Re: Strange IPSEC traffic

2023-11-14 Thread Niels Bakker
* Shawn L [Mon 13 Nov 2023, 18:12 CET]: Is anyone else seeing a lot of 'strange' IPSEC traffic? This mail server running FreeBSD did: (timestamps in CET, UTC+1) Nov 10 00:58:55 mailserver kernel: ipsec_common_input: no key association found for SA 77.174.253.13/77b4/50 Nov 10 01:26:09

Re: Strange IPSEC traffic

2023-11-14 Thread Tom Beecher
023 at 12:42 PM Adrian Minta wrote: > On 11/13/23 19:10, Shawn L via NANOG wrote: > > Is anyone else seeing a lot of 'strange' IPSEC traffic? We started seeing > logs of IPSEC with invalid spi on Friday. We're seeing it on pretty much > all of our PE routers, none of which are set up

Re: Strange IPSEC traffic

2023-11-13 Thread Dobbins, Roland via NANOG
On Nov 14, 2023, at 00:12, Shawn L via NANOG wrote: The destination address is always one of our customer's IP addresses. Attackers will sometimes use synthetic ESP, AH, GRE, or other protocols in DDoS attacks, because organizations often only think about TCP/UDP/ICMP in terms of ACLs, DDoS

Re: Strange IPSEC traffic

2023-11-13 Thread Sabri Berisha
- On Nov 13, 2023, at 9:43 AM, Maurice Brown maur...@pwnship.com wrote: Hi, > A new attack was published against SSH and the paper authors are theorizing > that > the attack is possible against IPSEC due to flaws in the CPU that are > exploitable via brute force. For those interested, here

Re: Strange IPSEC traffic

2023-11-13 Thread Maurice Brown
Is anyone else seeing a lot of 'strange' IPSEC traffic? We started seeing > logs of IPSEC with invalid spi on Friday. We're seeing it on pretty much > all of our PE routers, none of which are set up to do anything VPN related. > Most are just routing local customer traffic.

RE: Strange IPSEC traffic

2023-11-13 Thread Mike Lewinski via NANOG
I can confirm we started seeing this on Nov 9th at 19:10 UTC across all markets from a variety of sources. If you want to filter it with ingress ACLs they need to include subnet base and broadcast addresses in addition to interface address, so a router at 192.168.1.1/30 with a customer

Re: Strange IPSEC traffic

2023-11-13 Thread Adrian Minta
On 11/13/23 19:10, Shawn L via NANOG wrote: Is anyone else seeing a lot of 'strange' IPSEC traffic? We started seeing logs of IPSEC with invalid spi on Friday. We're seeing it on pretty much all of our PE routers, none of which are set up to do anything VPN related. Most are just routing

Strange IPSEC traffic

2023-11-13 Thread Shawn L via NANOG
Is anyone else seeing a lot of 'strange' IPSEC traffic? We started seeing logs of IPSEC with invalid spi on Friday. We're seeing it on pretty much all of our PE routers, none of which are set up to do anything VPN related. Most are just routing local customer traffic. decaps: rec'd IPSEC