Security Incidents mailing list archives

Re: udp port 500 scans


From: TJ Jablonowski <t.jablonowski () MAIL-2-GO COM>
Date: Thu, 21 Dec 2000 17:10:13 -0500

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Another scenario is if you or the remote site are using W2K with
IPSEC rules set up for
1. require secure communication
2. attempt secure communication

  A connection to any port configured with one of the two above rules
will result in an attempted key exchange and the hit in the logs. Even
if you unknowingly attempt to connect to the port with no intention of a
secure connection it will still attempt the key exchange regardless
of the client OS.



- ----- Original Message -----
From: "Greg Woods" <woods () UCAR EDU>
To: <INCIDENTS () SECURITYFOCUS COM>
Sent: Thursday, December 21, 2000 12:34
Subject: Re: udp port 500 scans


Wed Dec 20 12:29:02 2000 x.x.x.x/500 -> y.y.y.y/500 udp

Port 500 is used by IKE (Internet Key Exchange). This is typically
used for IPSEC-based VPN software, such as Freeswan, PGPnet, and
various vendors of in-a-box VPN solutions such as Cisco.  (For
anyone that doesn't know, VPN = Virtual Private Network, and refers
to an encrypted tunnel between two hosts or sites over which IP
applications can be run. SSH port forwarding is actually a form of
VPN). IKE is used to set up the session keys.
- --TRIMMED--

-----BEGIN PGP SIGNATURE-----
Version: PGP 7.0

iQA/AwUBOkJ/wm+7g8loOAk5EQKO4ACfdcwLfofQ2TlWtCx+LuO6w4mlFeQAn3xC
otC+5/vAvVcUpHTsOEDxGg9G
=esbH
-----END PGP SIGNATURE-----
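
The scenario in this thread lends itself to a log check: was a UDP 500 hit preceded by an outbound connection from the logged host to the same peer? The following is an added example, not part of either message. The sample lines are constructed in the format of the quoted log entry, and the 30-second correlation window and verdict labels are assumptions.

```python
import re
from datetime import datetime, timedelta

# Constructed sample in the format of the quoted log line
# (timestamp src/port -> dst/port proto); addresses are documentation ranges.
SAMPLE_LOG = """\
Wed Dec 20 12:28:58 2000 192.0.2.10/1045 -> 198.51.100.7/80 tcp
Wed Dec 20 12:29:02 2000 198.51.100.7/500 -> 192.0.2.10/500 udp
Wed Dec 20 13:05:41 2000 203.0.113.9/500 -> 192.0.2.10/500 udp
Wed Dec 20 13:07:12 2000 203.0.113.50/40211 -> 192.0.2.10/500 udp
"""

LINE = re.compile(r"^(\w{3} \w{3} [ \d]\d \d\d:\d\d:\d\d \d{4}) "
                  r"(\S+)/(\d+) -> (\S+)/(\d+) (\w+)$")

def parse(log):
    """Yield (time, src, sport, dst, dport, proto) for each well-formed line."""
    for line in log.splitlines():
        m = LINE.match(line.strip())
        if m:
            ts = datetime.strptime(m.group(1), "%a %b %d %H:%M:%S %Y")
            yield (ts, m.group(2), int(m.group(3)),
                   m.group(4), int(m.group(5)), m.group(6))

def triage(log, window=timedelta(seconds=30)):
    """Classify each UDP hit on port 500 (window is an assumed interval)."""
    events = list(parse(log))
    results = []
    for ts, src, sport, dst, dport, proto in events:
        if proto != "udp" or dport != 500:
            continue
        # Did the hit's target contact this peer shortly beforehand?
        solicited = any(
            s == dst and d == src and timedelta(0) <= ts - t <= window
            for t, s, _, d, _, _ in events)
        if sport != 500:
            # The quoted log line shows port 500 on both sides; other
            # source ports are separated out for a closer look.
            verdict = "source port not 500"
        elif solicited:
            verdict = "IKE triggered by our outbound connection"
        else:
            verdict = "unsolicited IKE"
        results.append((src, verdict))
    return results
```
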

