udp 500 packets when users are web browsing

• Previous message (by thread): udp 500 packets when users are web browsing
• Next message (by thread): Whois.net down?
• Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

That would do it. Almost certainly enforced by GPO in that case so at least
it's easy to change if you need to.

On Thu, Sep 3, 2015 at 10:25 AM, Robert Webb <rwebb at ropeguru.com> wrote:

> Yes, we are looking at this now.
>
> Thanks for everyone's help. I think we are heading in the right direction
> tracking this down. This just showed up in our monitoring and makes sense
> as we just brought up a new locked down domain.
>
> Robert
>
>
>
> On Thu, 3 Sep 2015 10:19:53 -0400
>  "Oliver O'Boyle" <oliver.oboyle at gmail.com> wrote:
>
>> You can configure Windows to encrypt traffic based on protocol
>> definitions.
>> E.g., Use IPSEC to encrypt all traffic on port 80 between hosts X and
>> hosts
>> Y.
>>
>> It's possible that such a policy is in place locally on the workstations
>> and/or servers and it's also possible that it's being enforced using GPOs.
>>
>> On Thu, Sep 3, 2015 at 9:53 AM, Robert Webb <rwebb at ropeguru.com> wrote:
>>
>> There is no VPN in the picture here. These are straight workstations on
>>> the network that the packets are coming from.
>>>
>>> According to a pcaket capture in wireshark, these are isakmp packets
>>> reaching out to host names of web sites that are being browsed. So
>>> destinations are sites like twitter, facebook, amazon, cnn, etc..
>>>
>>> We have further discovered that they seem to be initiated from the
>>> Windows
>>> 7 svchost, but we have not been able to find documentation as to how or
>>> why
>>> this is ocurring.
>>>
>>> Robert
>>>
>>>
>>> On Thu, 3 Sep 2015 13:42:21 +0000
>>>  "Bjoern A. Zeeb" <bzeeb-lists at lists.zabbadoz.net> wrote:
>>>
>>>
>>>> On 03 Sep 2015, at 13:35 , Robert Webb <rwebb at ropeguru.com> wrote:
>>>>
>>>>>
>>>>> We are seeing udp 500 packets being dropped at our firewall from user's
>>>>> browsing sessions. These are users on a 2008 R2 AD setup with Windows
>>>>> 7.
>>>>>
>>>>> Source and destination ports are udp 500 and the the pattern of drops
>>>>> directly correlate to the web browsing activity. We have confirmed this
>>>>> with tcpdump of port 500 and a single host and watching the pattern of
>>>>> traffic as they browse. This also occurs no matter what browser is
>>>>> used.
>>>>>
>>>>> Can anyone shine some light on what may be using udp 500 when web
>>>>> browsing?
>>>>>
>>>>>
>>>> The VPN using IPsec UDP-Encap connection that supposedly gets through
>>>> NAT?   Have you checked the content with tcpdump?   Do you have
>>>> fragments
>>>> by any chance?
>>>>
>>>>
>>>> --
>> :o@>
>>
>
>
>


-- 
:o@>

• Previous message (by thread): udp 500 packets when users are web browsing
• Next message (by thread): Whois.net down?
• Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]