http://aris.securityfocus.com
