Re: Strange IPSEC traffic

[Tom Beecher <beecher () beecher cc>]

> Last week somebody on the internet started a campaign to scan and perhaps
> to exploit some zero day ipsec vulnerabilities.

I've seen traffic like this for the better part of at least the last 7
years, fairly consistently.

It's definitely not something new.

On Mon, Nov 13, 2023 at 12:42 PM Adrian Minta <adrian.minta () gmail com>
wrote:

> On 11/13/23 19:10, Shawn L via NANOG wrote:
>
> Is anyone else seeing a lot of 'strange' IPSEC traffic?  We started seeing
> logs of IPSEC with invalid spi on Friday.  We're seeing it on pretty much
> all of our PE routers, none of which are setup to do anything VPN related.
> Most are just routing local customer traffic.
>
>
>
> decaps: rec'd IPSEC packet has invalid spi for destaddr=X.X.X.X, prot=50,
> spi=0x9D2D0000(2636972032), srcaddr=211.112.195.167, input
> interface=TenGigabitEthernet0/0/11
>
>
>
> decaps: rec'd IPSEC packet has invalid spi for destaddr=Y.Y.Y.Y, prot=50,
> spi=0x14690000(342425600), srcaddr=74.116.56.244, input
> interface=TenGigabitEthernet0/0/5
>
>
>
> The destination address is always one of our customer's ip addresses.  The
> source seems to be all over the place, mostly Russia, Korea, China or south
> east asia.  It's not really impacting anything at the moment, just rather
> annoying.
>
>
>
> Thanks
>
>
>
> Shawn
>
>
> Hi Shawn,
>
> we saw a lot of syslog messages like these and the targets are cisco
> devices, some of witch, according to the data sheets, are not even capable
> of ipsec.
>
> Cisco is punting some ESP traffic to control plane on ios and ios-xe
> devices, regardless of the configuration.
>
> Last week somebody on the internet started a campaign to scan and perhaps
> to exploit some zero day ipsec vulnerabilities.
>
>
> This is the list of ip addresses we saw: https://pastebin.com/vrLRai9Q
>
>
>
> --
> Best regards,
> Adrian Minta