Re: UDP port 500 traffic from two clients

From: Glen Mehn (glen@squaretrade.com)
Date: 01/28/02


Date: Mon, 28 Jan 2002 10:27:01 -0800
To: Chris Wilkes <cwilkes@ladro.com>
From: Glen Mehn <glen@squaretrade.com>

you could always add a line to blacklist them in your /etc/hosts.deny file.

On Mon, Jan 28, 2002 at 08:27:19AM -0800, Chris Wilkes wrote:
> I recently moved and changed IP addresses within my ISP's block and two
> IP addresses from mediaone.net and home.com hit me a couple of times a
> minute with a UDP request to port 500.
>
> Looking around on the net it appears this could be a machine trying to
> VPN into mine. Since this is the first time these addresses have shown
> up and they are just coming to and from port 500 I think their machines
> might be misconfigured or there is a DNS entry out there that says my
> machine is the one that they want to get to.
>
> What's the best way to stop this? I sent an email off to the abuse
> address at the two ISPs (I'm sure that will go straight to /dev/null as
> they are really large) asking them to investigate, but is there anything
> else I should do?
>
> I set up a UDP server to capture the data that they are sending and the
> results of the two are at http://ladro.com/udp500.txt . They kept on
> repeating the same 219 bytes over and over. The pattern has since
> changed, but it looks like it is staying the same.
>
> Right now I'm sending back a UDP packet of "Go away" but I'm wondering
> if there is something else I can do. Is there some IKE message that
> tells them to give up or one that will send a message to their screen?
>
> Feel free to email me for more details.
>
> Chris
>
> ----------------------------------------------------------------------------
> This list is provided by the SecurityFocus ARIS analyzer service.
> For more information on this free incident handling, management
> and tracking system please see: http://aris.securityfocus.com
>

-- 
Glen S Mehn
Lead Systems Administrator		SquareTrade, Inc
glen@squaretrade.com	Building Trust in Transactions (sm)
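The thread above is about unsolicited UDP/500 datagrams and whether they are a misconfigured VPN peer. A defender in Chris's position would want to decode the captured bytes before deciding what to do, since the ISAKMP header (RFC 2408) tells you whether the sender is opening a brand-new Phase 1 negotiation (responder cookie all zero, Main or Aggressive Mode) or something else. The following is an added example, not code from either poster or from the list: it parses the 28-byte ISAKMP header and walks the unencrypted payload chain. The sample datagram is constructed here for illustration; the vendor ID body and cookie values are made up and do not come from the capture at ladro.com.

```python
import struct

# ISAKMP fixed header (RFC 2408 section 3.1): two 8-byte cookies, next payload,
# version, exchange type, flags, message ID, total length. 28 bytes, network order.
HEADER = struct.Struct("!8s8sBBBBII")

EXCHANGE_TYPES = {
    0: "NONE", 1: "Base", 2: "Identity Protection (Main Mode)",
    3: "Authentication Only", 4: "Aggressive", 5: "Informational",
}
PAYLOAD_TYPES = {
    0: "NONE", 1: "SA", 2: "Proposal", 3: "Transform", 4: "KE", 5: "ID",
    6: "CERT", 7: "CR", 8: "HASH", 9: "SIG", 10: "NONCE", 11: "N", 12: "D", 13: "VID",
}
FLAG_ENCRYPTION = 0x01


def parse_isakmp(datagram: bytes) -> dict:
    """Decode an ISAKMP/IKEv1 datagram header and list its payload types.

    Raises ValueError if the datagram is too short to hold a header.
    """
    if len(datagram) < HEADER.size:
        raise ValueError("datagram shorter than ISAKMP header (%d bytes)" % len(datagram))
    icookie, rcookie, next_payload, version, exch, flags, msg_id, length = \
        HEADER.unpack_from(datagram)
    info = {
        "initiator_cookie": icookie.hex(),
        "responder_cookie": rcookie.hex(),
        "version": "%d.%d" % (version >> 4, version & 0x0F),
        "exchange_type": EXCHANGE_TYPES.get(exch, "unknown(%d)" % exch),
        "encrypted": bool(flags & FLAG_ENCRYPTION),
        "message_id": msg_id,
        "declared_length": length,
        # A declared length that disagrees with the UDP payload is a red flag
        # (truncation, malformed sender, or deliberate garbage).
        "length_matches": length == len(datagram),
        # Responder cookie of all zeros means the peer is starting a new
        # Phase 1 SA with us, which is exactly the "misconfigured VPN client"
        # pattern discussed in the thread.
        "new_negotiation": rcookie == b"\x00" * 8 and exch in (2, 4),
        "payloads": [],
    }
    # Walk the generic payload headers (next payload, reserved, length) as
    # long as the body is not encrypted and the chain stays inside the buffer.
    offset, np = HEADER.size, next_payload
    while np != 0 and not info["encrypted"]:
        if offset + 4 > len(datagram):
            info["payloads"].append("truncated")
            break
        pnext, _reserved, plen = struct.unpack_from("!BBH", datagram, offset)
        if plen < 4 or offset + plen > len(datagram):
            info["payloads"].append("malformed(%s)" % PAYLOAD_TYPES.get(np, np))
            break
        info["payloads"].append(PAYLOAD_TYPES.get(np, "unknown(%d)" % np))
        offset, np = offset + plen, pnext
    return info


def build_sample_main_mode_init() -> bytes:
    """Construct a plausible first Main Mode packet: SA payload then a VID payload.

    Every value here is made up for the example; it is not the captured traffic.
    """
    sa_body = struct.pack("!II", 1, 1)            # DOI=IPsec, SIT_IDENTITY_ONLY
    sa_payload = struct.pack("!BBH", 13, 0, 4 + len(sa_body)) + sa_body   # next=VID
    vid_body = b"CONSTRCT"                        # fake 8-byte vendor ID
    vid_payload = struct.pack("!BBH", 0, 0, 4 + len(vid_body)) + vid_body  # next=NONE
    total = HEADER.size + len(sa_payload) + len(vid_payload)
    header = HEADER.pack(b"\x11" * 8, b"\x00" * 8, 1, 0x10, 2, 0, 0, total)
    return header + sa_payload + vid_payload


if __name__ == "__main__":
    for key, value in parse_isakmp(build_sample_main_mode_init()).items():
        print("%-18s %s" % (key, value))
```

Run against a real capture, the `new_negotiation`, `payloads` and `length_matches` fields are usually enough to tell a stray VPN client retrying Phase 1 (SA, VID payloads, zero responder cookie, repeating every few seconds) from random or malformed traffic, which is what decides whether a polite abuse report or a plain firewall drop is the right response.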
