RE: VPN connection attempts to resolvers?

From: Coochey, Giles (g.coocheyat_private)
Date: Thu Apr 04 2002 - 00:09:46 PST


    This is most likely innocent activity - probably a VPN client configured
    somewhere with a mistyped peer IP address. Was the SYN flood you detected
    from the same machine?
    
    ISAKMP is usually the initial part of an IPsec authentication routine.
    
    Thanks
    
    Giles
    
    > -----Original Message-----
    > From: Mike Lewinski [mailto:mikeat_private]
    > Sent: 03 April 2002 23:41
    > To: incidentsat_private
    > Subject: VPN connection attempts to resolvers?
    >
    >
    > We've observed what appear to be attempts to establish a VPN connection to
    > our caching-only resolvers. I have commented each of the packet dumps below.
    > None of our nameservers provide any VPN services, and never have.
    >
    > Since I am not a VPN expert, I'm wondering if anyone else can shed some
    > light on what might be going on here. Is this just a brain-dead VPN client
    > that's making bad assumptions about its resolvers? Or is there something
    > more malicious going on? The traffic was picked up after a SYN flood to one
    > of the DNS servers led to further investigation.
    >
    >
    > 1) Source address belongs to University of Kentucky, and is most definitely
    > NOT on our network. It made just this single attempt at one of our NS whose
    > IP is munged as 192.168.1.2
    >
    > 10:16:06.861543 128.163.130.31.500 > 192.168.1.2.500:  isakmp v1.0 exchange ID_PROT
    >         cookie: 7e9fb9ad0f6a156d->0000000000000000 msgid: 00000000 len: 824
    >
    > 10:16:07.880193 128.163.130.31.500 > 192.168.1.2.500:  isakmp v1.0 exchange ID_PROT
    >         cookie: 7e9fb9ad0f6a156d->0000000000000000 msgid: 00000000 len: 824
    >
    > 10:16:09.924159 128.163.130.31.500 > 192.168.1.2.500:  isakmp v1.0 exchange ID_PROT
    >         cookie: 7e9fb9ad0f6a156d->0000000000000000 msgid: 00000000 len: 824
    >
    > 10:16:14.017524 128.163.130.31.500 > 192.168.1.2.500:  isakmp v1.0 exchange ID_PROT
    >         cookie: 7e9fb9ad0f6a156d->0000000000000000 msgid: 00000000 len: 824
    >
    > 10:16:22.237762 128.163.130.31.500 > 192.168.1.2.500:  isakmp v1.0 exchange ID_PROT
    >         cookie: 7e9fb9ad0f6a156d->0000000000000000 msgid: 00000000 len: 824
    >
    > 10:16:38.849207 128.163.130.31.500 > 192.168.1.2.500:  isakmp v1.0 exchange ID_PROT
    >         cookie: 7e9fb9ad0f6a156d->0000000000000000 msgid: 00000000 len: 824
    >
    > 10:17:11.801050 128.163.130.31.500 > 192.168.1.2.500:  isakmp v1.0 exchange INFO
    >         cookie: 7e9fb9ad0f6a156d->0000000000000000 msgid: 61f8b42c len: 56
    >
    >
    > 2) Source address (munged as 10.10.10.2) is a client on our network, who
    > would have the 192.168.1.2 in their resolver list (yes, we're trying to
    > contact this owner to get more information).
    >
    > 12:44:33.013871 10.10.10.2.500 > 192.168.1.2.500:  isakmp v1.0 exchange ID_PROT
    >         cookie: 42d1fd3af522ccac->0000000000000000 msgid: 00000000 len: 584
    > 12:44:34.013281 10.10.10.2.500 > 192.168.1.2.500:  isakmp v1.0 exchange ID_PROT
    >         cookie: 42d1fd3af522ccac->0000000000000000 msgid: 00000000 len: 584
    > 12:44:36.029620 10.10.10.2.500 > 192.168.1.2.500:  isakmp v1.0 exchange ID_PROT
    >         cookie: 42d1fd3af522ccac->0000000000000000 msgid: 00000000 len: 584
    > 12:44:40.045468 10.10.10.2.500 > 192.168.1.2.500:  isakmp v1.0 exchange ID_PROT
    >         cookie: 42d1fd3af522ccac->0000000000000000 msgid: 00000000 len: 584
    > 12:44:48.080488 10.10.10.2.500 > 192.168.1.2.500:  isakmp v1.0 exchange ID_PROT
    >         cookie: 42d1fd3af522ccac->0000000000000000 msgid: 00000000 len: 584
    > 12:45:04.108008 10.10.10.2.500 > 192.168.1.2.500:  isakmp v1.0 exchange ID_PROT
    >         cookie: 42d1fd3af522ccac->0000000000000000 msgid: 00000000 len: 584
    > 12:45:36.139212 10.10.10.2.500 > 192.168.1.2.500:  isakmp v1.0 exchange INFO
    >         cookie: 42d1fd3af522ccac->0000000000000000 msgid: 0ca4d811 len: 56
    >
    > 3) Same source address as #2 above to the other resolver here.
    >
    > 12:44:31.994895 10.10.10.2.500 > 192.168.1.3.500:  isakmp v1.0 exchange ID_PROT
    >         cookie: 40ddc79fba64eddc->0000000000000000 msgid: 00000000 len: 584
    > 12:44:32.985435 10.10.10.2.500 > 192.168.1.3.500:  isakmp v1.0 exchange ID_PROT
    >         cookie: 40ddc79fba64eddc->0000000000000000 msgid: 00000000 len: 584
    > 12:44:34.987583 10.10.10.2.500 > 192.168.1.3.500:  isakmp v1.0 exchange ID_PROT
    >         cookie: 40ddc79fba64eddc->0000000000000000 msgid: 00000000 len: 584
    > 12:44:39.003313 10.10.10.2.500 > 192.168.1.3.500:  isakmp v1.0 exchange ID_PROT
    >         cookie: 40ddc79fba64eddc->0000000000000000 msgid: 00000000 len: 584
    > 12:44:47.032735 10.10.10.2.500 > 192.168.1.3.500:  isakmp v1.0 exchange ID_PROT
    >         cookie: 40ddc79fba64eddc->0000000000000000 msgid: 00000000 len: 584
    > 12:45:03.065870 10.10.10.2.500 > 192.168.1.3.500:  isakmp v1.0 exchange ID_PROT
    >         cookie: 40ddc79fba64eddc->0000000000000000 msgid: 00000000 len: 584
    > 12:45:35.093469 10.10.10.2.500 > 192.168.1.3.500:  isakmp v1.0 exchange INFO
    >         cookie: 40ddc79fba64eddc->0000000000000000 msgid: 2ffd6531 len: 56
    >
    > 4) Source IP 205.214.49.50 is NOT on our network and is not known to us as
    > belonging to a client.
    >
    > 15:03:04.587449 205.214.49.50.50926 > 192.168.1.2.500:  isakmp v1.0 exchange ID_PROT
    >         cookie: 8a916c9d9d2a418d->0000000000000000 msgid: 00000000 len: 904
    > 15:03:05.613654 205.214.49.50.50926 > 192.168.1.2.500:  isakmp v1.0 exchange ID_PROT
    >         cookie: 8a916c9d9d2a418d->0000000000000000 msgid: 00000000 len: 904
    > 15:03:07.645706 205.214.49.50.50926 > 192.168.1.2.500:  isakmp v1.0 exchange ID_PROT
    >         cookie: 8a916c9d9d2a418d->0000000000000000 msgid: 00000000 len: 904
    > 15:03:09.578398 205.214.49.50.50941 > 192.168.1.2.500:  isakmp v1.0 exchange ID_PROT
    >         cookie: 46b9c64ee477376a->0000000000000000 msgid: 00000000 len: 904
    > 15:03:10.594456 205.214.49.50.50941 > 192.168.1.2.500:  isakmp v1.0 exchange ID_PROT
    >         cookie: 46b9c64ee477376a->0000000000000000 msgid: 00000000 len: 904
    > 15:03:11.770808 205.214.49.50.50926 > 192.168.1.2.500:  isakmp v1.0 exchange ID_PROT
    >         cookie: 8a916c9d9d2a418d->0000000000000000 msgid: 00000000 len: 904
    > 15:03:12.593077 205.214.49.50.50941 > 192.168.1.2.500:  isakmp v1.0 exchange ID_PROT
    >         cookie: 46b9c64ee477376a->0000000000000000 msgid: 00000000 len: 904
    > 15:03:16.627072 205.214.49.50.50941 > 192.168.1.2.500:  isakmp v1.0 exchange ID_PROT
    >         cookie: 46b9c64ee477376a->0000000000000000 msgid: 00000000 len: 904
    > 15:03:19.848476 205.214.49.50.50926 > 192.168.1.2.500:  isakmp v1.0 exchange ID_PROT
    >         cookie: 8a916c9d9d2a418d->0000000000000000 msgid: 00000000 len: 904
    > 15:03:24.704365 205.214.49.50.50941 > 192.168.1.2.500:  isakmp v1.0 exchange ID_PROT
    >         cookie: 46b9c64ee477376a->0000000000000000 msgid: 00000000 len: 904
    > 15:03:35.988910 205.214.49.50.51028 > 192.168.1.2.500:  isakmp v1.0 exchange ID_PROT
    >         cookie: 8a916c9d9d2a418d->0000000000000000 msgid: 00000000 len: 904
    > 15:03:40.781393 205.214.49.50.51042 > 192.168.1.2.500:  isakmp v1.0 exchange ID_PROT
    >         cookie: 46b9c64ee477376a->0000000000000000 msgid: 00000000 len: 904
    > 15:04:08.311979 205.214.49.50.51125 > 192.168.1.2.500:  isakmp v1.0 exchange INFO
    >         cookie: 8a916c9d9d2a418d->0000000000000000 msgid: 7860f712 len: 56
    > 15:04:12.947695 205.214.49.50.51142 > 192.168.1.2.500:  isakmp v1.0 exchange INFO
    >         cookie: 46b9c64ee477376a->0000000000000000 msgid: ad9ec40b len: 56
    
    
    ----------------------------------------------------------------------------
    This list is provided by the SecurityFocus ARIS analyzer service.
    For more information on this free incident handling, management 
    and tracking system please see: http://aris.securityfocus.com
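The cookie and timing columns in the quoted dumps carry the signal behind Giles's reading: a responder cookie that stays 0000000000000000 means the nameserver never answered, and retries whose gaps double from 1 to 16 seconds before a single INFO exchange look like a client retrying on a timer and then giving up. As an added example that is not part of either post, this Python triages such dumps per initiator cookie; the 10.10.10.2 lines are case #2 above, the 10.10.10.9 pair is constructed to show an answered exchange, and the local-network prefix is an assumption.

```python
import re
from collections import defaultdict

# One packet per line in tcpdump's isakmp format. The 10.10.10.2 lines are case #2
# from the post; the 10.10.10.9 pair is constructed to show an answered exchange.
DUMP = """\
12:44:33.013871 10.10.10.2.500 > 192.168.1.2.500: isakmp v1.0 exchange ID_PROT cookie: 42d1fd3af522ccac->0000000000000000 msgid: 00000000 len: 584
12:44:34.013281 10.10.10.2.500 > 192.168.1.2.500: isakmp v1.0 exchange ID_PROT cookie: 42d1fd3af522ccac->0000000000000000 msgid: 00000000 len: 584
12:44:36.029620 10.10.10.2.500 > 192.168.1.2.500: isakmp v1.0 exchange ID_PROT cookie: 42d1fd3af522ccac->0000000000000000 msgid: 00000000 len: 584
12:44:40.045468 10.10.10.2.500 > 192.168.1.2.500: isakmp v1.0 exchange ID_PROT cookie: 42d1fd3af522ccac->0000000000000000 msgid: 00000000 len: 584
12:44:48.080488 10.10.10.2.500 > 192.168.1.2.500: isakmp v1.0 exchange ID_PROT cookie: 42d1fd3af522ccac->0000000000000000 msgid: 00000000 len: 584
12:45:04.108008 10.10.10.2.500 > 192.168.1.2.500: isakmp v1.0 exchange ID_PROT cookie: 42d1fd3af522ccac->0000000000000000 msgid: 00000000 len: 584
12:45:36.139212 10.10.10.2.500 > 192.168.1.2.500: isakmp v1.0 exchange INFO cookie: 42d1fd3af522ccac->0000000000000000 msgid: 0ca4d811 len: 56
13:00:00.000000 10.10.10.9.500 > 192.168.1.2.500: isakmp v1.0 exchange ID_PROT cookie: 1111111111111111->0000000000000000 msgid: 00000000 len: 584
13:00:00.050000 192.168.1.2.500 > 10.10.10.9.500: isakmp v1.0 exchange ID_PROT cookie: 1111111111111111->2222222222222222 msgid: 00000000 len: 120
"""

LINE = re.compile(
    r"(?P<ts>\d\d:\d\d:\d\d\.\d+) (?P<src>[\d.]+)\.(?P<sport>\d+) > (?P<dst>[\d.]+)\.(?P<dport>\d+):\s+"
    r"isakmp v1\.0 exchange (?P<xchg>\w+)\s+cookie: (?P<icookie>[0-9a-f]{16})->(?P<rcookie>[0-9a-f]{16})"
    r" msgid: (?P<msgid>[0-9a-f]{8}) len: (?P<len>\d+)")

def parse(text):
    """One dict per line that matches the tcpdump isakmp format; other lines are skipped."""
    return [m.groupdict() for m in map(LINE.match, text.splitlines()) if m]

def seconds(ts):  # "HH:MM:SS.ffffff" -> seconds since midnight, for gap arithmetic
    h, m, s = ts.split(":")
    return int(h) * 3600 + int(m) * 60 + float(s)

def analyse(pkts, local_prefixes=("10.",)):  # local prefix is an assumption for this example
    """Group by initiator cookie (one IKE SA attempt each) and classify each attempt."""
    by_cookie = defaultdict(list)
    for p in pkts:
        by_cookie[p["icookie"]].append(p)
    report = {}
    for cookie, ps in by_cookie.items():
        first = ps[0]                                              # the initiator's first packet
        main = [p for p in ps if p["xchg"] == "ID_PROT" and p["src"] == first["src"]]
        t = [seconds(p["ts"]) for p in main]
        gaps = [round(b - a) for a, b in zip(t, t[1:])]            # seconds between retransmits
        answered = any(p["rcookie"] != "0" * 16 for p in ps)      # responder cookie ever set?
        doubling = len(gaps) > 1 and all(b == 2 * a for a, b in zip(gaps, gaps[1:]))
        gave_up = any(p["xchg"] == "INFO" for p in ps)             # trailing informational exchange
        verdict = ("responder replied: a real IKE negotiation, confirm this host should serve IPsec" if answered
                   else "unanswered main-mode initiation with doubling retransmit gaps: consistent with a client pointed at the wrong peer" if doubling and gave_up
                   else "unanswered with irregular timing: review manually")
        report[cookie] = dict(src=first["src"], dst=first["dst"], internal=first["src"].startswith(local_prefixes),
                              retransmits=len(main) - 1, gaps=gaps, answered=answered, gave_up=gave_up, verdict=verdict)
    return report
```

Feeding it the case #1 and #4 dumps the same way shows the same unanswered pattern from external sources, which is the distinction (internal client versus unknown outside host) that decides who to contact.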
    



    This archive was generated by hypermail 2b30 : Thu Apr 04 2002 - 09:40:41 PST