Re: udp 500 packets when users are web browsing

["Robert Webb" <rwebb () ropeguru com>]

Yes, we are looking at this now.

Thanks for everyone's help. I think we are heading in the right direction 
tracking this down. This just showed up in our monitoring and makes sense as 
we just brought up a new locked down domain.

Robert


On Thu, 3 Sep 2015 10:19:53 -0400
 "Oliver O'Boyle" <oliver.oboyle () gmail com> wrote:
> You can configure Windows to encrypt traffic based on protocol 
> definitions.
> E.g., Use IPSEC to encrypt all traffic on port 80 between hosts X 
> and hosts
> Y.
>
> It's possible that such a policy is in place locally on the 
> workstations
> and/or servers and it's also possible that it's being enforced using 
> GPOs.
>
> On Thu, Sep 3, 2015 at 9:53 AM, Robert Webb <rwebb () ropeguru com> 
> wrote:
>
> > There is no VPN in the picture here. These are straight workstations 
> > on
> > the network that the packets are coming from.
> >
> > According to a pcaket capture in wireshark, these are isakmp packets
> > reaching out to host names of web sites that are being browsed. So
> > destinations are sites like twitter, facebook, amazon, cnn, etc..
> >
> > We have further discovered that they seem to be initiated from the 
> > Windows
> > 7 svchost, but we have not been able to find documentation as to how 
> > or why
> > this is ocurring.
> >
> > Robert
> >
> >
> > On Thu, 3 Sep 2015 13:42:21 +0000
> >  "Bjoern A. Zeeb" <bzeeb-lists () lists zabbadoz net> wrote:
> >
> > > On 03 Sep 2015, at 13:35 , Robert Webb <rwebb () ropeguru com> wrote:
> > > > We are seeing udp 500 packets being dropped at our firewall from 
> > > > user's
> > > > browsing sessions. These are users on a 2008 R2 AD setup with 
> > > > Windows 7.
> > > >
> > > > Source and destination ports are udp 500 and the the pattern of 
> > > > drops
> > > > directly correlate to the web browsing activity. We have confirmed 
> > > > this
> > > > with tcpdump of port 500 and a single host and watching the pattern 
> > > > of
> > > > traffic as they browse. This also occurs no matter what browser is 
> > > > used.
> > > >
> > > > Can anyone shine some light on what may be using udp 500 when web
> > > > browsing?
> > >
> > > The VPN using IPsec UDP-Encap connection that supposedly gets 
> > > through
> > > NAT?   Have you checked the content with tcpdump?   Do you have 
> > > fragments
> > > by any chance?
> --
> :o@>