Re: udp 500 packets when users are web browsing

["Oliver O'Boyle" <oliver.oboyle () gmail com>]

You can configure Windows to encrypt traffic based on protocol definitions.
E.g., Use IPSEC to encrypt all traffic on port 80 between hosts X and hosts
Y.

It's possible that such a policy is in place locally on the workstations
and/or servers and it's also possible that it's being enforced using GPOs.

On Thu, Sep 3, 2015 at 9:53 AM, Robert Webb <rwebb () ropeguru com> wrote:

> There is no VPN in the picture here. These are straight workstations on
> the network that the packets are coming from.
>
> According to a pcaket capture in wireshark, these are isakmp packets
> reaching out to host names of web sites that are being browsed. So
> destinations are sites like twitter, facebook, amazon, cnn, etc..
>
> We have further discovered that they seem to be initiated from the Windows
> 7 svchost, but we have not been able to find documentation as to how or why
> this is ocurring.
>
> Robert
>
>
>
> On Thu, 3 Sep 2015 13:42:21 +0000
>  "Bjoern A. Zeeb" <bzeeb-lists () lists zabbadoz net> wrote:
>
> > On 03 Sep 2015, at 13:35 , Robert Webb <rwebb () ropeguru com> wrote:
> > > We are seeing udp 500 packets being dropped at our firewall from user's
> > > browsing sessions. These are users on a 2008 R2 AD setup with Windows 7.
> > >
> > > Source and destination ports are udp 500 and the the pattern of drops
> > > directly correlate to the web browsing activity. We have confirmed this
> > > with tcpdump of port 500 and a single host and watching the pattern of
> > > traffic as they browse. This also occurs no matter what browser is used.
> > >
> > > Can anyone shine some light on what may be using udp 500 when web
> > > browsing?
> >
> > The VPN using IPsec UDP-Encap connection that supposedly gets through
> > NAT?   Have you checked the content with tcpdump?   Do you have fragments
> > by any chance?


-- 
:o@>