UDP port 500 traffic from two clients
From: Chris Wilkes (cwilkes@ladro.com)
Date: 01/28/02
- Previous message: Blake R. Swopes: "Lots of scans by SSH-1.0-SSH_Version_Mapper"
- Next in thread: Glen Mehn: "Re: UDP port 500 traffic from two clients"
- Reply: Glen Mehn: "Re: UDP port 500 traffic from two clients"
- Reply: McCammon, Keith: "RE: UDP port 500 traffic from two clients"
- Reply: Gary Flynn: "Re: UDP port 500 traffic from two clients"
- Reply: Toni Heinonen: "RE: UDP port 500 traffic from two clients"
- Reply: Greg A. Woods: "RE: UDP port 500 traffic from two clients"
Date: Mon, 28 Jan 2002 08:27:19 -0800
From: Chris Wilkes <cwilkes@ladro.com>
To: incidents@securityfocus.com
I recently moved and changed IP addresses within my ISP's block and two
IP addresses from mediaone.net and home.com hit me a couple of times a
minute with a UDP request to port 500.
Looking around on the net it appears this could be a machine trying to
VPN into mine. Since this is the first time these addresses have shown
up and they are just coming to and from port 500, I think their machines
might be misconfigured or there is a DNS entry out there that says my
machine is the one that they want to get to.
What's the best way to stop this? I sent an email off to the abuse
address at the two ISPs (I'm sure that will go straight to /dev/null as
they are really large) asking them to investigate, but is there anything
else I should do?
I set up a UDP server to capture the data that they are sending and the
results of the two are at http://ladro.com/udp500.txt . They kept on
repeating the same 219 bytes over and over. The pattern has since
changed, but it looks like it is staying the same.
Right now I'm sending back a UDP packet of "Go away" but I'm wondering
if there is something else I can do. Is there some IKE message that
tells them to give up or one that will send a message to their screen?
Feel free to email me for more details.
Chris
----------------------------------------------------------------------------
This list is provided by the SecurityFocus ARIS analyzer service.
For more information on this free incident handling, management
and tracking system please see: http://aris.securityfocus.com
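To tell whether unsolicited UDP/500 datagrams like the ones described above are IKE phase 1 initiations rather than random noise, a defender can decode the fixed 28-byte ISAKMP header (RFC 2408 section 3.1) and check the exchange type and responder cookie. The following is an added example, not code from the original post or from the capture at ladro.com; the sample datagram is constructed here (the cookie value and the 191-byte filler body standing in for an SA payload are invented so that the total comes to 219 bytes).

```python
import struct
from dataclasses import dataclass

# ISAKMP fixed header (RFC 2408 section 3.1), network byte order, 28 bytes:
# initiator cookie(8), responder cookie(8), next payload(1), version(1),
# exchange type(1), flags(1), message ID(4), total length(4).
ISAKMP_HDR = struct.Struct("!8s8sBBBBII")

EXCHANGE_TYPES = {
    0: "None", 1: "Base", 2: "Identity Protection (Main Mode)",
    3: "Authentication Only", 4: "Aggressive", 5: "Informational",
}

@dataclass
class IsakmpHeader:
    initiator_cookie: bytes
    responder_cookie: bytes
    next_payload: int
    version: str
    exchange_type: int
    flags: int
    message_id: int
    length: int

def parse_isakmp_header(datagram: bytes) -> IsakmpHeader:
    """Decode the ISAKMP header at the start of a UDP/500 payload, validating the length field."""
    if len(datagram) < ISAKMP_HDR.size:
        raise ValueError(f"datagram too short for ISAKMP header: {len(datagram)} bytes")
    icookie, rcookie, npl, ver, xtype, flags, msgid, length = ISAKMP_HDR.unpack_from(datagram)
    if length != len(datagram):
        raise ValueError(f"ISAKMP length field {length} != datagram length {len(datagram)}")
    # Version byte: major in the high nibble, minor in the low nibble (0x10 -> "1.0").
    return IsakmpHeader(icookie, rcookie, npl, f"{ver >> 4}.{ver & 0xF}", xtype, flags, msgid, length)

def classify(hdr: IsakmpHeader) -> str:
    """Describe the datagram from the receiving host's point of view."""
    name = EXCHANGE_TYPES.get(hdr.exchange_type, f"unknown ({hdr.exchange_type})")
    # A zero responder cookie on a phase 1 exchange means the sender has no SA with
    # us yet: it is trying to open a tunnel, which on an unexpected host is misconfiguration.
    if hdr.responder_cookie == b"\x00" * 8 and hdr.exchange_type in (1, 2, 4):
        return f"unsolicited phase 1 initiation, {name}"
    if hdr.exchange_type == 5:
        return "informational exchange (notify/delete)"
    return f"{name}, responder cookie set (existing exchange)"

# Constructed sample: first Main Mode message of a peer starting IKE phase 1.
SAMPLE_BODY = b"\x00" * 191            # constructed filler, not the captured payload
SAMPLE_INITIATION = ISAKMP_HDR.pack(
    bytes.fromhex("0011223344556677"),  # constructed initiator cookie
    b"\x00" * 8,                        # responder cookie zero: no SA exists yet
    1, 0x10, 2, 0, 0, ISAKMP_HDR.size + len(SAMPLE_BODY),
) + SAMPLE_BODY

if __name__ == "__main__":
    h = parse_isakmp_header(SAMPLE_INITIATION)
    print(h.version, classify(h))
```

Feeding the bytes captured by the UDP listener into parse_isakmp_header gives the exchange type directly; a zero responder cookie with exchange type 2 or 4 repeating every few seconds is the signature of a peer retrying a phase 1 negotiation that nobody answers.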