Yup - ISAKMP (IKE) is UDP 500. On a Windows (Win2k or XP) box, you can set the option in local or group policy to either do "normal" communication, attempt to secure communication, or always use secure channel communication. It very well could be what you are seeing.

Spence

-----Original Message-----
From: wirepair [mailto:wirepairat_private]
Sent: Thursday, July 03, 2003 10:10 AM
To: edmund.ronayne; incidents
Subject: Re: UDP to port 500

It's most likely a Windows box; for some stupid reason they send out ISAKMP packets first to try to negotiate a secure connection. Then they default back to normal communication. At least this has been my experience...
-wire

On 03 Jul 2003 14:07:04 +0100 Edmund Ronayne <edmund.ronayneat_private> wrote:
>All,
>
> Is anybody seeing lots of UDP scans from 69.11.200.49 & 50?
>
> It started last night. If you try to connect to it on port 80 it also tries to send a UDP packet back.
>
> The netblock seems to be owned by BHOSTED.NET. Had a quick look at their website; the contact us page redirects to https, which seems to be down at the moment.
>
>Regards
>
>Ed
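An added example, not part of the original thread: one way to check whether a captured UDP/500 payload is a well-formed IKEv1 negotiation opener, as the replies suggest, or something else arriving on that port. It reads only the 28-byte ISAKMP fixed header from RFC 2408; the function names and the sample datagram are constructed for illustration.

```python
import struct

# ISAKMP fixed header (RFC 2408, section 3.1): 28 bytes, network byte order.
ISAKMP_HDR = struct.Struct("!8s8sBBBBII")
PAYLOAD_SA = 1                      # "next payload" value for a Security Association
EXCHANGES = {2: "main-mode", 4: "aggressive-mode"}   # IKEv1 phase 1 exchange types
ZERO_COOKIE = bytes(8)


def classify_udp500(payload: bytes) -> str:
    """Classify one UDP/500 payload by its ISAKMP header alone."""
    if len(payload) < ISAKMP_HDR.size:
        return "not-isakmp: shorter than the 28-byte header"
    (icookie, rcookie, next_payload, version,
     exchange, _flags, message_id, length) = ISAKMP_HDR.unpack_from(payload)
    if version != 0x10:             # major 1, minor 0 = IKEv1
        return "not-ikev1: version byte 0x%02x" % version
    if length != len(payload):
        return "malformed: header length %d, datagram %d" % (length, len(payload))
    if icookie == ZERO_COOKIE:
        return "malformed: zero initiator cookie"
    # First packet of a negotiation: the responder has not chosen a cookie yet,
    # the message ID is 0 and the first payload is the SA proposal.
    if (rcookie == ZERO_COOKIE and message_id == 0
            and next_payload == PAYLOAD_SA and exchange in EXCHANGES):
        return "ike-initiation: " + EXCHANGES[exchange]
    return "isakmp-other: exchange type %d" % exchange


def build_sample(exchange: int = 2, body: bytes = b"\x00" * 20) -> bytes:
    """Constructed test datagram; the body is filler, not a real SA payload."""
    header = ISAKMP_HDR.pack(b"\x11" * 8, ZERO_COOKIE, PAYLOAD_SA, 0x10,
                             exchange, 0, 0, ISAKMP_HDR.size + len(body))
    return header + body


if __name__ == "__main__":
    for name, data in [("constructed main-mode", build_sample()),
                       ("truncated", build_sample()[:-4]),
                       ("junk probe", b"\x00" * 12)]:
        print(name, "->", classify_udp500(data))
```

An `ike-initiation` result only shows the header is consistent with the start of an IKE exchange; it says nothing about which operating system sent it.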
This archive was generated by hypermail 2b30 : Sat Jul 05 2003 - 10:24:38 PDT