RE: UDP port 500 traffic from two clients

From: Toni Heinonen (Toni.Heinonenat_private)
Date: Mon Jan 28 2002 - 13:33:27 PST


    > Right now I'm sending back a UDP packet of "Go away" but I'm wondering
    > if there is something else I can do.  Is there some IKE message that
    > tells them to give up or one that will send a message to their screen?
    
    Hello!
    
    In 99% of these cases there is absolutely nothing malicious about the traffic. You know, IPSec isn't used only for VPN? As a matter of fact, you can (as many people have done) configure your Windows 2000 to encrypt ABSOLUTELY ALL traffic. So, IPSec could be used as a substitute for SSH, TLS or other encryption mechanisms. IPSec is better than these in that it can be used to protect ANY kind of IP traffic. There is nothing malicious anyone could do by establishing an IPSec tunnel to your computer, except of course bypassing a poorly configured firewall (if you are worried about this in your firewall, block ESP and AH).
    
    For instance, some people in my company turned 'opportunistic IPSec' on in the Win2k computers, and one day we had a phone call from another company's IT staff, who were very worried that we were trying to hack through their firewall with a VPN tunnel. Of course, nothing like this was happening; our people were simply accessing the other company's web pages.
    
    As for Nimda/Code Red infected servers doing the same, the idea is exactly the same. The servers have simply been configured by their owners to try and negotiate IPSec-protection for all traffic, and when they start making connections (be it user-initiated or connections made by the worm) they first try to negotiate IPSec.
    
    There IS a bug in IKE which allows a DoS attack - just make an IKE connection and give a screwed-up certificate as the ID. It takes quite a while to verify the certificate, and there's difficult mathematics involved. This means that a malicious attacker could make multiple simultaneous connections to your computer's IKE facility and give lots of these screwed-up certificates, thereby making your computer's CPU usage rise to 90-95 percent.
    
    However, in your case the traffic looks nothing like this. You shouldn't be worried. As a matter of fact, maybe you should configure your computer to answer IKE negotiations, so random computers on the Internet could encrypt their traffic to you :) Of course, I don't know many public web servers or the like that would have been configured to request IPSec.
    
    -- 
    Toni Heinonen, CISSP
    Teleware Oy
    +358 40 836 1815
    
    ----------------------------------------------------------------------------
    This list is provided by the SecurityFocus ARIS analyzer service.
    For more information on this free incident handling, management 
    and tracking system please see: http://aris.securityfocus.com
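An added triage example (not part of the original post or the list) that applies the distinction Toni draws above: a host retrying IKE on UDP/500 a few times and then falling back to plaintext is the benign opportunistic-IPSec case, while a burst of many IKE initiations from one source in a short window is the pattern that matches the certificate-validation DoS he describes, and ESP/AH arriving from a host that never negotiated IKE is the firewall-bypass case he suggests blocking. The log format, thresholds and all addresses are constructed assumptions; adapt `parse_line` to your own firewall's format.

```python
from collections import defaultdict
from datetime import datetime

# Constructed sample log, assumed format "<iso-ts> <src> <dst> <proto> <port>"
# (port is "-" for protocols without ports). Not real traffic: one host that
# probes IKE three times then goes to plaintext HTTP, one host sending ESP with
# no IKE at all, and one host firing 30 IKE initiations within 30 seconds.
SAMPLE_LOG = """\
2002-01-28T13:00:01 10.1.1.5 192.0.2.10 udp 500
2002-01-28T13:00:03 10.1.1.5 192.0.2.10 udp 500
2002-01-28T13:00:07 10.1.1.5 192.0.2.10 udp 500
2002-01-28T13:00:09 10.1.1.5 192.0.2.10 tcp 80
2002-01-28T13:02:00 10.1.1.9 192.0.2.10 esp -
""" + "".join(f"2002-01-28T13:10:{i:02d} 203.0.113.7 192.0.2.10 udp 500\n"
              for i in range(30))

def parse_line(line):
    ts, src, dst, proto, port = line.split()
    return {"ts": datetime.fromisoformat(ts), "src": src, "dst": dst,
            "proto": proto.lower(), "port": None if port == "-" else int(port)}

def max_in_window(times, window_s):
    """Largest number of events that fall inside any window_s-second span."""
    times = sorted(times)
    best = j = 0
    for i, t in enumerate(times):
        while (t - times[j]).total_seconds() > window_s:
            j += 1
        best = max(best, i - j + 1)
    return best

def triage(log_text, window_s=60, burst_threshold=20):
    """Return {src: verdict} for every source that touched IKE, ESP or AH."""
    ike = defaultdict(list)   # src -> timestamps of UDP/500 packets
    esp_ah = set()            # sources seen sending ESP (proto 50) or AH (51)
    for line in log_text.splitlines():
        if not line.strip():
            continue
        ev = parse_line(line)
        if ev["proto"] == "udp" and ev["port"] == 500:
            ike[ev["src"]].append(ev["ts"])
        elif ev["proto"] in ("esp", "ah"):
            esp_ah.add(ev["src"])
    verdict = {}
    for src, times in ike.items():
        peak = max_in_window(times, window_s)
        verdict[src] = "ike-burst" if peak >= burst_threshold else "ike-probe"
    for src in esp_ah - set(ike):   # encrypted payload with no negotiation seen
        verdict[src] = "esp-ah-without-ike"
    return verdict
```

The `ike-probe` verdict is the harmless case the post describes; `ike-burst` and `esp-ah-without-ike` are the two that deserve a closer look at the source.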
    


