[183471] in North American Network Operators' Group
Re: udp 500 packets when users are web browsing
daemon@ATHENA.MIT.EDU (Chuck Anderson)
Thu Sep 3 10:14:29 2015
X-Original-To: nanog@nanog.org
Date: Thu, 3 Sep 2015 10:14:24 -0400
From: Chuck Anderson <cra@WPI.EDU>
To: nanog@nanog.org
Mail-Followup-To: nanog@nanog.org
In-Reply-To: <ximss-521105@mail.ropeguru.com>
Errors-To: nanog-bounces@nanog.org
Sounds like Opportunistic Encryption.
https://en.wikipedia.org/wiki/Opportunistic_encryption#Windows_OS
On Thu, Sep 03, 2015 at 09:53:46AM -0400, Robert Webb wrote:
> There is no VPN in the picture here. These are straight workstations
> on the network that the packets are coming from.
>
> According to a packet capture in wireshark, these are isakmp packets
> reaching out to host names of web sites that are being browsed. So
> destinations are sites like twitter, facebook, amazon, cnn, etc..
>
> We have further discovered that they seem to be initiated from the
> Windows 7 svchost, but we have not been able to find documentation
> as to how or why this is occurring.
>
> Robert
>
>
> On Thu, 3 Sep 2015 13:42:21 +0000
> "Bjoern A. Zeeb" <bzeeb-lists@lists.zabbadoz.net> wrote:
> >
> >>On 03 Sep 2015, at 13:35 , Robert Webb <rwebb@ropeguru.com> wrote:
> >>
> >>We are seeing udp 500 packets being dropped at our firewall from
> >>users' browsing sessions. These are users on a 2008 R2 AD setup
> >>with Windows 7.
> >>
> >>Source and destination ports are udp 500 and the pattern of
> >>drops directly correlates to the web browsing activity. We have
> >>confirmed this with tcpdump of port 500 and a single host and
> >>watching the pattern of traffic as they browse. This also occurs
> >>no matter what browser is used.
> >>
> >>Can anyone shine some light on what may be using udp 500 when
> >>web browsing?
> >
> >The VPN using IPsec UDP-Encap connection that supposedly gets
> >through NAT? Have you checked the content with tcpdump? Do you
> >have fragments by any chance?
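The check Bjoern asks for (look at the content, not just the port) can be automated. Below is an added example, not code from anyone in the thread: it decodes the fixed 28-byte ISAKMP header that IKEv1 and IKEv2 share, flags the packets that are an initiator's first message (responder SPI still zero, message ID 0), and ties each one to the host name the same client resolved to that address a few seconds earlier, which is the correlation Robert did by hand. The workstation address, the DNS answers, the destination addresses (RFC 5737 documentation ranges) and the packets themselves are all constructed for the example; the payload bodies are opaque placeholders and no SA payload is parsed.

```python
"""Decode UDP/500 payloads as ISAKMP and correlate IKE initiations with the
names a client just resolved.  Added example, not code from the thread; the
packets, DNS answers and addresses below are constructed (RFC 5737 ranges)."""
import struct
from collections import defaultdict

# Fixed ISAKMP header (RFC 2408 section 3.1; IKEv2 keeps the same layout):
# initiator SPI, responder SPI, next payload, version, exchange type, flags,
# message ID, total length.
ISAKMP_HDR = struct.Struct("!8s8sBBBBII")
ZERO_SPI = bytes(8)

EXCHANGE_TYPES = {
    2: "IKEv1 Identity Protection (Main Mode)",
    4: "IKEv1 Aggressive Mode",
    5: "IKEv1 Informational",
    32: "IKEv1 Quick Mode",
    34: "IKEv2 IKE_SA_INIT",
    35: "IKEv2 IKE_AUTH",
    36: "IKEv2 CREATE_CHILD_SA",
    37: "IKEv2 INFORMATIONAL",
}


def parse_isakmp(payload):
    """Return header fields for an ISAKMP datagram, or None if it is not one.

    A UDP/500 datagram that is not IKE (or is truncated) yields None, so the
    caller can separate real IKE initiations from other noise on the port."""
    if len(payload) < ISAKMP_HDR.size:
        return None
    i_spi, r_spi, nxt, version, exch, flags, msg_id, length = ISAKMP_HDR.unpack_from(payload)
    major = version >> 4
    if major not in (1, 2) or exch not in EXCHANGE_TYPES or length > len(payload):
        return None
    return {
        "version": "IKEv%d" % major,
        "exchange": EXCHANGE_TYPES[exch],
        "initiator_spi": i_spi.hex(),
        # First message from an initiator: responder SPI still zero, message ID 0.
        "initiation": r_spi == ZERO_SPI and msg_id == 0,
        "flags": flags,
        "length": length,
    }


def correlate(dns_answers, udp500_packets, window=5.0):
    """Attach to each IKE initiation the name the same client resolved to the
    destination address within `window` seconds beforehand (None if none)."""
    resolved = defaultdict(list)          # (client, ip) -> [(ts, name), ...]
    for ts, client, name, ip in dns_answers:
        resolved[(client, ip)].append((ts, name))
    hits = []
    for ts, src, dst, payload in udp500_packets:
        hdr = parse_isakmp(payload)
        if hdr is None or not hdr["initiation"]:
            continue
        name = None
        for dns_ts, dns_name in resolved.get((src, dst), ()):
            if 0 <= ts - dns_ts <= window:
                name = dns_name
        hits.append({"ts": ts, "src": src, "dst": dst, "name": name,
                     "exchange": hdr["exchange"]})
    return hits


def build_isakmp(i_spi, exchange, version, next_payload, flags=0, body=b""):
    """Build a syntactically valid ISAKMP datagram for the samples below.
    The body is an opaque placeholder; real SA payloads are not modelled."""
    return ISAKMP_HDR.pack(i_spi, ZERO_SPI, next_payload, version, exchange,
                           flags, 0, ISAKMP_HDR.size + len(body)) + body


# Constructed sample data: one workstation resolving two sites, then sending
# IKE to each resolved address, plus one IKE with no DNS match and one non-IKE
# UDP/500 datagram.
SAMPLE_DNS = [
    (100.0, "10.1.2.3", "www.example.com", "192.0.2.10"),
    (101.0, "10.1.2.3", "www.example.net", "198.51.100.7"),
]
SAMPLE_PACKETS = [
    (100.4, "10.1.2.3", "192.0.2.10",
     build_isakmp(b"\x11" * 8, 2, 0x10, 1, body=bytes(12))),             # IKEv1 Main Mode, next payload SA
    (101.2, "10.1.2.3", "198.51.100.7",
     build_isakmp(b"\x22" * 8, 34, 0x20, 33, flags=0x08, body=bytes(12))),  # IKEv2 IKE_SA_INIT, Initiator flag
    (150.0, "10.1.2.3", "203.0.113.5",
     build_isakmp(b"\x33" * 8, 4, 0x10, 1, body=bytes(12))),             # Aggressive Mode, no DNS seen
    (151.0, "10.1.2.3", "203.0.113.6", b"x" * 40),                        # not ISAKMP at all
]

if __name__ == "__main__":
    for hit in correlate(SAMPLE_DNS, SAMPLE_PACKETS):
        print("%(ts)7.1f %(src)s -> %(dst)-14s %(exchange)-40s %(name)s" % hit)
```

For a quick look without a script, `tcpdump -nn -v udp port 500` decodes the ISAKMP header in place, and on the Windows 7 side `netsh advfirewall consec show rule name=all` lists the connection security (IPsec) rules that would make the host attempt IKE toward arbitrary destinations.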