[183474] in North American Network Operators' Group
Re: udp 500 packets when users are web browsing
daemon@ATHENA.MIT.EDU (Robert Webb)
Thu Sep 3 10:26:30 2015
X-Original-To: nanog@nanog.org
From: "Robert Webb" <rwebb@ropeguru.com>
In-Reply-To: <CAMOPTEwXWbcZSeGvhUJKO0cU--rKtih=-ncqrd7Z-2gLaa9e5w@mail.gmail.com>
To: "Oliver O'Boyle" <oliver.oboyle@gmail.com>
Date: Thu, 03 Sep 2015 10:25:52 -0400
Cc: "Bjoern A. Zeeb" <bzeeb-lists@lists.zabbadoz.net>,
"nanog@nanog.org" <nanog@nanog.org>
Errors-To: nanog-bounces@nanog.org
Yes, we are looking at this now.
Thanks for everyone's help. I think we are heading in the right direction
tracking this down. This just showed up in our monitoring and makes sense as
we just brought up a new locked down domain.
Robert
On Thu, 3 Sep 2015 10:19:53 -0400
"Oliver O'Boyle" <oliver.oboyle@gmail.com> wrote:
> You can configure Windows to encrypt traffic based on protocol definitions.
> E.g., Use IPSEC to encrypt all traffic on port 80 between hosts X and hosts Y.
>
> It's possible that such a policy is in place locally on the workstations
> and/or servers and it's also possible that it's being enforced using GPOs.
>
> On Thu, Sep 3, 2015 at 9:53 AM, Robert Webb <rwebb@ropeguru.com> wrote:
>
>> There is no VPN in the picture here. These are straight workstations on
>> the network that the packets are coming from.
>>
>> According to a packet capture in Wireshark, these are ISAKMP packets
>> reaching out to host names of web sites that are being browsed. So
>> destinations are sites like twitter, facebook, amazon, cnn, etc.
>>
>> We have further discovered that they seem to be initiated from the Windows
>> 7 svchost, but we have not been able to find documentation as to how or why
>> this is occurring.
>>
>> Robert
>>
>>
>> On Thu, 3 Sep 2015 13:42:21 +0000
>> "Bjoern A. Zeeb" <bzeeb-lists@lists.zabbadoz.net> wrote:
>>
>>>
>>> On 03 Sep 2015, at 13:35 , Robert Webb <rwebb@ropeguru.com> wrote:
>>>>
>>>> We are seeing udp 500 packets being dropped at our firewall from users'
>>>> browsing sessions. These are users on a 2008 R2 AD setup with Windows 7.
>>>>
>>>> Source and destination ports are udp 500 and the pattern of drops
>>>> directly correlates to the web browsing activity. We have confirmed this
>>>> with tcpdump of port 500 and a single host and watching the pattern of
>>>> traffic as they browse. This also occurs no matter what browser is used.
>>>>
>>>> Can anyone shine some light on what may be using udp 500 when web
>>>> browsing?
>>>>
>>>
>>> The VPN using IPsec UDP-Encap connection that supposedly gets through
>>> NAT? Have you checked the content with tcpdump? Do you have fragments
>>> by any chance?
>>>
>>>
> --
> :o@>
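The check Oliver's reply points at, written out as an added example that is not part of the thread: on a Windows 7 / 2008 R2 host, IKE toward arbitrary web servers can come from either the legacy IPsec Policy Agent store ("IP Security Policies", assignable by GPO) or from Windows Firewall with Advanced Security connection security rules, and svchost.exe is simply the host process for the IKE service. The commands below, run from an elevated prompt on an affected workstation, use only built-in tools (netsh, gpresult, auditpol, wevtutil); the output file path is an assumption.

```powershell
# Added example: find which IPsec policy source makes a Windows 7 workstation
# initiate IKE (UDP 500) when users browse. Run as Administrator on the host.

# 1. Legacy IPsec policy store ("IP Security Policies on Local Computer", or
#    delivered by GPO). A "Negotiate security" filter action on TCP 80/443
#    makes the host start main mode to every web server it talks to.
netsh ipsec static show all
# The policy that is actually assigned right now, with its live filters:
netsh ipsec dynamic show all

# 2. Windows Firewall with Advanced Security connection security rules,
#    the Vista+ mechanism, also deliverable by GPO.
netsh advfirewall consec show rule name=all

# 3. Live negotiation state: main-mode / quick-mode SAs whose peers are web
#    server addresses confirm this host is the IKE initiator for browsing.
netsh advfirewall monitor show mmsa
netsh advfirewall monitor show qmsa

# 4. Which GPO delivered the setting: computer-scope RSoP summary, then a
#    full HTML report that includes the IP Security / WFAS sections.
gpresult /r /scope computer
gpresult /h "$env:TEMP\rsop.html" /scope computer   # output path is an assumption

# 5. Failed main-mode negotiations (the firewall is dropping UDP 500, so every
#    attempt fails) show up in the Security log as events 4652/4653, but only
#    when the "IPsec Main Mode" audit subcategory is enabled.
auditpol /get /subcategory:"IPsec Main Mode"
wevtutil qe Security /q:"*[System[(EventID=4652 or EventID=4653)]]" /c:20 /f:text
```

If step 1 or 2 shows a rule whose endpoints are "any" with a port filter, that is the policy to narrow to the intended hosts; checking it on a machine that has not yet received the new domain's GPOs and on one that has is the quickest way to confirm the correlation with the locked-down domain mentioned above. On the firewall side, `tcpdump -nn -v udp port 500` is enough to see the ISAKMP header fields (initiator cookie set, responder cookie zero, exchange type Identity Protection) that mark these as unanswered main-mode initiations rather than NAT-traversed VPN traffic.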