RE: UDP to port 500

From: Charles.Faschingat_private
Date: Thu Jul 03 2003 - 15:36:17 PDT

    Yup - ISAKMP (IKE) is UDP 500.  On a Windows (win2k or XP) box, you can 
    set the option in local or group policy to either do "normal" 
    communication, attempt to secure communication or always use secure 
    channel communication.  It very well could be what you are seeing.
    
    Spence
    
    -----Original Message-----
    From: wirepair [mailto:wirepairat_private] 
    Sent: Thursday, July 03, 2003 10:10 AM
    To: edmund.ronayne; incidents
    Subject: Re: UDP to port 500
    
    
    It's most likely a Windows box, for some stupid reason they 
    send out ISAKMP packets first to try to negotiate a secure 
    connection. Then they default back to normal 
    communication.
    Least this has been my experience...
    -wire
    On 03 Jul 2003 14:07:04 +0100
      Edmund Ronayne <edmund.ronayneat_private> wrote:
    >All,
    >
    >	Is anybody seeing lots of UDP scans from 69.11.200.49 & 50?
    >
    >	It started last night. If you try to connect to it on port 80 it also
    >tries to send a UDP packet back.
    >
    >	The netblock seems to be owned by BHOSTED.NET. Had a quick look at their
    >website; the contact us page redirects to https, which seems to be down at
    >the moment.
    >
    >
    >Regards
    >
    >Ed
    >
    >
    >
    >-----------------------------------------------------------------------
    -----
    >Attend the Black Hat Briefings & Training, July 28 - 31 
    >in Las Vegas, the 
    >world's premier technical IT security event! 10 tracks, 
    >15 training sessions, 
    >1,800 delegates from 30 nations including all of the top 
    >experts, from CSO's to 
    >"underground" security specialists.  See for yourself 
    >what the buzz is about!  
    >Early-bird registration ends July 3.  This event will 
    >sell out. www.blackhat.com
    >-----------------------------------------------------------------------
    ----
    >
    
    



    This archive was generated by hypermail 2b30 : Sat Jul 05 2003 - 10:24:38 PDT
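
Added example, not part of the original thread: a triage helper that checks whether a captured UDP/500 payload carries a well-formed IKEv1 ISAKMP header (RFC 2408, section 3.1) and whether it is the first message of a phase 1 negotiation, which is what the replies above suggest the traffic is. The function names, the labels returned and the sample packet are assumptions of this example, and rejecting an all-zero initiator cookie is a heuristic chosen here.

```python
import struct

# ISAKMP fixed header, RFC 2408 section 3.1 (28 bytes, network byte order):
# initiator cookie, responder cookie, next payload, version, exchange type,
# flags, message ID, total message length.
HEADER = struct.Struct("!8s8sBBBBII")
ZERO_COOKIE = b"\x00" * 8
EXCHANGES = {1: "Base", 2: "Identity Protection (Main Mode)",
             3: "Authentication Only", 4: "Aggressive", 5: "Informational"}


def parse_isakmp(payload):
    """Return the header fields as a dict, or None if this is not plausible IKEv1."""
    if len(payload) < HEADER.size:
        return None
    icookie, rcookie, next_payload, version, exchange, flags, msg_id, length = \
        HEADER.unpack_from(payload)
    if version != 0x10:                            # major version 1, minor 0
        return None
    if icookie == ZERO_COOKIE:                     # heuristic: implausible initiator cookie
        return None
    if not HEADER.size <= length <= len(payload):  # bogus or truncated length
        return None
    return {"initiator_cookie": icookie.hex(), "responder_cookie": rcookie.hex(),
            "next_payload": next_payload, "exchange_type": exchange,
            "exchange": EXCHANGES.get(exchange, f"type {exchange}"),
            "flags": flags, "message_id": msg_id, "length": length}


def classify(payload):
    """Label a UDP/500 payload for triage."""
    hdr = parse_isakmp(payload)
    if hdr is None:
        return "not-isakmp"
    # The first phase 1 message has a zero responder cookie and message ID 0.
    first = hdr["responder_cookie"] == ZERO_COOKIE.hex() and hdr["message_id"] == 0
    if first and hdr["exchange_type"] in (2, 4):   # Main Mode or Aggressive
        return "ike-phase1-initial"
    return "isakmp-other"


# Constructed sample: header of a first Main Mode message followed by a
# 4-byte placeholder payload header (not a complete SA payload).
SAMPLE_MAIN_MODE = HEADER.pack(bytes.fromhex("1122334455667788"), ZERO_COOKIE,
                               1, 0x10, 2, 0, 0, HEADER.size + 4) + b"\x00\x00\x00\x04"

if __name__ == "__main__":
    for name, data in [("main mode", SAMPLE_MAIN_MODE), ("junk", b"\x00" * 40)]:
        print(name, "->", classify(data))
```

Payloads labelled `not-isakmp` on UDP 500 do not match an opportunistic IPsec negotiation and are worth a closer look.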