Re: udp 500 packets when users are web browsing

[Chuck Anderson <cra () WPI EDU>]

Sounds like Opportunistic Encryption.

https://en.wikipedia.org/wiki/Opportunistic_encryption#Windows_OS

On Thu, Sep 03, 2015 at 09:53:46AM -0400, Robert Webb wrote:
> There is no VPN in the picture here. These are straight workstations
> on the network that the packets are coming from.
>
> According to a pcaket capture in wireshark, these are isakmp packets
> reaching out to host names of web sites that are being browsed. So
> destinations are sites like twitter, facebook, amazon, cnn, etc..
>
> We have further discovered that they seem to be initiated from the
> Windows 7 svchost, but we have not been able to find documentation
> as to how or why this is ocurring.
>
> Robert
>
>
> On Thu, 3 Sep 2015 13:42:21 +0000
>  "Bjoern A. Zeeb" <bzeeb-lists () lists zabbadoz net> wrote:
> > > On 03 Sep 2015, at 13:35 , Robert Webb <rwebb () ropeguru com> wrote:
> > >
> > > We are seeing udp 500 packets being dropped at our firewall from
> > > user's browsing sessions. These are users on a 2008 R2 AD setup
> > > with Windows 7.
> > >
> > > Source and destination ports are udp 500 and the the pattern of
> > > drops directly correlate to the web browsing activity. We have
> > > confirmed this with tcpdump of port 500 and a single host and
> > > watching the pattern of traffic as they browse. This also occurs
> > > no matter what browser is used.
> > >
> > > Can anyone shine some light on what may be using udp 500 when
> > > web browsing?
> >
> > The VPN using IPsec UDP-Encap connection that supposedly gets
> > through NAT?   Have you checked the content with tcpdump?   Do you
> > have fragments by any chance?