UDP port 500 traffic from two clients

From: Chris Wilkes (cwilkesat_private)
Date: Mon Jan 28 2002 - 08:27:19 PST


    I recently moved and changed IP addresses within my ISP's block and two
    IP addresses from mediaone.net and home.com hit me a couple of times a
    minute with a UDP request to port 500.
    
    Looking around on the net it appears this could be a machine trying to
    VPN into mine.  Since this is the first time these addresses have shown
    up and they are just coming to and from port 500 I think their machines
    might be misconfigured or there is a DNS entry out there that says my
    machine is the one that they want to get to.
    
    What's the best way to stop this?  I sent an email off to the abuse
    address at the two ISPs (I'm sure that will go straight to /dev/null as
    they are really large) asking them to investigate, but is there anything
    else I should do?
    
    I set up a UDP server to capture the data that they are sending and the
    results of the two are at http://ladro.com/udp500.txt .  They kept on
    repeating the same 219 bytes over and over.  The pattern has since
    changed, but it looks like it is staying the same.
    
    Right now I'm sending back a UDP packet of "Go away" but I'm wondering
    if there is something else I can do.  Is there some IKE message that
    tells them to give up or one that will send a message to their screen?
    
    Feel free to email me for more details.
    
    Chris
    
    ----------------------------------------------------------------------------
    This list is provided by the SecurityFocus ARIS analyzer service.
    For more information on this free incident handling, management 
    and tracking system please see: http://aris.securityfocus.com
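UDP/500 is ISAKMP, the IKE key-exchange protocol, so the first step in making sense of a repeated capture like the one above is to decode its fixed header and payload chain: the exchange type and a zero responder cookie tell you whether the sender is repeatedly trying to open a fresh phase-1 negotiation with this host as its peer, which is exactly what a stale VPN configuration or DNS entry would produce. The parser below is an added example, not the poster's code or part of any IKE implementation; it follows the RFC 2408 header layout and runs on a constructed sample datagram, not the real 219-byte capture.

```python
import struct

# Fixed 28-byte ISAKMP header (RFC 2408 section 3.1), network byte order: initiator
# cookie, responder cookie, next payload, version, exchange type, flags, msg ID, length.
ISAKMP_HDR = struct.Struct("!8s8sBBBBII")
PAYLOAD_HDR = struct.Struct("!BBH")  # generic payload header: next payload, reserved, length

EXCHANGE_TYPES = {1: "Base", 2: "Identity Protection (Main Mode)",
                  3: "Authentication Only", 4: "Aggressive", 5: "Informational",
                  32: "Quick Mode", 33: "New Group Mode"}
PAYLOAD_TYPES = {1: "SA", 2: "Proposal", 3: "Transform", 4: "KE", 5: "ID", 6: "CERT",
                 7: "CR", 8: "HASH", 9: "SIG", 10: "NONCE", 11: "NOTIFY", 12: "DELETE",
                 13: "VID"}

def parse_isakmp(data: bytes) -> dict:
    """Decode the header and walk the payload chain; raise on malformed input."""
    if len(data) < ISAKMP_HDR.size:
        raise ValueError(f"short datagram: {len(data)} bytes")
    i_ck, r_ck, nxt, ver, exch, flags, msg_id, length = ISAKMP_HDR.unpack_from(data)
    payloads, off = [], ISAKMP_HDR.size
    while nxt != 0:  # each payload header names the type of the payload after it
        if off + PAYLOAD_HDR.size > len(data):
            raise ValueError("payload chain runs past end of datagram")
        payloads.append(PAYLOAD_TYPES.get(nxt, f"unknown({nxt})"))
        nxt, _reserved, plen = PAYLOAD_HDR.unpack_from(data, off)
        if plen < PAYLOAD_HDR.size or off + plen > len(data):
            raise ValueError(f"bad payload length {plen} at offset {off}")
        off += plen
    return {
        "initiator_cookie": i_ck.hex(),
        "responder_cookie_zero": r_ck == bytes(8),
        "version": f"{ver >> 4}.{ver & 0xF}",
        "exchange_type": EXCHANGE_TYPES.get(exch, f"unknown({exch})"),
        "message_id": msg_id,
        "length_ok": length == len(data),
        "payloads": payloads,
        # Zero responder cookie plus Main/Aggressive mode is a fresh phase-1
        # initiation: the sender believes this host is its VPN peer.
        "phase1_initiation": r_ck == bytes(8) and exch in (2, 4),
    }

# Constructed sample (not the poster's capture): a Main Mode first message with
# an SA payload (DOI=1 IPsec, situation=1) followed by an 8-byte vendor ID.
SAMPLE = (
    bytes.fromhex("0102030405060708") + bytes(8)                 # initiator cookie set, responder zero
    + bytes([1, 0x10, 2, 0]) + struct.pack("!II", 0, 52)         # next=SA, v1.0, Main Mode, flags, msg ID, len
    + struct.pack("!BBH", 13, 0, 12) + struct.pack("!II", 1, 1)  # SA payload, next=VID
    + struct.pack("!BBH", 0, 0, 12) + b"\xaa" * 8                # VID payload, end of chain
)
```

Feed it the raw bytes of one captured datagram; a repeated `phase1_initiation` result with the same initiator cookie is the detail worth quoting in an abuse report, since it shows the remote host is retrying a VPN negotiation aimed at your address.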
    
    This archive was generated by hypermail 2b30 : Mon Jan 28 2002 - 10:31:03 PST