cancel
Showing results for 
Search instead for 
Did you mean: 
cancel
530
Views
1
Helpful
7
Replies

Internet/SP Increase in IPSEC probes (ESP)

f00z
Level 3
Level 3

Has anyone else seen an excessive amount of ESP probes being sent to every public IP address . Makes me think there's a new exploit out.  Check logs on the routers.  Haven't ever in past 20 years seen this much probing using ESP packets.  Just a heads up

7 Replies 7

balaji.bandi
Hall of Fame
Hall of Fame

what device model and what IOS code running, do you have some output which show us the symptom, or this could be bug ? 

what device other side ?

BB

***** Rate All Helpful Responses *****

How to Ask The Cisco Community for Help

It's not one device.  We have a large network on the internet (service provider) and I'm seeing this across all devices , basically someone's probing the entire internet with ESP packets (seeing it hit all of our router public IPs, loopbacks, etc.).  Normal internet traffic never hits the router IPs so we kind of use these as honeypots to record all traffic destined to them (i.e. they are our infrastructure IPs and filtered at the edge, but we capture all dropped packets to them -- and it's a lot of different ips not just one subnet for example, quite a big list) , constantly seeing TCP probes of course (syn scans), but recently have been seeing large amounts of ESP.

The post is just wondering if there might be an exploit for some devices, maybe not Cisco, but maybe also Cisco Like the ios-xe http bug.   All I'm saying is that we are seeing massive amounts of ESP packets to IP addresses which should never receive anything and giving people a heads up that there must be some sort of exploit/ddos reflection or something that is causing hackers to launch the scans.

The huge increase in ESP traffic started on Nov 9 and is still happening. Coming from numerous source IPs and going to a large amount of destination IPs through our network.  Can see it on flow data to way more than our infrastructure ips .

You use DMVPN?

If yes this ESP packet is nhrp request encapsulate inside esp.

Also I need to check if keepalive also encapsulate inside esp or not.

We do not use DMVPN. All of these packets are dropped by our ACLs.. It's just very strange that all of a sudden on Nov 9 we are seeing ESP across the board to IPs that should never receive anything, plus all the downstream customer IPs are receiving it too (basically the entire internet is most likely being scanned).

A capture of one of the packet looks like this:

16:50:50.779104 IP (tos 0x3,CE, ttl 248, id 65530, offset 0, flags [none], proto ESP (50), length 1388)
14.226.65.120 > x.x.x.x: ESP(spi=0xadfd0000,seq=0x5589991), length 1368
0x0000: 4503 056c fffa 0000 f832 fdf0 0ee2 4178 E..l.....2....Ax
0x0010: xxxx 29d6 adfd 0000 0558 9991 1100 0000 EA)......X......
0x0020: 3133 3630 0086 4300 1100 0000 810c 0000 1360..C.........
0x0030: 0886 4300 0886 4300 0000 0000 0000 0000 ..C...C.........
0x0040: 0000 0000 0000 0000 1101 0000 610c 0000 ............a...
0x0050: 0886 4300 0886 4300 0000 0000 0000 0000 ..C...C.........
0x0060: 0000 0000 0000 0000 0000 0000 0000 0000 ................
..clipped.. it's all zeroes until the end:
0x0560: 0000 0000 0000 0000 0000 0000 ............

This is just one of the source ips , there are thousands

Here's another one to another non-used IP:

17:06:42.079919 IP (tos 0x3,CE, ttl 248, id 65530, offset 0, flags [none], proto ESP (50), length 29)
14.226.65.120 > x.x.0.73: ESP(spi=0xab410000,seq=0x9e9af), length 9
0x0000: 4503 001d fffa 0000 f832 99e7 0ee2 4178 E........2....Ax
0x0010: xxxx 0049 ab41 0000 0009 e9af 1100 0000 .&.I.A..........
0x0020: 0000 0000 0000 0000 0000 0000 0000 ..............

Another:

17:11:36.294249 IP (tos 0xff,CE, ttl 250, id 65530, offset 0, flags [none], proto ESP (50), length 1388)
139.255.10.2 > x.x.19.155: ESP(spi=0xa3230000,seq=0x558527c), length 1368
0x0000: 45ff 056c fffa 0000 fa32 cfe9 8bff 0a02 E..l.....2......
0x0010: xxxx 139b a323 0000 0558 527c 1100 0000 @....#...XR|....
0x0020: 3133 3630 0085 4300 1100 0000 d10b 0000 1360..C.........
0x0030: f885 4300 f885 4300 0000 0000 0000 0000 ..C...C.........
0x0040: 0000 0000 0000 0000 0000 0000 0000 0000 ................
0x0050: 0000 0000 0000 0000 0000 0000 0000 0000 ................

If you use ACL in interface face internet and drop any ipsec esp you will protect your network from these esp traffic.

Capture esp not useful since the data is encrypted within esp.

I know this, I was posting because normally when there's a lot of traffic of a certain protocol or even a tcp port number or udp packets that match a certain pattern, it is an indication of a new exploit or ddos method. It is not affecting us in any way; I was posting to let the community know to look out for it and also to find out what or why is going on (i.e. i want to know what the exploit is at some point)

Many thanks and also it good idea to inform your ISP team about this DDoS' it will effect all costumers.

Thanks again 

Have a good day 

MHM

Review Cisco Networking for a $25 gift card