This may be a Free S/Wan client or a Windows 2000 client configured with "opportunistic" encryption. By default, they will first try IPSEC connections (UDP port 500 as in your trace) to attempt a secure connection. If there is no response, they will then try a normal TCP connection. Try connecting to the source with IPSEC and see if it responds.

-----Original Message-----
From: Mike Lewinski [mailto:mikeat_private]
Sent: Wed April 03 2002 17:41
To: incidentsat_private
Subject: VPN connection attempts to resolvers?

We've observed what appear to be attempts to establish a VPN connection to our caching-only resolvers. I have commented each of the packet dumps below. None of our nameservers provide any VPN services, and never have. Since I am not a VPN expert, I'm wondering if anyone else can shed some light on what might be going on here. Is this just a brain-dead VPN client that's making bad assumptions about its resolvers? Or is there something more malicious going on? The traffic was picked up after a SYN flood to one of the DNS servers led to further investigation.

1) Source address belongs to University of Kentucky, and is most definitely NOT on our network.
It made just this single attempt at one of our NS whose IP is munged as 192.168.1.2

10:16:06.861543 128.163.130.31.500 > 192.168.1.2.500: isakmp v1.0 exchange ID_PROT cookie: 7e9fb9ad0f6a156d->0000000000000000 msgid: 00000000 len: 824
10:16:07.880193 128.163.130.31.500 > 192.168.1.2.500: isakmp v1.0 exchange ID_PROT cookie: 7e9fb9ad0f6a156d->0000000000000000 msgid: 00000000 len: 824
10:16:09.924159 128.163.130.31.500 > 192.168.1.2.500: isakmp v1.0 exchange ID_PROT cookie: 7e9fb9ad0f6a156d->0000000000000000 msgid: 00000000 len: 824
10:16:14.017524 128.163.130.31.500 > 192.168.1.2.500: isakmp v1.0 exchange ID_PROT cookie: 7e9fb9ad0f6a156d->0000000000000000 msgid: 00000000 len: 824
10:16:22.237762 128.163.130.31.500 > 192.168.1.2.500: isakmp v1.0 exchange ID_PROT cookie: 7e9fb9ad0f6a156d->0000000000000000 msgid: 00000000 len: 824
10:16:38.849207 128.163.130.31.500 > 192.168.1.2.500: isakmp v1.0 exchange ID_PROT cookie: 7e9fb9ad0f6a156d->0000000000000000 msgid: 00000000 len: 824
10:17:11.801050 128.163.130.31.500 > 192.168.1.2.500: isakmp v1.0 exchange INFO cookie: 7e9fb9ad0f6a156d->0000000000000000 msgid: 61f8b42c len: 56

2) Source address (munged as 10.10.10.2) is a client on our network, who would have the 192.168.1.2 in their resolver list (yes, we're trying to contact this owner to get more information).

12:44:33.013871 10.10.10.2.500 > 192.168.1.2.500: isakmp v1.0 exchange ID_PROT cookie: 42d1fd3af522ccac->0000000000000000 msgid: 00000000 len: 584
12:44:34.013281 10.10.10.2.500 > 192.168.1.2.500: isakmp v1.0 exchange ID_PROT cookie: 42d1fd3af522ccac->0000000000000000 msgid: 00000000 len: 584
12:44:36.029620 10.10.10.2.500 > 192.168.1.2.500: isakmp v1.0 exchange ID_PROT cookie: 42d1fd3af522ccac->0000000000000000 msgid: 00000000 len: 584
12:44:40.045468 10.10.10.2.500 > 192.168.1.2.500: isakmp v1.0 exchange ID_PROT cookie: 42d1fd3af522ccac->0000000000000000 msgid: 00000000 len: 584
12:44:48.080488 10.10.10.2.500 > 192.168.1.2.500: isakmp v1.0 exchange ID_PROT cookie: 42d1fd3af522ccac->0000000000000000 msgid: 00000000 len: 584
12:45:04.108008 10.10.10.2.500 > 192.168.1.2.500: isakmp v1.0 exchange ID_PROT cookie: 42d1fd3af522ccac->0000000000000000 msgid: 00000000 len: 584
12:45:36.139212 10.10.10.2.500 > 192.168.1.2.500: isakmp v1.0 exchange INFO cookie: 42d1fd3af522ccac->0000000000000000 msgid: 0ca4d811 len: 56

3) Same source address as #2 above to the other resolver here.

12:44:31.994895 10.10.10.2.500 > 192.168.1.3.500: isakmp v1.0 exchange ID_PROT cookie: 40ddc79fba64eddc->0000000000000000 msgid: 00000000 len: 584
12:44:32.985435 10.10.10.2.500 > 192.168.1.3.500: isakmp v1.0 exchange ID_PROT cookie: 40ddc79fba64eddc->0000000000000000 msgid: 00000000 len: 584
12:44:34.987583 10.10.10.2.500 > 192.168.1.3.500: isakmp v1.0 exchange ID_PROT cookie: 40ddc79fba64eddc->0000000000000000 msgid: 00000000 len: 584
12:44:39.003313 10.10.10.2.500 > 192.168.1.3.500: isakmp v1.0 exchange ID_PROT cookie: 40ddc79fba64eddc->0000000000000000 msgid: 00000000 len: 584
12:44:47.032735 10.10.10.2.500 > 192.168.1.3.500: isakmp v1.0 exchange ID_PROT cookie: 40ddc79fba64eddc->0000000000000000 msgid: 00000000 len: 584
12:45:03.065870 10.10.10.2.500 > 192.168.1.3.500: isakmp v1.0 exchange ID_PROT cookie: 40ddc79fba64eddc->0000000000000000 msgid: 00000000 len: 584
12:45:35.093469 10.10.10.2.500 > 192.168.1.3.500: isakmp v1.0 exchange INFO cookie: 40ddc79fba64eddc->0000000000000000 msgid: 2ffd6531 len: 56

4) Source IP 205.214.49.50 is NOT on our network and is not known to us as belonging to a client.

15:03:04.587449 205.214.49.50.50926 > 192.168.1.2.500: isakmp v1.0 exchange ID_PROT cookie: 8a916c9d9d2a418d->0000000000000000 msgid: 00000000 len: 904
15:03:05.613654 205.214.49.50.50926 > 192.168.1.2.500: isakmp v1.0 exchange ID_PROT cookie: 8a916c9d9d2a418d->0000000000000000 msgid: 00000000 len: 904
15:03:07.645706 205.214.49.50.50926 > 192.168.1.2.500: isakmp v1.0 exchange ID_PROT cookie: 8a916c9d9d2a418d->0000000000000000 msgid: 00000000 len: 904
15:03:09.578398 205.214.49.50.50941 > 192.168.1.2.500: isakmp v1.0 exchange ID_PROT cookie: 46b9c64ee477376a->0000000000000000 msgid: 00000000 len: 904
15:03:10.594456 205.214.49.50.50941 > 192.168.1.2.500: isakmp v1.0 exchange ID_PROT cookie: 46b9c64ee477376a->0000000000000000 msgid: 00000000 len: 904
15:03:11.770808 205.214.49.50.50926 > 192.168.1.2.500: isakmp v1.0 exchange ID_PROT cookie: 8a916c9d9d2a418d->0000000000000000 msgid: 00000000 len: 904
15:03:12.593077 205.214.49.50.50941 > 192.168.1.2.500: isakmp v1.0 exchange ID_PROT cookie: 46b9c64ee477376a->0000000000000000 msgid: 00000000 len: 904
15:03:16.627072 205.214.49.50.50941 > 192.168.1.2.500: isakmp v1.0 exchange ID_PROT cookie: 46b9c64ee477376a->0000000000000000 msgid: 00000000 len: 904
15:03:19.848476 205.214.49.50.50926 > 192.168.1.2.500: isakmp v1.0 exchange ID_PROT cookie: 8a916c9d9d2a418d->0000000000000000 msgid: 00000000 len: 904
15:03:24.704365 205.214.49.50.50941 > 192.168.1.2.500: isakmp v1.0 exchange ID_PROT cookie: 46b9c64ee477376a->0000000000000000 msgid: 00000000 len: 904
15:03:35.988910 205.214.49.50.51028 > 192.168.1.2.500: isakmp v1.0 exchange ID_PROT cookie: 8a916c9d9d2a418d->0000000000000000 msgid: 00000000 len: 904
15:03:40.781393 205.214.49.50.51042 > 192.168.1.2.500: isakmp v1.0 exchange ID_PROT cookie: 46b9c64ee477376a->0000000000000000 msgid: 00000000 len: 904
15:04:08.311979 205.214.49.50.51125 > 192.168.1.2.500: isakmp v1.0 exchange INFO cookie: 8a916c9d9d2a418d->0000000000000000 msgid: 7860f712 len: 56
15:04:12.947695 205.214.49.50.51142 > 192.168.1.2.500: isakmp v1.0 exchange INFO cookie: 46b9c64ee477376a->0000000000000000 msgid: ad9ec40b len: 56

----------------------------------------------------------------------------
This list is provided by the SecurityFocus ARIS analyzer service.
For more information on this free incident handling, management
and tracking system please see: http://aris.securityfocus.com
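The traces in the thread can be triaged mechanically. The script below is an added example and is not part of either message: it parses tcpdump's one-line isakmp summaries, groups packets by (source, destination, initiator cookie), and reports for each attempt whether the responder cookie ever left all-zeros (the resolver never answered if it did not), the spacing between the ID_PROT retransmits, the source ports used, and whether the attempt ended in an INFO exchange. The embedded sample input is traces 1 and 4 from the original post (the last line rejoined after being split by extraction); the regex, the classification labels and the 1.5x to 2.5x "doubling" tolerance are this example's own choices, not anything from the post.

```python
import re
from collections import defaultdict

# Sample input: traces 1 and 4 from the post, one tcpdump line per packet.
SAMPLE = """\
10:16:06.861543 128.163.130.31.500 > 192.168.1.2.500: isakmp v1.0 exchange ID_PROT cookie: 7e9fb9ad0f6a156d->0000000000000000 msgid: 00000000 len: 824
10:16:07.880193 128.163.130.31.500 > 192.168.1.2.500: isakmp v1.0 exchange ID_PROT cookie: 7e9fb9ad0f6a156d->0000000000000000 msgid: 00000000 len: 824
10:16:09.924159 128.163.130.31.500 > 192.168.1.2.500: isakmp v1.0 exchange ID_PROT cookie: 7e9fb9ad0f6a156d->0000000000000000 msgid: 00000000 len: 824
10:16:14.017524 128.163.130.31.500 > 192.168.1.2.500: isakmp v1.0 exchange ID_PROT cookie: 7e9fb9ad0f6a156d->0000000000000000 msgid: 00000000 len: 824
10:16:22.237762 128.163.130.31.500 > 192.168.1.2.500: isakmp v1.0 exchange ID_PROT cookie: 7e9fb9ad0f6a156d->0000000000000000 msgid: 00000000 len: 824
10:16:38.849207 128.163.130.31.500 > 192.168.1.2.500: isakmp v1.0 exchange ID_PROT cookie: 7e9fb9ad0f6a156d->0000000000000000 msgid: 00000000 len: 824
10:17:11.801050 128.163.130.31.500 > 192.168.1.2.500: isakmp v1.0 exchange INFO cookie: 7e9fb9ad0f6a156d->0000000000000000 msgid: 61f8b42c len: 56
15:03:04.587449 205.214.49.50.50926 > 192.168.1.2.500: isakmp v1.0 exchange ID_PROT cookie: 8a916c9d9d2a418d->0000000000000000 msgid: 00000000 len: 904
15:03:05.613654 205.214.49.50.50926 > 192.168.1.2.500: isakmp v1.0 exchange ID_PROT cookie: 8a916c9d9d2a418d->0000000000000000 msgid: 00000000 len: 904
15:03:07.645706 205.214.49.50.50926 > 192.168.1.2.500: isakmp v1.0 exchange ID_PROT cookie: 8a916c9d9d2a418d->0000000000000000 msgid: 00000000 len: 904
15:03:09.578398 205.214.49.50.50941 > 192.168.1.2.500: isakmp v1.0 exchange ID_PROT cookie: 46b9c64ee477376a->0000000000000000 msgid: 00000000 len: 904
15:03:10.594456 205.214.49.50.50941 > 192.168.1.2.500: isakmp v1.0 exchange ID_PROT cookie: 46b9c64ee477376a->0000000000000000 msgid: 00000000 len: 904
15:03:11.770808 205.214.49.50.50926 > 192.168.1.2.500: isakmp v1.0 exchange ID_PROT cookie: 8a916c9d9d2a418d->0000000000000000 msgid: 00000000 len: 904
15:03:12.593077 205.214.49.50.50941 > 192.168.1.2.500: isakmp v1.0 exchange ID_PROT cookie: 46b9c64ee477376a->0000000000000000 msgid: 00000000 len: 904
15:03:16.627072 205.214.49.50.50941 > 192.168.1.2.500: isakmp v1.0 exchange ID_PROT cookie: 46b9c64ee477376a->0000000000000000 msgid: 00000000 len: 904
15:03:19.848476 205.214.49.50.50926 > 192.168.1.2.500: isakmp v1.0 exchange ID_PROT cookie: 8a916c9d9d2a418d->0000000000000000 msgid: 00000000 len: 904
15:03:24.704365 205.214.49.50.50941 > 192.168.1.2.500: isakmp v1.0 exchange ID_PROT cookie: 46b9c64ee477376a->0000000000000000 msgid: 00000000 len: 904
15:03:35.988910 205.214.49.50.51028 > 192.168.1.2.500: isakmp v1.0 exchange ID_PROT cookie: 8a916c9d9d2a418d->0000000000000000 msgid: 00000000 len: 904
15:03:40.781393 205.214.49.50.51042 > 192.168.1.2.500: isakmp v1.0 exchange ID_PROT cookie: 46b9c64ee477376a->0000000000000000 msgid: 00000000 len: 904
15:04:08.311979 205.214.49.50.51125 > 192.168.1.2.500: isakmp v1.0 exchange INFO cookie: 8a916c9d9d2a418d->0000000000000000 msgid: 7860f712 len: 56
15:04:12.947695 205.214.49.50.51142 > 192.168.1.2.500: isakmp v1.0 exchange INFO cookie: 46b9c64ee477376a->0000000000000000 msgid: ad9ec40b len: 56
"""

# Shape of tcpdump's one-line isakmp summary as printed in the post (this example's own regex).
LINE = re.compile(
    r"^(?P<ts>\d\d:\d\d:\d\d\.\d{1,6}) "
    r"(?P<src>\d+\.\d+\.\d+\.\d+)\.(?P<sport>\d+) > "
    r"(?P<dst>\d+\.\d+\.\d+\.\d+)\.(?P<dport>\d+): "
    r"isakmp v(?P<ver>[\d.]+) exchange (?P<exch>\S+) "
    r"cookie: (?P<icookie>[0-9a-f]{16})->(?P<rcookie>[0-9a-f]{16}) "
    r"msgid: (?P<msgid>[0-9a-f]{8}) len: (?P<len>\d+)$"
)
ZERO_COOKIE = "0" * 16


def micros(ts):
    """HH:MM:SS.ffffff -> integer microseconds since midnight (exact, no float drift)."""
    hms, frac = ts.split(".")
    h, m, s = (int(x) for x in hms.split(":"))
    return (h * 3600 + m * 60 + s) * 1_000_000 + int(frac.ljust(6, "0"))


def parse(text):
    """Return one dict per line that matches the isakmp summary shape; other lines are skipped."""
    recs = []
    for line in text.splitlines():
        m = LINE.match(line.strip())
        if m:
            d = m.groupdict()
            d["t"] = micros(d["ts"])
            recs.append(d)
    return recs


def sessions(recs):
    """Group packets by (src, dst, initiator cookie): one IKE phase-1 attempt per key."""
    groups = defaultdict(list)
    for r in recs:
        groups[(r["src"], r["dst"], r["icookie"])].append(r)
    out = {}
    for key, pk in groups.items():
        pk.sort(key=lambda r: r["t"])
        main = [r for r in pk if r["exch"] == "ID_PROT"]
        out[key] = {
            "attempts": len(main),
            # A responder that replied would have filled in its own cookie.
            "answered": any(r["rcookie"] != ZERO_COOKIE for r in pk),
            "gaps_s": [round((b["t"] - a["t"]) / 1e6, 1) for a, b in zip(main, main[1:])],
            "sports": sorted({int(r["sport"]) for r in pk}),
            "last_exchange": pk[-1]["exch"],
            "duration_s": round((pk[-1]["t"] - pk[0]["t"]) / 1e6, 1),
        }
    return out


def backs_off(gaps):
    """True if each retransmit gap is roughly double the previous one (tolerance is this example's choice)."""
    return len(gaps) >= 2 and all(1.5 * a <= b <= 2.5 * a for a, b in zip(gaps, gaps[1:]))


def classify(s):
    """Plain-language label for one attempt; labels are this example's own wording."""
    if s["answered"]:
        return "answered: a real IKE negotiation took place"
    if s["attempts"] >= 3 and backs_off(s["gaps_s"]) and s["last_exchange"] == "INFO":
        return "unanswered: main-mode retries with backoff, then an INFO exchange (client that expected a gateway)"
    if s["attempts"] == 1:
        return "unanswered: single packet (probe-like)"
    return "unanswered: retries without a clear pattern"


def report(text):
    return {key: classify(s) for key, s in sessions(parse(text)).items()}


if __name__ == "__main__":
    for key, s in sessions(parse(SAMPLE)).items():
        print(key, s["attempts"], s["gaps_s"], s["sports"], "->", classify(s))
```

On the sample, every attempt comes out as unanswered retries with doubling gaps (about 1, 2, 4, 8, 16 seconds) followed by a single INFO packet roughly a minute after the first try, and the responder cookie never leaves zero, which is what a host with no IKE daemon produces. The same parser also makes visible that the fourth trace interleaves two initiator cookies from one host and that its source port moves between 50926/50941 and later ports within one cookie, which is worth noting when deciding whether the sender sits behind address translation. Running it over a capture of your own IKE attempt toward the source, as the reply suggests, shows directly whether that host's responder cookie gets filled in.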
This archive was generated by hypermail 2b30 : Thu Apr 04 2002 - 11:32:10 PST