Security Incidents: RE: VPN connection attempts to resolvers?

RE: VPN connection attempts to resolvers?

From: Coochey, Giles <g.coochey_at_btinternet.com>
Date: Thu, 4 Apr 2002 09:09:46 +0100

This is most likely innocent activity - probably a VPN client configured
somewhere with a mistyped peer IP address. Was the SYN flood you detected
from the same machine?

ISAKMP is usually the initial part of an IPsec authentication routine.

Thanks

Giles

> -----Original Message-----
> From: Mike Lewinski [mailto:mike_at_rockynet.com]
> Sent: 03 April 2002 23:41
> To: incidents_at_securityfocus.com
> Subject: VPN connection attempts to resolvers?
>
>
> We've observed what appear to be attempts to establish a VPN connection to our caching-only resolvers. I have commented each of the packet dumps below. None of our nameservers provide any VPN services, and never have.
>
> Since I am not a VPN expert, I'm wondering if anyone else can shed some light on what might be going on here. Is this just a brain-dead VPN client that's making bad assumptions about its resolvers? Or is there something more malicious going on? The traffic was picked up after a SYN flood to one of the DNS servers led to further investigation.
>
>
> 1) Source address belongs to University of Kentucky, and is most definitely NOT on our network. It made just this single attempt at one of our NS whose IP is munged as 192.168.1.2
>
> 10:16:06.861543 128.163.130.31.500 > 192.168.1.2.500: isakmp v1.0 exchange ID_PROT cookie: 7e9fb9ad0f6a156d->0000000000000000 msgid: 00000000 len: 824
>
> 10:16:07.880193 128.163.130.31.500 > 192.168.1.2.500: isakmp v1.0 exchange ID_PROT cookie: 7e9fb9ad0f6a156d->0000000000000000 msgid: 00000000 len: 824
>
> 10:16:09.924159 128.163.130.31.500 > 192.168.1.2.500: isakmp v1.0 exchange ID_PROT cookie: 7e9fb9ad0f6a156d->0000000000000000 msgid: 00000000 len: 824
>
> 10:16:14.017524 128.163.130.31.500 > 192.168.1.2.500: isakmp v1.0 exchange ID_PROT cookie: 7e9fb9ad0f6a156d->0000000000000000 msgid: 00000000 len: 824
>
> 10:16:22.237762 128.163.130.31.500 > 192.168.1.2.500: isakmp v1.0 exchange ID_PROT cookie: 7e9fb9ad0f6a156d->0000000000000000 msgid: 00000000 len: 824
>
> 10:16:38.849207 128.163.130.31.500 > 192.168.1.2.500: isakmp v1.0 exchange ID_PROT cookie: 7e9fb9ad0f6a156d->0000000000000000 msgid: 00000000 len: 824
>
> 10:17:11.801050 128.163.130.31.500 > 192.168.1.2.500: isakmp v1.0 exchange INFO cookie: 7e9fb9ad0f6a156d->0000000000000000 msgid: 61f8b42c len: 56
>
>
> 2) Source address (munged as 10.10.10.2) is a client on our network, who
> would have the 192.168.1.2 in their resolver list (yes, we're trying to
> contact this owner to get more information).
>
> 12:44:33.013871 10.10.10.2.500 > 192.168.1.2.500: isakmp v1.0 exchange ID_PROT cookie: 42d1fd3af522ccac->0000000000000000 msgid: 00000000 len: 584
> 12:44:34.013281 10.10.10.2.500 > 192.168.1.2.500: isakmp v1.0 exchange ID_PROT cookie: 42d1fd3af522ccac->0000000000000000 msgid: 00000000 len: 584
> 12:44:36.029620 10.10.10.2.500 > 192.168.1.2.500: isakmp v1.0 exchange ID_PROT cookie: 42d1fd3af522ccac->0000000000000000 msgid: 00000000 len: 584
> 12:44:40.045468 10.10.10.2.500 > 192.168.1.2.500: isakmp v1.0 exchange ID_PROT cookie: 42d1fd3af522ccac->0000000000000000 msgid: 00000000 len: 584
> 12:44:48.080488 10.10.10.2.500 > 192.168.1.2.500: isakmp v1.0 exchange ID_PROT cookie: 42d1fd3af522ccac->0000000000000000 msgid: 00000000 len: 584
> 12:45:04.108008 10.10.10.2.500 > 192.168.1.2.500: isakmp v1.0 exchange ID_PROT cookie: 42d1fd3af522ccac->0000000000000000 msgid: 00000000 len: 584
> 12:45:36.139212 10.10.10.2.500 > 192.168.1.2.500: isakmp v1.0 exchange INFO cookie: 42d1fd3af522ccac->0000000000000000 msgid: 0ca4d811 len: 56
>
> 3) Same source address as #2 above to the other resolver here.
>
> 12:44:31.994895 10.10.10.2.500 > 192.168.1.3.500: isakmp v1.0 exchange ID_PROT cookie: 40ddc79fba64eddc->0000000000000000 msgid: 00000000 len: 584
> 12:44:32.985435 10.10.10.2.500 > 192.168.1.3.500: isakmp v1.0 exchange ID_PROT cookie: 40ddc79fba64eddc->0000000000000000 msgid: 00000000 len: 584
> 12:44:34.987583 10.10.10.2.500 > 192.168.1.3.500: isakmp v1.0 exchange ID_PROT cookie: 40ddc79fba64eddc->0000000000000000 msgid: 00000000 len: 584
> 12:44:39.003313 10.10.10.2.500 > 192.168.1.3.500: isakmp v1.0 exchange ID_PROT cookie: 40ddc79fba64eddc->0000000000000000 msgid: 00000000 len: 584
> 12:44:47.032735 10.10.10.2.500 > 192.168.1.3.500: isakmp v1.0 exchange ID_PROT cookie: 40ddc79fba64eddc->0000000000000000 msgid: 00000000 len: 584
> 12:45:03.065870 10.10.10.2.500 > 192.168.1.3.500: isakmp v1.0 exchange ID_PROT cookie: 40ddc79fba64eddc->0000000000000000 msgid: 00000000 len: 584
> 12:45:35.093469 10.10.10.2.500 > 192.168.1.3.500: isakmp v1.0 exchange INFO cookie: 40ddc79fba64eddc->0000000000000000 msgid: 2ffd6531 len: 56
>
> 4) Source IP 205.214.49.50 is NOT on our network and is not known to us as belonging to a client.
>
> 15:03:04.587449 205.214.49.50.50926 > 192.168.1.2.500: isakmp v1.0 exchange ID_PROT cookie: 8a916c9d9d2a418d->0000000000000000 msgid: 00000000 len: 904
> 15:03:05.613654 205.214.49.50.50926 > 192.168.1.2.500: isakmp v1.0 exchange ID_PROT cookie: 8a916c9d9d2a418d->0000000000000000 msgid: 00000000 len: 904
> 15:03:07.645706 205.214.49.50.50926 > 192.168.1.2.500: isakmp v1.0 exchange ID_PROT cookie: 8a916c9d9d2a418d->0000000000000000 msgid: 00000000 len: 904
> 15:03:09.578398 205.214.49.50.50941 > 192.168.1.2.500: isakmp v1.0 exchange ID_PROT cookie: 46b9c64ee477376a->0000000000000000 msgid: 00000000 len: 904
> 15:03:10.594456 205.214.49.50.50941 > 192.168.1.2.500: isakmp v1.0 exchange ID_PROT cookie: 46b9c64ee477376a->0000000000000000 msgid: 00000000 len: 904
> 15:03:11.770808 205.214.49.50.50926 > 192.168.1.2.500: isakmp v1.0 exchange ID_PROT cookie: 8a916c9d9d2a418d->0000000000000000 msgid: 00000000 len: 904
> 15:03:12.593077 205.214.49.50.50941 > 192.168.1.2.500: isakmp v1.0 exchange ID_PROT cookie: 46b9c64ee477376a->0000000000000000 msgid: 00000000 len: 904
> 15:03:16.627072 205.214.49.50.50941 > 192.168.1.2.500: isakmp v1.0 exchange ID_PROT cookie: 46b9c64ee477376a->0000000000000000 msgid: 00000000 len: 904
> 15:03:19.848476 205.214.49.50.50926 > 192.168.1.2.500: isakmp v1.0 exchange ID_PROT cookie: 8a916c9d9d2a418d->0000000000000000 msgid: 00000000 len: 904
> 15:03:24.704365 205.214.49.50.50941 > 192.168.1.2.500: isakmp v1.0 exchange ID_PROT cookie: 46b9c64ee477376a->0000000000000000 msgid: 00000000 len: 904
> 15:03:35.988910 205.214.49.50.51028 > 192.168.1.2.500: isakmp v1.0 exchange ID_PROT cookie: 8a916c9d9d2a418d->0000000000000000 msgid: 00000000 len: 904
> 15:03:40.781393 205.214.49.50.51042 > 192.168.1.2.500: isakmp v1.0 exchange ID_PROT cookie: 46b9c64ee477376a->0000000000000000 msgid: 00000000 len: 904
> 15:04:08.311979 205.214.49.50.51125 > 192.168.1.2.500: isakmp v1.0 exchange INFO cookie: 8a916c9d9d2a418d->0000000000000000 msgid: 7860f712 len: 56
> 15:04:12.947695 205.214.49.50.51142 > 192.168.1.2.500: isakmp v1.0 exchange INFO cookie: 46b9c64ee477376a->0000000000000000 msgid: ad9ec40b len: 56
>
>
>
> ----------------------------------------------------------------------------
> This list is provided by the SecurityFocus ARIS analyzer service.
> For more information on this free incident handling, management
> and tracking system please see: http://aris.securityfocus.com
>

----------------------------------------------------------------------------
This list is provided by the SecurityFocus ARIS analyzer service.
For more information on this free incident handling, management
and tracking system please see: http://aris.securityfocus.com
Received on Apr 04 2002
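The quoted dumps share a pattern that supports the "misconfigured client" reading: every packet carries an all-zero responder cookie (the resolver never replied), the ID_PROT retries are spaced roughly 1, 2, 4, 8, 16 seconds apart (a client retransmit timer), and an INFO exchange follows once the client gives up. The script below is an added example, not part of this post or of any tool it mentions: it rejoins tcpdump isakmp lines as a mail client wrapped them, groups packets by initiator cookie, and reports those facts for any destination that should never negotiate IKE. `RESOLVERS` is an assumed list built from the munged addresses in the post, and `SAMPLE` is the post's dump #1.

```python
"""Summarise ISAKMP phase-1 initiations in tcpdump output and flag those aimed
at hosts that offer no IPsec service. Added example, not the post's own code;
RESOLVERS is assumed and SAMPLE is the post's dump #1 as the mail wrapped it."""
import re
from collections import defaultdict
from datetime import datetime

# Assumed: munged addresses of the caching resolvers, which never speak IKE.
RESOLVERS = {"192.168.1.2", "192.168.1.3"}
ZERO_COOKIE = "0" * 16  # responder cookie stays zero until the responder replies

TS_RE = re.compile(r"\d\d:\d\d:\d\d\.\d+ ")
LINE_RE = re.compile(
    r"^(?P<ts>\d\d:\d\d:\d\d\.\d+)\s+(?P<src>[\d.]+)\.(?P<sport>\d+)\s+>\s+"
    r"(?P<dst>[\d.]+)\.(?P<dport>\d+):\s+isakmp\s+v[\d.]+\s+exchange\s+(?P<exch>\S+)\s+"
    r"cookie:\s+(?P<icookie>[0-9a-f]{16})->(?P<rcookie>[0-9a-f]{16})\s+"
    r"msgid:\s+[0-9a-f]{8}\s+len:\s+(?P<len>\d+)\s*$"
)

SAMPLE = """\
10:16:06.861543 128.163.130.31.500 > 192.168.1.2.500: isakmp v1.0 exchange ID_PROT
cookie: 7e9fb9ad0f6a156d->0000000000000000 msgid: 00000000 len: 824
10:16:07.880193 128.163.130.31.500 > 192.168.1.2.500: isakmp v1.0 exchange ID_PROT
cookie: 7e9fb9ad0f6a156d->0000000000000000 msgid: 00000000 len: 824
10:16:09.924159 128.163.130.31.500 > 192.168.1.2.500: isakmp v1.0 exchange ID_PROT
cookie: 7e9fb9ad0f6a156d->0000000000000000 msgid: 00000000 len: 824
10:16:14.017524 128.163.130.31.500 > 192.168.1.2.500: isakmp v1.0 exchange ID_PROT
cookie: 7e9fb9ad0f6a156d->0000000000000000 msgid: 00000000 len: 824
10:16:22.237762 128.163.130.31.500 > 192.168.1.2.500: isakmp v1.0 exchange ID_PROT
cookie: 7e9fb9ad0f6a156d->0000000000000000 msgid: 00000000 len: 824
10:16:38.849207 128.163.130.31.500 > 192.168.1.2.500: isakmp v1.0 exchange ID_PROT
cookie: 7e9fb9ad0f6a156d->0000000000000000 msgid: 00000000 len: 824
10:17:11.801050 128.163.130.31.500 > 192.168.1.2.500: isakmp v1.0 exchange INFO
cookie: 7e9fb9ad0f6a156d->0000000000000000 msgid: 61f8b42c len: 56
"""


def unwrap(text):
    """Rejoin packets a mail client wrapped: a non-empty line that does not start
    with a timestamp continues the previous packet. Leading '> ' quoting is dropped."""
    packets = []
    for raw in text.splitlines():
        line = raw.strip().lstrip("> ").strip()
        if not line:
            continue
        if TS_RE.match(line) or not packets:
            packets.append(line)
        else:
            packets[-1] += " " + line
    return packets


def parse(text):
    """One dict per isakmp packet; lines that do not match the format are skipped."""
    out = []
    for line in unwrap(text):
        m = LINE_RE.match(line)
        if m:
            d = m.groupdict()
            d["ts"] = datetime.strptime(d["ts"], "%H:%M:%S.%f")
            out.append(d)
    return out


def looks_like_backoff(gaps):
    """True when each gap is roughly double the previous one: the signature of a
    client retransmit timer that keeps firing because no reply ever arrives."""
    return len(gaps) >= 2 and all(1.5 <= b / a <= 2.5 for a, b in zip(gaps, gaps[1:]))


def summarize(text):
    """Group by (initiator, responder, initiator cookie) and describe each phase-1
    attempt: ID_PROT retransmissions and their spacing, whether the initiator ever
    carried a non-zero responder cookie (i.e. got a reply), and whether INFO followed."""
    groups = defaultdict(list)
    for p in parse(text):
        groups[(p["src"], p["dst"], p["icookie"])].append(p)
    result = []
    for (src, dst, icookie), pkts in groups.items():
        pkts.sort(key=lambda p: p["ts"])
        idprot = [p for p in pkts if p["exch"] == "ID_PROT"]
        gaps = [round((b["ts"] - a["ts"]).total_seconds(), 2) for a, b in zip(idprot, idprot[1:])]
        result.append({
            "src": src, "dst": dst, "icookie": icookie,
            "id_prot_attempts": len(idprot), "gaps_s": gaps,
            "retry_backoff": looks_like_backoff(gaps),
            "answered": any(p["rcookie"] != ZERO_COOKIE for p in pkts),
            "info_after": any(p["exch"] == "INFO" for p in pkts),
        })
    return result


def flag(summaries, no_vpn_hosts=RESOLVERS):
    """Report initiations aimed at hosts that offer no IPsec service. Unanswered
    ones with doubling gaps look like a client with a wrong peer address; an
    answered one would mean the host really is negotiating IKE and needs a look."""
    notes = []
    for s in summaries:
        if s["dst"] not in no_vpn_hosts:
            continue
        if s["answered"]:
            verdict = "answered: host is negotiating IKE, investigate"
        elif s["retry_backoff"]:
            verdict = "unanswered, client-style retransmit backoff"
        else:
            verdict = "unanswered"
        notes.append(f"{s['src']} -> {s['dst']} cookie {s['icookie']}: {s['id_prot_attempts']} "
                     f"ID_PROT attempts, gaps {s['gaps_s']}, INFO after={s['info_after']}: {verdict}")
    return notes


if __name__ == "__main__":
    for note in flag(summarize(SAMPLE)):
        print(note)
```

Run it on the post's own dumps (quoted or not; the unwrapper strips the `> ` prefix) and all four groups come out as unanswered with doubling gaps. The one condition that would change the verdict is an initiator packet carrying a non-zero responder cookie, which would mean the resolver replied and is actually running an IKE responder.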
