udp 500 packets when users are web browsing
Chuck Anderson
cra at WPI.EDU
Thu Sep 3 14:14:24 UTC 2015
Sounds like Opportunistic Encryption.
https://en.wikipedia.org/wiki/Opportunistic_encryption#Windows_OS
On Thu, Sep 03, 2015 at 09:53:46AM -0400, Robert Webb wrote:
> There is no VPN in the picture here. These are straight workstations
> on the network that the packets are coming from.
>
> According to a packet capture in wireshark, these are isakmp packets
> reaching out to host names of web sites that are being browsed. So
> destinations are sites like twitter, facebook, amazon, cnn, etc..
>
> We have further discovered that they seem to be initiated from the
> Windows 7 svchost, but we have not been able to find documentation
> as to how or why this is occurring.
>
> Robert
>
>
> On Thu, 3 Sep 2015 13:42:21 +0000
> "Bjoern A. Zeeb" <bzeeb-lists at lists.zabbadoz.net> wrote:
> >
> >>On 03 Sep 2015, at 13:35 , Robert Webb <rwebb at ropeguru.com> wrote:
> >>
> >>We are seeing udp 500 packets being dropped at our firewall from
> >>user's browsing sessions. These are users on a 2008 R2 AD setup
> >>with Windows 7.
> >>
> >>Source and destination ports are udp 500 and the pattern of
> >>drops directly correlates to the web browsing activity. We have
> >>confirmed this with tcpdump of port 500 and a single host and
> >>watching the pattern of traffic as they browse. This also occurs
> >>no matter what browser is used.
> >>
> >>Can anyone shine some light on what may be using udp 500 when
> >>web browsing?
> >
> >The VPN using IPsec UDP-Encap connection that supposedly gets
> >through NAT? Have you checked the content with tcpdump? Do you
> >have fragments by any chance?