udp 500 packets when users are web browsing

Robert Webb rwebb at ropeguru.com
Thu Sep 3 14:25:52 UTC 2015


Yes, we are looking at this now.

Thanks for everyone's help. I think we are heading in the right direction 
tracking this down. This just showed up in our monitoring and makes sense as 
we just brought up a new locked down domain.

Robert


On Thu, 3 Sep 2015 10:19:53 -0400
  "Oliver O'Boyle" <oliver.oboyle at gmail.com> wrote:
> You can configure Windows to encrypt traffic based on protocol definitions.
> E.g., use IPsec to encrypt all traffic on port 80 between hosts X and hosts Y.
> 
> It's possible that such a policy is in place locally on the workstations
> and/or servers, and it's also possible that it's being enforced using GPOs.
> 
> On Thu, Sep 3, 2015 at 9:53 AM, Robert Webb <rwebb at ropeguru.com> wrote:
> 
>> There is no VPN in the picture here. These are straight workstations on
>> the network that the packets are coming from.
>>
>> According to a packet capture in Wireshark, these are ISAKMP packets
>> reaching out to host names of web sites that are being browsed. So
>> destinations are sites like Twitter, Facebook, Amazon, CNN, etc.
>>
>> We have further discovered that they seem to be initiated from the Windows
>> 7 svchost, but we have not been able to find documentation as to how or why
>> this is occurring.
>>
>> Robert
>>
>>
>> On Thu, 3 Sep 2015 13:42:21 +0000
>>  "Bjoern A. Zeeb" <bzeeb-lists at lists.zabbadoz.net> wrote:
>>
>>>
>>> On 03 Sep 2015, at 13:35 , Robert Webb <rwebb at ropeguru.com> wrote:
>>>>
>>>> We are seeing UDP 500 packets being dropped at our firewall from users'
>>>> browsing sessions. These are users on a 2008 R2 AD setup with Windows 7.
>>>>
>>>> Source and destination ports are UDP 500 and the pattern of drops
>>>> directly correlates to the web browsing activity. We have confirmed this
>>>> with tcpdump of port 500 on a single host and watching the pattern of
>>>> traffic as they browse. This also occurs no matter what browser is used.
>>>>
>>>> Can anyone shine some light on what may be using udp 500 when web
>>>> browsing?
>>>>
>>>
>>> The VPN using IPsec UDP-Encap connection that supposedly gets through
>>> NAT?   Have you checked the content with tcpdump?   Do you have fragments
>>> by any chance?
>>>
>>>
> -- 
> :o@>
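Added example for readers of this thread (not something any of the posters ran, and not from the original message): a PowerShell/netsh triage script for a Windows 7 or Server 2008 R2 domain member that checks the two things the replies point at. First, whether the UDP 500 socket is owned by the svchost.exe instance hosting the IKEEXT service (the IKE/AuthIP keying module, which is what turns a "negotiate IPsec for port 80" policy into ISAKMP packets aimed at every web server a user visits). Second, whether a connection-security rule or a legacy IP Security policy, local or assigned through a GPO, exists on the box. Only built-in tools are used (Get-Service, netstat, tasklist, netsh, gpresult); the column layout of the netstat output that the script parses is an assumption about those tools, not something stated in the thread.

```powershell
# Added example, not from the NANOG thread. Run from an elevated PowerShell
# prompt on a Windows 7 / 2008 R2 domain member that is emitting UDP 500.
# Only built-in tools are used; the text layout parsed in step 2 is assumed.

# 1. IKE and AuthIP negotiation is performed by the IKEEXT service, which
#    runs inside a shared svchost.exe. That is why a capture attributes the
#    ISAKMP traffic to svchost rather than to the browser.
$ike = Get-Service -Name IKEEXT -ErrorAction SilentlyContinue
if ($ike) { "IKEEXT (IKE and AuthIP IPsec Keying Modules): $($ike.Status)" }
else      { "IKEEXT service not present on this host" }

# 2. Which PID owns the UDP 500 (ISAKMP) and UDP 4500 (NAT-T) sockets?
#    'netstat -ano' prints the owning PID as the last column (assumed layout).
$sockets = netstat -ano -p UDP | Select-String -Pattern ':500\s|:4500\s'
$sockets | ForEach-Object { $_.Line }
$pids = $sockets |
    ForEach-Object { ($_.Line.Trim() -split '\s+')[-1] } |
    Sort-Object -Unique
foreach ($p in $pids) {
    "--- services hosted by PID $p (expect IKEEXT among them) ---"
    tasklist /svc /fi "PID eq $p"
}

# 3. Connection security rules (Windows Firewall with Advanced Security).
#    A rule that requests or requires authentication for, e.g., TCP 80 to
#    'any' remote address makes IKEEXT start a negotiation with each web
#    server, which is exactly the pattern described in the thread.
"--- connection security rules ---"
netsh advfirewall consec show rule name=all

# 4. Legacy IP Security policy (the 'IP Security Policies' snap-in), which
#    an AD domain can also assign through Group Policy. 'static show
#    gpoassignedpolicy' shows what the domain handed down; 'dynamic show
#    all' shows what is actually in force right now.
"--- GPO-assigned IPsec policy (legacy) ---"
netsh ipsec static show gpoassignedpolicy
"--- active IPsec policy (legacy) ---"
netsh ipsec dynamic show all

# 5. Main-mode SAs that actually completed (none is expected if the peers
#    are public web servers), plus the list of computer GPOs applied, so a
#    domain-delivered policy can be traced back to the GPO that carries it.
"--- main-mode security associations ---"
netsh advfirewall monitor show mmsa
"--- applied computer GPOs ---"
gpresult /scope computer /r
```

What to look for: in the step 3 or step 4 output, a rule or policy whose endpoints or filter list cover the web ports with authentication set to "request" rather than "require". In request mode Windows falls back to clear traffic when no IKE answer arrives, which is consistent with browsing still working while the firewall logs the ISAKMP attempts as drops; the cost is the IKE retransmit wait on each new destination. If step 5 shows the policy arriving through a GPO, that is where the scope (the hosts X and Y in the reply above) needs to be narrowed instead of editing the workstation.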
