udp 500 packets when users are web browsing

Oliver O'Boyle oliver.oboyle at gmail.com
Thu Sep 3 14:20:50 UTC 2015


Precisely.

On Thu, Sep 3, 2015 at 10:14 AM, Chuck Anderson <cra at wpi.edu> wrote:

> Sounds like Opportunistic Encryption.
>
> https://en.wikipedia.org/wiki/Opportunistic_encryption#Windows_OS
>
> On Thu, Sep 03, 2015 at 09:53:46AM -0400, Robert Webb wrote:
> > There is no VPN in the picture here. These are straight workstations
> > on the network that the packets are coming from.
> >
> > According to a packet capture in wireshark, these are isakmp packets
> > reaching out to host names of web sites that are being browsed. So
> > destinations are sites like twitter, facebook, amazon, cnn, etc.
> >
> > We have further discovered that they seem to be initiated from the
> > Windows 7 svchost, but we have not been able to find documentation
> > as to how or why this is occurring.
> >
> > Robert
> >
> >
> > On Thu, 3 Sep 2015 13:42:21 +0000
> >  "Bjoern A. Zeeb" <bzeeb-lists at lists.zabbadoz.net> wrote:
> > >
> > >>On 03 Sep 2015, at 13:35 , Robert Webb <rwebb at ropeguru.com> wrote:
> > >>
> > >>We are seeing udp 500 packets being dropped at our firewall from
> > >>users' browsing sessions. These are users on a 2008 R2 AD setup
> > >>with Windows 7.
> > >>
> > >>Source and destination ports are udp 500 and the pattern of
> > >>drops directly correlates to the web browsing activity. We have
> > >>confirmed this with tcpdump of port 500 and a single host and
> > >>watching the pattern of traffic as they browse. This also occurs
> > >>no matter what browser is used.
> > >>
> > >>Can anyone shine some light on what may be using udp 500 when
> > >>web browsing?
> > >
> > >The VPN using IPsec UDP-Encap connection that supposedly gets
> > >through NAT? Have you checked the content with tcpdump? Do you
> > >have fragments by any chance?
>



-- 
:o@>
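
An added example, not part of the original thread: one way to confirm from capture data the pattern described above, where a workstation sends an ISAKMP initiation on udp 500 to the same host it is browsing. The packet records, addresses (documentation ranges) and function names are constructed for illustration.

```python
import struct
from collections import namedtuple

# ISAKMP fixed header (RFC 2408, section 3.1): 28 bytes, network byte order.
ISAKMP_HDR = struct.Struct("!8s8sBBBBII")
EXCHANGE = {2: "IKEv1 Main Mode", 4: "IKEv1 Aggressive", 34: "IKEv2 IKE_SA_INIT"}
ZERO = b"\x00" * 8

Pkt = namedtuple("Pkt", "ts src dst proto sport dport payload")

def parse_isakmp(payload):
    """Return header fields, or None if this is not a plausible ISAKMP header."""
    if len(payload) < ISAKMP_HDR.size:
        return None
    icookie, rcookie, _np, version, xchg, _flags, _mid, length = ISAKMP_HDR.unpack_from(payload)
    if version >> 4 not in (1, 2) or length < ISAKMP_HDR.size:
        return None
    # A first message from an initiator carries an all-zero responder cookie.
    return {"initiation": rcookie == ZERO and icookie != ZERO,
            "exchange": EXCHANGE.get(xchg, "type %d" % xchg)}

def correlate(packets, window=5.0):
    """IKE initiations sent to a host the same source browsed within `window` seconds."""
    web = {}  # (src, dst) -> timestamps of TCP 80/443 packets
    for p in packets:
        if p.proto == "tcp" and p.dport in (80, 443):
            web.setdefault((p.src, p.dst), []).append(p.ts)
    hits = []
    for p in packets:
        if p.proto != "udp" or p.sport != 500 or p.dport != 500:
            continue
        hdr = parse_isakmp(p.payload)
        seen = web.get((p.src, p.dst), [])
        if hdr and hdr["initiation"] and any(abs(p.ts - t) <= window for t in seen):
            hits.append((p.src, p.dst, hdr["exchange"]))
    return hits

def _ike(xchg, version=0x10):
    # Constructed header only: fixed initiator cookie, zero responder cookie.
    return ISAKMP_HDR.pack(b"\x11" * 8, ZERO, 1, version, xchg, 0, 0, 28)

# Constructed sample records standing in for a decoded capture.
SAMPLE = [
    Pkt(0.0, "192.0.2.10", "198.51.100.7", "tcp", 49152, 443, b""),
    Pkt(0.2, "192.0.2.10", "198.51.100.7", "udp", 500, 500, _ike(2)),
    Pkt(1.0, "192.0.2.10", "203.0.113.9", "udp", 500, 500, _ike(2)),   # no web flow
    Pkt(2.0, "192.0.2.10", "198.51.100.7", "udp", 500, 500, b"\x00" * 10),  # too short
    Pkt(60.0, "192.0.2.11", "198.51.100.7", "udp", 500, 500, _ike(34, 0x20)),
]

if __name__ == "__main__":
    for hit in correlate(SAMPLE):
        print(hit)
```
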


