Strange IPSEC traffic

Tom Beecher beecher at beecher.cc
Tue Nov 14 17:55:08 UTC 2023


>
> Last week somebody on the internet started a campaign to scan and perhaps
> to exploit some zero day ipsec vulnerabilities.
>

I've seen traffic like this for the better part of at least the last 7
years, fairly consistently.

It's definitely not something new.

On Mon, Nov 13, 2023 at 12:42 PM Adrian Minta <adrian.minta at gmail.com>
wrote:

> On 11/13/23 19:10, Shawn L via NANOG wrote:
>
> Is anyone else seeing a lot of 'strange' IPSEC traffic?  We started seeing
> logs of IPSEC with invalid spi on Friday.  We're seeing it on pretty much
> all of our PE routers, none of which are setup to do anything VPN related.
> Most are just routing local customer traffic.
>
>
>
> decaps: rec'd IPSEC packet has invalid spi for destaddr=X.X.X.X, prot=50,
> spi=0x9D2D0000(2636972032), srcaddr=211.112.195.167, input
> interface=TenGigabitEthernet0/0/11
>
>
>
> decaps: rec'd IPSEC packet has invalid spi for destaddr=Y.Y.Y.Y, prot=50,
> spi=0x14690000(342425600), srcaddr=74.116.56.244, input
> interface=TenGigabitEthernet0/0/5
>
>
>
> The destination address is always one of our customer's ip addresses.  The
> source seems to be all over the place, mostly Russia, Korea, China or south
> east asia.  It's not really impacting anything at the moment, just rather
> annoying.
>
>
>
> Thanks
>
>
>
> Shawn
>
>
> Hi Shawn,
>
> we saw a lot of syslog messages like these and the targets are cisco
> devices, some of which, according to the data sheets, are not even capable
> of ipsec.
>
> Cisco is punting some ESP traffic to control plane on ios and ios-xe
> devices, regardless of the configuration.
>
> Last week somebody on the internet started a campaign to scan and perhaps
> to exploit some zero day ipsec vulnerabilities.
>
>
> This is the list of ip addresses we saw: https://pastebin.com/vrLRai9Q
>
>
>
> --
> Best regards,
> Adrian Minta
>
>
>
>
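As an added example (not part of the thread), a small Python parser for the Cisco "invalid spi" syslog format quoted above; it groups ESP (prot=50) events by source and reports sources that hit more than one distinct customer destination, which is the scan-like pattern Shawn and Adrian describe. The sample lines are constructed from the two quoted in the thread plus two invented ones; the threshold `min_targets` is an assumption.

```python
import re
from collections import defaultdict

# Field layout of the IOS / IOS-XE "invalid spi" message as quoted in the thread.
INVALID_SPI_RE = re.compile(
    r"invalid spi for destaddr=(?P<dst>[\w.:]+), prot=(?P<prot>\d+), "
    r"spi=0x(?P<spi>[0-9A-Fa-f]+)\(\d+\), srcaddr=(?P<src>[\w.:]+), "
    r"input interface=(?P<intf>\S+)"
)

# Constructed sample: the first two lines are the thread's (joined onto one line
# each), the last two are invented to show a repeat source and a non-matching line.
SAMPLE_LOGS = [
    "decaps: rec'd IPSEC packet has invalid spi for destaddr=X.X.X.X, prot=50, "
    "spi=0x9D2D0000(2636972032), srcaddr=211.112.195.167, input interface=TenGigabitEthernet0/0/11",
    "decaps: rec'd IPSEC packet has invalid spi for destaddr=Y.Y.Y.Y, prot=50, "
    "spi=0x14690000(342425600), srcaddr=74.116.56.244, input interface=TenGigabitEthernet0/0/5",
    "decaps: rec'd IPSEC packet has invalid spi for destaddr=Y.Y.Y.Y, prot=50, "
    "spi=0x9D2D0000(2636972032), srcaddr=211.112.195.167, input interface=TenGigabitEthernet0/0/5",
    "%SYS-5-CONFIG_I: Configured from console by admin on vty0",
]


def parse_invalid_spi(line):
    """Return the fields of one 'invalid spi' log line as a dict, or None if it is not one."""
    m = INVALID_SPI_RE.search(line)
    if not m:
        return None
    ev = m.groupdict()
    ev["prot"] = int(ev["prot"])      # 50 = ESP
    ev["spi"] = int(ev["spi"], 16)    # keep the SPI as an integer for later comparison
    return ev


def summarize(lines, min_targets=2):
    """Map each ESP source to the sorted list of destinations it hit, keeping only
    sources that reached at least `min_targets` distinct destinations."""
    targets = defaultdict(set)
    for line in lines:
        ev = parse_invalid_spi(line)
        if ev and ev["prot"] == 50:
            targets[ev["src"]].add(ev["dst"])
    return {src: sorted(dsts) for src, dsts in targets.items() if len(dsts) >= min_targets}


if __name__ == "__main__":
    for src, dsts in summarize(SAMPLE_LOGS).items():
        print(f"{src} sent invalid-SPI ESP to {len(dsts)} destinations: {', '.join(dsts)}")
```

Feeding a day of PE syslog through `summarize` gives a quick per-source list to compare against the thread's shared address list, without needing the boxes themselves to do anything with the ESP packets.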