11-15-2023 02:05 PM
Has anyone else seen an excessive amount of ESP probes being sent to every public IP address? Makes me think there's a new exploit out. Check logs on the routers. Haven't ever in the past 20 years seen this much probing using ESP packets. Just a heads up.
11-15-2023 02:22 PM
What device model and what IOS code is it running? Do you have some output which shows us the symptom, or could this be a bug?
What device is on the other side?
11-15-2023 02:29 PM - edited 11-15-2023 02:35 PM
It's not one device. We have a large network on the internet (service provider) and I'm seeing this across all devices; basically someone's probing the entire internet with ESP packets (seeing it hit all of our router public IPs, loopbacks, etc.). Normal internet traffic never hits the router IPs, so we kind of use these as honeypots to record all traffic destined to them (i.e. they are our infrastructure IPs and filtered at the edge, but we capture all dropped packets to them -- and it's a lot of different IPs, not just one subnet for example, quite a big list). We constantly see TCP probes of course (SYN scans), but recently have been seeing large amounts of ESP.
The post is just wondering if there might be an exploit for some devices, maybe not Cisco, but maybe also Cisco
The huge increase in ESP traffic started on Nov 9 and is still happening. Coming from numerous source IPs and going to a large number of destination IPs through our network. Can see it on flow data to way more than our infrastructure IPs.
11-15-2023 02:57 PM
You use DMVPN?
If yes, this ESP packet is an NHRP request encapsulated inside ESP.
Also, I need to check whether the keepalive is also encapsulated inside ESP or not.
11-15-2023 03:01 PM - edited 11-15-2023 03:13 PM
We do not use DMVPN. All of these packets are dropped by our ACLs. It's just very strange that all of a sudden on Nov 9 we are seeing ESP across the board to IPs that should never receive anything, plus all the downstream customer IPs are receiving it too (basically the entire internet is most likely being scanned).
A capture of one of the packets looks like this:
16:50:50.779104 IP (tos 0x3,CE, ttl 248, id 65530, offset 0, flags [none], proto ESP (50), length 1388)
14.226.65.120 > x.x.x.x: ESP(spi=0xadfd0000,seq=0x5589991), length 1368
0x0000: 4503 056c fffa 0000 f832 fdf0 0ee2 4178 E..l.....2....Ax
0x0010: xxxx 29d6 adfd 0000 0558 9991 1100 0000 EA)......X......
0x0020: 3133 3630 0086 4300 1100 0000 810c 0000 1360..C.........
0x0030: 0886 4300 0886 4300 0000 0000 0000 0000 ..C...C.........
0x0040: 0000 0000 0000 0000 1101 0000 610c 0000 ............a...
0x0050: 0886 4300 0886 4300 0000 0000 0000 0000 ..C...C.........
0x0060: 0000 0000 0000 0000 0000 0000 0000 0000 ................
..clipped.. it's all zeroes until the end:
0x0560: 0000 0000 0000 0000 0000 0000 ............
This is just one of the source IPs; there are thousands.
Here's another one to another non-used IP:
17:06:42.079919 IP (tos 0x3,CE, ttl 248, id 65530, offset 0, flags [none], proto ESP (50), length 29)
14.226.65.120 > x.x.0.73: ESP(spi=0xab410000,seq=0x9e9af), length 9
0x0000: 4503 001d fffa 0000 f832 99e7 0ee2 4178 E........2....Ax
0x0010: xxxx 0049 ab41 0000 0009 e9af 1100 0000 .&.I.A..........
0x0020: 0000 0000 0000 0000 0000 0000 0000 ..............
Another:
17:11:36.294249 IP (tos 0xff,CE, ttl 250, id 65530, offset 0, flags [none], proto ESP (50), length 1388)
139.255.10.2 > x.x.19.155: ESP(spi=0xa3230000,seq=0x558527c), length 1368
0x0000: 45ff 056c fffa 0000 fa32 cfe9 8bff 0a02 E..l.....2......
0x0010: xxxx 139b a323 0000 0558 527c 1100 0000 @....#...XR|....
0x0020: 3133 3630 0085 4300 1100 0000 d10b 0000 1360..C.........
0x0030: f885 4300 f885 4300 0000 0000 0000 0000 ..C...C.........
0x0040: 0000 0000 0000 0000 0000 0000 0000 0000 ................
0x0050: 0000 0000 0000 0000 0000 0000 0000 0000 ................
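As an added example (not code from this thread or from Cisco), the script below parses tcpdump hex dumps like the ones quoted above into IPv4/ESP header fields and flags the fingerprints visible in these captures: the low 16 bits of the SPI are zero, the IP ID is always 65530, and the payload is mostly zero bytes, which genuine encrypted ESP never looks like. The sample packets are transcribed from the dumps above with the redacted destination bytes replaced by assumed 192.0.2.0/24 placeholder addresses.

```python
import ipaddress
import struct

# Constructed samples transcribed from the two tcpdump -x dumps quoted above. The
# redacted destination bytes (xxxx) are replaced with 192.0.2.0/24 placeholders.
SHORT_PROBE = """
0x0000: 4503 001d fffa 0000 f832 99e7 0ee2 4178
0x0010: c000 0249 ab41 0000 0009 e9af 1100 0000
0x0020: 0000 0000 0000 0000 0000 0000 0000
"""
LONG_PROBE = """
0x0000: 4503 056c fffa 0000 f832 fdf0 0ee2 4178
0x0010: c000 02d6 adfd 0000 0558 9991 1100 0000
0x0020: 3133 3630 0086 4300 1100 0000 810c 0000
0x0030: 0886 4300 0886 4300 0000 0000 0000 0000
0x0040: 0000 0000 0000 0000 1101 0000 610c 0000
0x0050: 0886 4300 0886 4300 0000 0000 0000 0000
"""

def hexdump_to_bytes(dump: str) -> bytes:
    """Turn 'offset: 4503 001d ...' lines into raw bytes, ignoring any ASCII column."""
    out = bytearray()
    for line in dump.strip().splitlines():
        for tok in line.partition(":")[2].split():
            if len(tok) > 4 or not all(c in "0123456789abcdef" for c in tok.lower()):
                break                      # reached the ASCII column
            out += bytes.fromhex(tok)
    return bytes(out)

def analyse_esp(pkt: bytes) -> dict:
    """Decode IPv4 + ESP headers and apply fingerprints seen in the quoted probes."""
    (ver_ihl, _tos, total_len, ip_id, _frag, ttl, proto,
     _csum, src, dst) = struct.unpack("!BBHHHBBH4s4s", pkt[:20])
    ihl = (ver_ihl & 0x0F) * 4
    if ver_ihl >> 4 != 4 or proto != 50:
        raise ValueError("not an IPv4 packet carrying ESP (protocol 50)")
    spi, seq = struct.unpack("!II", pkt[ihl:ihl + 8])
    payload = pkt[ihl + 8:total_len]       # slicing to total_len drops Ethernet padding
    zero_frac = payload.count(0) / len(payload) if payload else 0.0
    flags = []
    if (spi & 0xFFFF) == 0:
        flags.append("spi_low16_zero")     # 0xadfd0000, 0xab410000, 0xa3230000 in the thread
    if ip_id == 0xFFFA:
        flags.append("ip_id_65530")        # same IP ID in every quoted capture
    if zero_frac > 0.5:
        flags.append("payload_mostly_zero")  # encrypted ESP would be ~1/256 zero bytes
    return {"src": str(ipaddress.IPv4Address(src)), "dst": str(ipaddress.IPv4Address(dst)),
            "ttl": ttl, "spi": spi, "seq": seq, "esp_len": total_len - ihl,
            "captured_payload": len(payload), "truncated": len(pkt) < total_len,
            "zero_fraction": round(zero_frac, 3), "flags": flags}
```

The clipped 1388-byte dump is reported as truncated (only 68 payload bytes were captured), and esp_len matches the "length 9" / "length 1368" tcpdump prints, so the parser can be checked against the original output.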
11-15-2023 03:22 PM
If you use an ACL on the interface facing the internet and drop any IPsec ESP, you will protect your network from this ESP traffic.
Capturing ESP is not useful since the data is encrypted within ESP.
11-15-2023 03:35 PM
I know this. I was posting because normally when there's a lot of traffic of a certain protocol, or even a TCP port number or UDP packets that match a certain pattern, it is an indication of a new exploit or DDoS method. It is not affecting us in any way; I was posting to let the community know to look out for it and also to find out what is going on or why (i.e. I want to know what the exploit is at some point).
11-15-2023 03:40 PM
Many thanks, and also it is a good idea to inform your ISP team about this DDoS; it will affect all customers.
Thanks again
Have a good day
MHM