Security Incidents mailing list archives
Re: udp port 500 scans
From: TJ Jablonowski <t.jablonowski () MAIL-2-GO COM>
Date: Thu, 21 Dec 2000 17:10:13 -0500
Another scenario is if you or the remote site are using W2K with IPSEC rules set up for

1. require secure communication
2. attempt secure communication

A connection to any port configured with one of the two above rules will result in an attempted key exchange and the hit in the logs. Even if you unknowingly attempt to connect to the port with no intention of a secure connection, it will still attempt the key exchange regardless of the client OS.

----- Original Message -----
From: "Greg Woods" <woods () UCAR EDU>
To: <INCIDENTS () SECURITYFOCUS COM>
Sent: Thursday, December 21, 2000 12:34
Subject: Re: udp port 500 scans

Wed Dec 20 12:29:02 2000 x.x.x.x/500 -> y.y.y.y/500 udp

Port 500 is used by IKE (Internet Key Exchange). This is typically used for IPSEC-based VPN software, such as Freeswan, PGPnet, and various vendors of in-a-box VPN solutions such as Cisco. (For anyone that doesn't know, VPN = Virtual Private Network, and refers to an encrypted tunnel between two hosts or sites over which IP applications can be run. SSH port forwarding is actually a form of VPN). IKE is used to set up the session keys.
--TRIMMED--
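One way to triage the scenario described in this message, as an added example that is not part of the original thread: separate udp/500 hits that follow an outbound connection from your own host (the key-exchange case above) from hits nobody on your side solicited. Only the single log line quoted above comes from the thread; the rest of the log format, the constructed sample addresses, the 30-second window and the function names are assumptions.

```python
import re
from datetime import datetime, timedelta

# Constructed sample log in the format of the line quoted in the thread
# (addresses are documentation ranges, not taken from the original posts).
SAMPLE_LOG = """\
Wed Dec 20 12:28:58 2000 192.0.2.10/1045 -> 198.51.100.7/80 tcp
Wed Dec 20 12:29:02 2000 198.51.100.7/500 -> 192.0.2.10/500 udp
Wed Dec 20 13:05:41 2000 203.0.113.9/500 -> 192.0.2.10/500 udp
Wed Dec 20 13:05:42 2000 203.0.113.9/500 -> 192.0.2.11/500 udp
"""

LINE_RE = re.compile(
    r"^(?P<ts>\w{3} \w{3} +\d+ [\d:]{8} \d{4}) "
    r"(?P<src>[\d.]+)/(?P<sport>\d+) -> (?P<dst>[\d.]+)/(?P<dport>\d+) (?P<proto>\w+)$"
)

def parse(log):
    """Yield (time, src, sport, dst, dport, proto) for each well-formed line."""
    for line in log.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            ts = datetime.strptime(m["ts"], "%a %b %d %H:%M:%S %Y")
            yield ts, m["src"], int(m["sport"]), m["dst"], int(m["dport"]), m["proto"]

def classify_ike_hits(log, window=timedelta(seconds=30)):
    """Label each udp/500 hit by whether its target contacted the sender first."""
    events = list(parse(log))
    results = []
    for ts, src, _sport, dst, dport, proto in events:
        if proto != "udp" or dport != 500:
            continue
        # Did the target open any connection to the sender shortly before the hit?
        solicited = any(
            e_src == dst and e_dst == src and timedelta(0) <= ts - e_ts <= window
            for e_ts, e_src, _, e_dst, _, _ in events
        )
        results.append((src, dst, "ike-after-outbound" if solicited else "unsolicited"))
    return results

if __name__ == "__main__":
    for row in classify_ike_hits(SAMPLE_LOG):
        print(*row)
```

An "unsolicited" label only means no matching outbound connection was logged inside the window; it does not by itself establish that the traffic is a scan.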