This is most likely innocent activity - probably a VPN client configured somewhere with a mistyped peer IP address. Was the SYN flood you detected from the same machine? ISAKMP is usually the initial part of an IPsec authentication routine.

Thanks
Giles

> -----Original Message-----
> From: Mike Lewinski [mailto:mikeat_private]
> Sent: 03 April 2002 23:41
> To: incidentsat_private
> Subject: VPN connection attempts to resolvers?
>
>
> We've observed what appear to be attempts to establish a VPN connection to our caching-only resolvers. I have commented each of the packet dumps below. None of our nameservers provide any VPN services, and never have.
>
> Since I am not a VPN expert, I'm wondering if anyone else can shed some light on what might be going on here. Is this just a brain-dead VPN client that's making bad assumptions about its resolvers? Or is there something more malicious going on? The traffic was picked up after a SYN flood to one of the DNS servers led to further investigation.
>
>
> 1) Source address belongs to University of Kentucky, and is most definitely NOT on our network.
> It made just this single attempt at one of our NS whose IP is munged as 192.168.1.2
>
> 10:16:06.861543 128.163.130.31.500 > 192.168.1.2.500: isakmp v1.0 exchange ID_PROT
>     cookie: 7e9fb9ad0f6a156d->0000000000000000 msgid: 00000000 len: 824
> 10:16:07.880193 128.163.130.31.500 > 192.168.1.2.500: isakmp v1.0 exchange ID_PROT
>     cookie: 7e9fb9ad0f6a156d->0000000000000000 msgid: 00000000 len: 824
> 10:16:09.924159 128.163.130.31.500 > 192.168.1.2.500: isakmp v1.0 exchange ID_PROT
>     cookie: 7e9fb9ad0f6a156d->0000000000000000 msgid: 00000000 len: 824
> 10:16:14.017524 128.163.130.31.500 > 192.168.1.2.500: isakmp v1.0 exchange ID_PROT
>     cookie: 7e9fb9ad0f6a156d->0000000000000000 msgid: 00000000 len: 824
> 10:16:22.237762 128.163.130.31.500 > 192.168.1.2.500: isakmp v1.0 exchange ID_PROT
>     cookie: 7e9fb9ad0f6a156d->0000000000000000 msgid: 00000000 len: 824
> 10:16:38.849207 128.163.130.31.500 > 192.168.1.2.500: isakmp v1.0 exchange ID_PROT
>     cookie: 7e9fb9ad0f6a156d->0000000000000000 msgid: 00000000 len: 824
> 10:17:11.801050 128.163.130.31.500 > 192.168.1.2.500: isakmp v1.0 exchange INFO
>     cookie: 7e9fb9ad0f6a156d->0000000000000000 msgid: 61f8b42c len: 56
>
>
> 2) Source address (munged as 10.10.10.2) is a client on our network, who would have the 192.168.1.2 in their resolver list (yes, we're trying to contact this owner to get more information).
>
> 12:44:33.013871 10.10.10.2.500 > 192.168.1.2.500: isakmp v1.0 exchange ID_PROT
>     cookie: 42d1fd3af522ccac->0000000000000000 msgid: 00000000 len: 584
> 12:44:34.013281 10.10.10.2.500 > 192.168.1.2.500: isakmp v1.0 exchange ID_PROT
>     cookie: 42d1fd3af522ccac->0000000000000000 msgid: 00000000 len: 584
> 12:44:36.029620 10.10.10.2.500 > 192.168.1.2.500: isakmp v1.0 exchange ID_PROT
>     cookie: 42d1fd3af522ccac->0000000000000000 msgid: 00000000 len: 584
> 12:44:40.045468 10.10.10.2.500 > 192.168.1.2.500: isakmp v1.0 exchange ID_PROT
>     cookie: 42d1fd3af522ccac->0000000000000000 msgid: 00000000 len: 584
> 12:44:48.080488 10.10.10.2.500 > 192.168.1.2.500: isakmp v1.0 exchange ID_PROT
>     cookie: 42d1fd3af522ccac->0000000000000000 msgid: 00000000 len: 584
> 12:45:04.108008 10.10.10.2.500 > 192.168.1.2.500: isakmp v1.0 exchange ID_PROT
>     cookie: 42d1fd3af522ccac->0000000000000000 msgid: 00000000 len: 584
> 12:45:36.139212 10.10.10.2.500 > 192.168.1.2.500: isakmp v1.0 exchange INFO
>     cookie: 42d1fd3af522ccac->0000000000000000 msgid: 0ca4d811 len: 56
>
> 3) Same source address as #2 above to the other resolver here.
>
> 12:44:31.994895 10.10.10.2.500 > 192.168.1.3.500: isakmp v1.0 exchange ID_PROT
>     cookie: 40ddc79fba64eddc->0000000000000000 msgid: 00000000 len: 584
> 12:44:32.985435 10.10.10.2.500 > 192.168.1.3.500: isakmp v1.0 exchange ID_PROT
>     cookie: 40ddc79fba64eddc->0000000000000000 msgid: 00000000 len: 584
> 12:44:34.987583 10.10.10.2.500 > 192.168.1.3.500: isakmp v1.0 exchange ID_PROT
>     cookie: 40ddc79fba64eddc->0000000000000000 msgid: 00000000 len: 584
> 12:44:39.003313 10.10.10.2.500 > 192.168.1.3.500: isakmp v1.0 exchange ID_PROT
>     cookie: 40ddc79fba64eddc->0000000000000000 msgid: 00000000 len: 584
> 12:44:47.032735 10.10.10.2.500 > 192.168.1.3.500: isakmp v1.0 exchange ID_PROT
>     cookie: 40ddc79fba64eddc->0000000000000000 msgid: 00000000 len: 584
> 12:45:03.065870 10.10.10.2.500 > 192.168.1.3.500: isakmp v1.0 exchange ID_PROT
>     cookie: 40ddc79fba64eddc->0000000000000000 msgid: 00000000 len: 584
> 12:45:35.093469 10.10.10.2.500 > 192.168.1.3.500: isakmp v1.0 exchange INFO
>     cookie: 40ddc79fba64eddc->0000000000000000 msgid: 2ffd6531 len: 56
>
> 4) Source IP 205.214.49.50 is NOT on our network and is not known to us as belonging to a client.
>
> 15:03:04.587449 205.214.49.50.50926 > 192.168.1.2.500: isakmp v1.0 exchange ID_PROT
>     cookie: 8a916c9d9d2a418d->0000000000000000 msgid: 00000000 len: 904
> 15:03:05.613654 205.214.49.50.50926 > 192.168.1.2.500: isakmp v1.0 exchange ID_PROT
>     cookie: 8a916c9d9d2a418d->0000000000000000 msgid: 00000000 len: 904
> 15:03:07.645706 205.214.49.50.50926 > 192.168.1.2.500: isakmp v1.0 exchange ID_PROT
>     cookie: 8a916c9d9d2a418d->0000000000000000 msgid: 00000000 len: 904
> 15:03:09.578398 205.214.49.50.50941 > 192.168.1.2.500: isakmp v1.0 exchange ID_PROT
>     cookie: 46b9c64ee477376a->0000000000000000 msgid: 00000000 len: 904
> 15:03:10.594456 205.214.49.50.50941 > 192.168.1.2.500: isakmp v1.0 exchange ID_PROT
>     cookie: 46b9c64ee477376a->0000000000000000 msgid: 00000000 len: 904
> 15:03:11.770808 205.214.49.50.50926 > 192.168.1.2.500: isakmp v1.0 exchange ID_PROT
>     cookie: 8a916c9d9d2a418d->0000000000000000 msgid: 00000000 len: 904
> 15:03:12.593077 205.214.49.50.50941 > 192.168.1.2.500: isakmp v1.0 exchange ID_PROT
>     cookie: 46b9c64ee477376a->0000000000000000 msgid: 00000000 len: 904
> 15:03:16.627072 205.214.49.50.50941 > 192.168.1.2.500: isakmp v1.0 exchange ID_PROT
>     cookie: 46b9c64ee477376a->0000000000000000 msgid: 00000000 len: 904
> 15:03:19.848476 205.214.49.50.50926 > 192.168.1.2.500: isakmp v1.0 exchange ID_PROT
>     cookie: 8a916c9d9d2a418d->0000000000000000 msgid: 00000000 len: 904
> 15:03:24.704365 205.214.49.50.50941 > 192.168.1.2.500: isakmp v1.0 exchange ID_PROT
>     cookie: 46b9c64ee477376a->0000000000000000 msgid: 00000000 len: 904
> 15:03:35.988910 205.214.49.50.51028 > 192.168.1.2.500: isakmp v1.0 exchange ID_PROT
>     cookie: 8a916c9d9d2a418d->0000000000000000 msgid: 00000000 len: 904
> 15:03:40.781393 205.214.49.50.51042 > 192.168.1.2.500: isakmp v1.0 exchange ID_PROT
>     cookie: 46b9c64ee477376a->0000000000000000 msgid: 00000000 len: 904
> 15:04:08.311979 205.214.49.50.51125 > 192.168.1.2.500: isakmp v1.0 exchange INFO
>     cookie: 8a916c9d9d2a418d->0000000000000000 msgid: 7860f712 len: 56
> 15:04:12.947695 205.214.49.50.51142 > 192.168.1.2.500: isakmp v1.0 exchange INFO
>     cookie: 46b9c64ee477376a->0000000000000000 msgid: ad9ec40b len: 56
>
>
>
> ----------------------------------------------------------------------------
> This list is provided by the SecurityFocus ARIS analyzer service.
> For more information on this free incident handling, management
> and tracking system please see: http://aris.securityfocus.com
> ----------------------------------------------------------------------------
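As an added triage aid (not part of the thread), the following Python parses tcpdump's ISAKMP lines in the format quoted above, groups packets by initiator cookie, and reports for each attempt aimed at a host that should never speak IKE (the resolvers) whether the target ever replied, how many ID_PROT retransmissions were sent, whether the gaps doubled (1, 2, 4, 8 s, as in every dump above, which is what a client retrying a silent or mistyped peer looks like) and whether the initiator finished with an INFO exchange. The sample is a subset of item 1 from the post; the function names and the resolver set are my own.

```python
import re
from collections import defaultdict

# tcpdump's two-line ISAKMP output as quoted in the post: a header line, then an indented "cookie:" line
HDR = re.compile(r"(\d+):(\d+):([\d.]+) (\S+)\.(\d+) > (\S+)\.(\d+): isakmp v1\.0 exchange (\w+)")
CKY = re.compile(r"cookie: ([0-9a-f]{16})->([0-9a-f]{16}) msgid: [0-9a-f]{8} len: (\d+)")

def parse_isakmp(text):
    """Pair each header line with its cookie line; one dict per packet."""
    lines = [l.strip() for l in text.splitlines() if l.strip()]
    pkts = []
    for hdr, cky in zip(lines[0::2], lines[1::2]):
        h, c = HDR.match(hdr), CKY.match(cky)
        assert h and c, f"unparsed packet: {hdr!r} / {cky!r}"
        t = int(h[1]) * 3600 + int(h[2]) * 60 + float(h[3])
        pkts.append(dict(t=t, src=h[4], dst=h[6], exch=h[8], icky=c[1]))
    return pkts

def assess_sessions(pkts, non_vpn_hosts):
    """Group by initiator cookie; describe each attempt aimed at a host that never speaks IKE."""
    by_cookie = defaultdict(list)
    for p in sorted(pkts, key=lambda p: p["t"]):
        by_cookie[p["icky"]].append(p)
    report = {}
    for icky, ps in by_cookie.items():
        initiator, target = ps[0]["src"], ps[0]["dst"]
        if target not in non_vpn_hosts:
            continue
        sent = [p for p in ps if p["src"] == initiator]
        gaps = [b["t"] - a["t"] for a, b in zip(sent, sent[1:]) if b["exch"] == "ID_PROT"]
        report[icky] = dict(
            initiator=initiator, target=target,
            id_prot_retries=sum(p["exch"] == "ID_PROT" for p in sent),
            answered=any(p["src"] == target for p in ps),   # did the resolver ever reply?
            # gaps of 1, 2, 4, 8 ... s are an IKE stack retransmitting to a silent peer
            doubling_backoff=len(gaps) >= 2 and all(1.5 <= b / a <= 2.5 for a, b in zip(gaps, gaps[1:])),
            gave_up_with_info=sent[-1]["exch"] == "INFO",   # INFO exchange once it gives up
        )
    return report

# Subset of item 1 in the post: three main-mode retries at doubling intervals, then INFO.
SAMPLE = """
10:16:06.861543 128.163.130.31.500 > 192.168.1.2.500: isakmp v1.0 exchange ID_PROT
    cookie: 7e9fb9ad0f6a156d->0000000000000000 msgid: 00000000 len: 824
10:16:07.880193 128.163.130.31.500 > 192.168.1.2.500: isakmp v1.0 exchange ID_PROT
    cookie: 7e9fb9ad0f6a156d->0000000000000000 msgid: 00000000 len: 824
10:16:09.924159 128.163.130.31.500 > 192.168.1.2.500: isakmp v1.0 exchange ID_PROT
    cookie: 7e9fb9ad0f6a156d->0000000000000000 msgid: 00000000 len: 824
10:17:11.801050 128.163.130.31.500 > 192.168.1.2.500: isakmp v1.0 exchange INFO
    cookie: 7e9fb9ad0f6a156d->0000000000000000 msgid: 61f8b42c len: 56
"""
```

Run it as `assess_sessions(parse_isakmp(SAMPLE), {"192.168.1.2", "192.168.1.3"})`; a session that the target actually answers shows `answered=True` and no backoff pattern, which is the quickest way to separate a stuck client from a real IKE peer.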
This archive was generated by hypermail 2b30 : Thu Apr 04 2002 - 09:40:41 PST