<div dir="ltr"><div dir="ltr"><br></div><div>In this case, however, what's being seen is simply valid traffic </div><div>which was most likely erroneously redirected through an </div><div>internal encryption device.</div><div><br></div><div>I would hazard a guess the folks involved have already jumped </div><div>on checking the redirector rules to fix the leakage which allowed </div><div>external IPs to be passed through the internal encryption pathway.</div><div><br></div><div>I helped build the system that's causing those messages, so I have </div><div>a bit of a guess as to what the issue is. I'm no longer an employee,</div><div>however, so I can't fix the issue. But in this case, those boxes really </div><div>aren't trying to attack you--they just aren't supposed to be sending </div><div>traffic externally like that. </div><div><br></div><div>So, it actually is good to speak up about this traffic--because it's a fixable </div><div>issue, and one that should be addressed at the source.</div><div><br></div><div>Thanks!</div><div><br></div><div>Matt</div><div>#notspeakingofficiallyforanyoneoranything</div><div><br></div><br><div class="gmail_quote"><div dir="ltr" class="gmail_attr">On Fri, Dec 18, 2020 at 9:05 PM Dobbins, Roland <<a href="mailto:Roland.Dobbins@netscout.com">Roland.Dobbins@netscout.com</a>> wrote:<br></div><blockquote class="gmail_quote" style="margin:0px 0px 0px 0.8ex;border-left-width:1px;border-left-style:solid;border-left-color:rgb(204,204,204);padding-left:1ex">
<div dir="auto">
<div dir="ltr"><br>
</div>
<div dir="ltr"><br>
<blockquote type="cite">On Dec 19, 2020, at 01:19, Frank Bulk <<a href="mailto:frnkblk@iname.com" target="_blank">frnkblk@iname.com</a>> wrote:<br>
<br>
</blockquote>
</div>
<blockquote type="cite">
<div dir="ltr"><span>Curious if someone can point me in the right direction. In the last three</span><br>
<span>days our core router (Cisco 7609) has logged the following events:</span><br>
<span></span><br>
<span>Dec 16 19:04:59.027 CST: %CRYPTO-4-RECVD_PKT_INV_SPI: decaps: rec'd IPSEC</span><br>
<span>packet has invalid spi for destaddr=<redacted>, prot=50,</span><br>
<span>spi=0xEF7ED795(4018067349), srcaddr=68.180.160.18, input interface=Vlan20</span><br>
</div>
</blockquote>
<br>
<div>It should be noted that attackers will sometimes generate non-TCP/-UDP/-ICMP DDoS attack traffic which is intended to bypass ACLs, firewall rules, etc. which only take the more common protocols into account. They'll often pick ESP (protocol 50, AH (protocol
51), or GRE (protocol 47) in order to try & masquerade the attack traffic as legitimate VPN or tunneled traffic.</div>
<div><br>
</div>
<div>And the source IPs of this attack traffic are frequently spoofed, as well. </div>
<div><br>
</div>
<div>
<p style="margin:0px;font-stretch:normal;font-size:17.4px;line-height:normal;color:rgb(69,69,69)">
<span style="font-size:17.41pt">--------------------------------------------</span></p>
<p style="margin:0px;font-stretch:normal;font-size:17.4px;line-height:normal;color:rgb(69,69,69)">
<span style="font-size:17.41pt">Roland Dobbins <<a href="mailto:roland.dobbins@netscout.com" target="_blank">roland.dobbins@netscout.com</a>></span></p>
</div>
<div><br>
</div>
<div><br>
</div>
</div>
</blockquote></div></div>