Re: UDP port 500 traffic from two clients

From: Glen Mehn (glenat_private)
Date: Mon Jan 28 2002 - 10:27:01 PST


    You could always add a line to blacklist them in your /etc/hosts.deny file.
    
    
    
    On Mon, Jan 28, 2002 at 08:27:19AM -0800, Chris Wilkes wrote:
    > I recently moved and changed IP addresses within my ISP's block and two
    > IP addresses from mediaone.net and home.com hit me a couple of times a
    > minute with a UDP request to port 500.
    > 
    > Looking around on the net it appears this could be a machine trying to
    > VPN into mine.  Since this is the first time these addresses have shown
    > up and they are just coming to and from port 500 I think their machines
    > might be misconfigured or there is a DNS entry out there that says my
    > machine is the one that they want to get to.
    > 
    > What's the best way to stop this?  I sent an email off to the abuse
    > address at the two ISPs (I'm sure that will go straight to /dev/null as
    > they are really large) asking them to investigate, but is there anything
    > else I should do?
    > 
    > I set up a UDP server to capture the data that they are sending and the
    > results of the two are at http://ladro.com/udp500.txt .  They kept on
    > repeating the same 219 bytes over and over.  The pattern has since
    > changed, but it looks like it is staying the same.
    > 
    > Right now I'm sending back a UDP packet of "Go away" but I'm wondering
    > if there is something else I can do.  Is there some IKE message that
    > tells them to give up or one that will send a message to their screen?
    > 
    > Feel free to email me for more details.
    > 
    > Chris
    > 
    > ----------------------------------------------------------------------------
    > This list is provided by the SecurityFocus ARIS analyzer service.
    > For more information on this free incident handling, management 
    > and tracking system please see: http://aris.securityfocus.com
    > 
    
    -- 
    Glen S Mehn
    Lead Systems Administrator		SquareTrade, Inc
    glenat_private	Building Trust in Transactions (sm)
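
Added example, not part of the original post or reply: a way to triage the captured port 500 payloads discussed in this thread by decoding the fixed ISAKMP header (RFC 2408) and grouping datagrams by initiator cookie, which separates one peer retransmitting the same negotiation from fresh attempts. The function names are hypothetical and the 219-byte sample is constructed (header plus zero padding), since the capture itself is not reproduced on this page.

```python
import struct
from collections import Counter

# ISAKMP fixed header (RFC 2408, section 3.1): 28 bytes, network byte order.
HEADER = struct.Struct("!8s8sBBBBII")
EXCHANGE_TYPES = {0: "None", 1: "Base", 2: "Identity Protection (Main Mode)",
                  3: "Authentication Only", 4: "Aggressive", 5: "Informational",
                  32: "Quick Mode", 33: "New Group Mode"}

def parse_isakmp_header(datagram: bytes) -> dict:
    """Decode the fixed header of a UDP/500 payload; ValueError if it cannot be ISAKMP."""
    if len(datagram) < HEADER.size:
        raise ValueError("shorter than the 28-byte ISAKMP header")
    icookie, rcookie, _next, version, xchg, flags, msg_id, length = HEADER.unpack_from(datagram)
    if length != len(datagram):
        raise ValueError(f"length field {length} != datagram size {len(datagram)}")
    return {
        "initiator_cookie": icookie.hex(),
        "responder_cookie": rcookie.hex(),
        "version": f"{version >> 4}.{version & 0x0F}",
        "exchange": EXCHANGE_TYPES.get(xchg, f"unknown ({xchg})"),
        "encrypted": bool(flags & 0x01),
        "message_id": msg_id,
        # Zero responder cookie and message ID 0 mark the first packet of phase 1.
        "initial_request": rcookie == bytes(8) and msg_id == 0,
    }

def summarize(datagrams) -> dict:
    """Group payloads by initiator cookie; a cookie seen repeatedly is a retransmission."""
    seen, rejected = Counter(), 0
    for d in datagrams:
        try:
            seen[parse_isakmp_header(d)["initiator_cookie"]] += 1
        except ValueError:
            rejected += 1
    return {"negotiations": len(seen),
            "retransmissions": sum(seen.values()) - len(seen),
            "not_isakmp": rejected}

def make_sample(icookie: bytes, total_len: int = 219) -> bytes:
    """Constructed sample: Main Mode first packet with a zero-padded body, not a real SA payload."""
    return HEADER.pack(icookie, bytes(8), 1, 0x10, 2, 0, 0, total_len) + bytes(total_len - HEADER.size)

if __name__ == "__main__":
    capture = [make_sample(b"\x11" * 8)] * 3 + [make_sample(b"\x22" * 8), b"Go away"]
    print(parse_isakmp_header(capture[0]))
    print(summarize(capture))
```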
    


