udp 500 packets when users are web browsing
Robert Webb
rwebb at ropeguru.com
Thu Sep 3 14:25:52 UTC 2015
Yes, we are looking at this now.
Thanks for everyone's help. I think we are heading in the right direction
tracking this down. This just showed up in our monitoring and makes sense as
we just brought up a new locked down domain.
Robert
On Thu, 3 Sep 2015 10:19:53 -0400
"Oliver O'Boyle" <oliver.oboyle at gmail.com> wrote:
> You can configure Windows to encrypt traffic based on protocol definitions.
> E.g., use IPSEC to encrypt all traffic on port 80 between hosts X and hosts Y.
>
> It's possible that such a policy is in place locally on the workstations
> and/or servers and it's also possible that it's being enforced using GPOs.
>
> On Thu, Sep 3, 2015 at 9:53 AM, Robert Webb <rwebb at ropeguru.com> wrote:
>
>> There is no VPN in the picture here. These are straight workstations on
>> the network that the packets are coming from.
>>
>> According to a packet capture in Wireshark, these are ISAKMP packets
>> reaching out to host names of web sites that are being browsed. So
>> destinations are sites like twitter, facebook, amazon, cnn, etc.
>>
>> We have further discovered that they seem to be initiated from the Windows
>> 7 svchost, but we have not been able to find documentation as to how or why
>> this is occurring.
>>
>> Robert
>>
>>
>> On Thu, 3 Sep 2015 13:42:21 +0000
>> "Bjoern A. Zeeb" <bzeeb-lists at lists.zabbadoz.net> wrote:
>>
>>>
>>> On 03 Sep 2015, at 13:35 , Robert Webb <rwebb at ropeguru.com> wrote:
>>>>
>>>> We are seeing udp 500 packets being dropped at our firewall from user's
>>>> browsing sessions. These are users on a 2008 R2 AD setup with Windows 7.
>>>>
>>>> Source and destination ports are udp 500 and the pattern of drops
>>>> directly correlates to the web browsing activity. We have confirmed this
>>>> with tcpdump of port 500 and a single host and watching the pattern of
>>>> traffic as they browse. This also occurs no matter what browser is used.
>>>>
>>>> Can anyone shine some light on what may be using udp 500 when web browsing?
>>>>
>>>
>>> The VPN using IPsec UDP-Encap connection that supposedly gets through
>>> NAT? Have you checked the content with tcpdump? Do you have fragments
>>> by any chance?
>>>
>>>
> --
> :o@>
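The two checks suggested in the thread (look at the actual content of the UDP/500 packets, and see whether they are IPsec negotiations that the client starts on its own rather than VPN traffic) can be done offline once the UDP payloads are pulled out of the capture. The script below is an added example and not code from the thread or from any of the posters. It decodes the fixed ISAKMP/IKE header shared by IKEv1 (RFC 2408) and IKEv2 (RFC 7296), flags packets whose responder SPI is still zero as fresh negotiation attempts (the signature of a host that has an IPsec policy saying "request security for this traffic" and never gets an answer), and, going beyond the thread's UDP/500 case, also handles UDP/4500 NAT-T by stripping the non-ESP marker and rejecting ESP-in-UDP. The IP addresses, SPIs and packets are constructed samples, not captured traffic.

```python
"""Triage UDP/500 and UDP/4500 payloads from a capture as IKE negotiations.

Constructed example (not from the thread). Feed it the UDP payloads from a
tcpdump/Wireshark capture of "udp port 500 or udp port 4500" to see whether
the dropped packets are unanswered IKE initiations and where they are aimed.
"""
import struct
from collections import defaultdict
from dataclasses import dataclass

# Fixed ISAKMP / IKEv2 header (RFC 2408 s.3.1, RFC 7296 s.3.1): 28 bytes.
# initiator SPI, responder SPI, next payload, version, exchange type, flags,
# message ID, total length.
ISAKMP_HDR = struct.Struct("!8s8sBBBBII")
ZERO_SPI = bytes(8)
NON_ESP_MARKER = b"\x00\x00\x00\x00"  # RFC 3948 s.2.2: precedes IKE on UDP/4500

EXCHANGE_TYPES = {
    1: "IKEv1 Base", 2: "IKEv1 Identity Protection (Main Mode)",
    3: "IKEv1 Authentication Only", 4: "IKEv1 Aggressive", 5: "IKEv1 Informational",
    32: "IKEv1 Quick Mode", 33: "IKEv1 New Group Mode",
    34: "IKEv2 IKE_SA_INIT", 35: "IKEv2 IKE_AUTH",
    36: "IKEv2 CREATE_CHILD_SA", 37: "IKEv2 INFORMATIONAL",
}
IKEV2_FLAG_INITIATOR = 0x08
IKEV2_FLAG_RESPONSE = 0x20


@dataclass
class IsakmpSummary:
    version: int          # major version from the header: 1 or 2
    exchange: str
    initiator_spi: str
    responder_spi: str
    initiation: bool      # first message of a negotiation: responder SPI still zero
    nat_t: bool           # arrived on UDP/4500 behind the non-ESP marker
    length_ok: bool       # header length field matches the bytes actually carried


def parse_isakmp(udp_dst_port: int, payload: bytes) -> IsakmpSummary:
    """Decode one UDP payload; raises ValueError if it is not an IKE message."""
    nat_t = False
    if udp_dst_port == 4500:
        if not payload.startswith(NON_ESP_MARKER):
            # No zero marker means UDP-encapsulated ESP (the SPI comes first), not IKE
            raise ValueError("UDP/4500 payload is ESP-in-UDP, not IKE")
        payload = payload[4:]
        nat_t = True
    if len(payload) < ISAKMP_HDR.size:
        raise ValueError("too short for an ISAKMP header (fragment?)")
    ispi, rspi, _next, ver, exch, flags, _msg_id, length = ISAKMP_HDR.unpack_from(payload)
    major = ver >> 4
    if major not in (1, 2):
        raise ValueError(f"not IKE: version byte 0x{ver:02x}")
    initiation = rspi == ZERO_SPI
    if major == 2:
        # IKEv2 also states the role in the flags; require both for a clean verdict
        initiation = initiation and bool(flags & IKEV2_FLAG_INITIATOR) \
            and not (flags & IKEV2_FLAG_RESPONSE)
    return IsakmpSummary(
        version=major,
        exchange=EXCHANGE_TYPES.get(exch, f"unknown({exch})"),
        initiator_spi=ispi.hex(),
        responder_spi=rspi.hex(),
        initiation=initiation,
        nat_t=nat_t,
        length_ok=(length == len(payload)),
    )


def triage(packets):
    """packets: iterable of (src_ip, dst_ip, udp_dst_port, udp_payload).
    Returns {dst_ip: {"initiations": n, "other": n, "not_ike": n}}, so a pile
    of unanswered initiations toward web-server addresses stands out."""
    stats = defaultdict(lambda: {"initiations": 0, "other": 0, "not_ike": 0})
    for _src, dst, dport, payload in packets:
        try:
            summary = parse_isakmp(dport, payload)
        except ValueError:
            stats[dst]["not_ike"] += 1
            continue
        stats[dst]["initiations" if summary.initiation else "other"] += 1
    return dict(stats)


def _hdr(ispi, rspi, next_payload, version, exchange, flags, msg_id, body=b""):
    """Build a header plus opaque body; used only to construct the samples below."""
    total = ISAKMP_HDR.size + len(body)
    return ISAKMP_HDR.pack(ispi, rspi, next_payload, version, exchange, flags, msg_id, total) + body


# Constructed samples standing in for captured UDP payloads (not real traffic).
SAMPLES = [
    # IKEv1 Main Mode message 1: next payload 1 (SA), version 1.0, responder cookie zero
    ("10.0.0.5", "203.0.113.10", 500,
     _hdr(bytes.fromhex("0123456789abcdef"), ZERO_SPI, 1, 0x10, 2, 0x00, 0, b"\x00" * 40)),
    # Same workstation trying another web-server address
    ("10.0.0.5", "198.51.100.7", 500,
     _hdr(bytes.fromhex("fedcba9876543210"), ZERO_SPI, 1, 0x10, 2, 0x00, 0, b"\x00" * 40)),
    # IKEv2 IKE_SA_INIT request behind NAT: UDP/4500, non-ESP marker, I flag set
    ("10.0.0.9", "203.0.113.10", 4500,
     NON_ESP_MARKER + _hdr(bytes.fromhex("1111111111111111"), ZERO_SPI, 33, 0x20, 34,
                           IKEV2_FLAG_INITIATOR, 0, b"\x00" * 16)),
    # ESP-in-UDP on 4500 (SPI first, no zero marker): not IKE at all
    ("10.0.0.9", "203.0.113.10", 4500, bytes.fromhex("c0ffee0100000001") + b"\x00" * 24),
]

if __name__ == "__main__":
    for src, dst, port, payload in SAMPLES:
        try:
            print(src, "->", dst, port, parse_isakmp(port, payload))
        except ValueError as err:
            print(src, "->", dst, port, "skipped:", err)
    print(triage(SAMPLES))
```

If the capture is dominated by IKEv1 Main Mode or IKEv2 IKE_SA_INIT messages with an all-zero responder SPI and no replies, the workstations are opening IPsec negotiations themselves, which matches the GPO-driven connection security rule Oliver describes. On a Windows 7 client the rules that would cause this can be listed with `netsh advfirewall consec show rule name=all`, and a rule whose action is "request" rather than "require" explains why browsing still works while the firewall logs the drops.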
More information about the NANOG mailing list