Beginner

Crypto invalid SPI attacks from different internet ip addresses


Hi,

Well, I finally had to come here and post my problem, as I have been working on it for a long time but couldn't understand why this is happening. For the past few days, I have been receiving the following logs on my core router. It looks like some kind of attack, as the same IP addresses were used to cause a fragment table overflow a few months ago.

Here are the logs:

Sep 9 19:41:01.602 PST: %CRYPTO-4-RECVD_PKT_INV_SPI: decaps: rec'd IPSEC packet has invalid spi for destaddr=93.248.110.50, prot=50, spi=0x47455420(1195725856), srcaddr=144.217.181.56, input interface=Vlan125
Sep 9 20:05:06.117 PST: %CRYPTO-4-RECVD_PKT_INV_SPI: decaps: rec'd IPSEC packet has invalid spi for destaddr=29.240.124.18, prot=50, spi=0x47455420(1195725856), srcaddr=144.217.181.56, input interface=GigabitEthernet0/0
Sep 9 20:07:20.912 PST: %CRYPTO-4-RECVD_PKT_INV_SPI: decaps: rec'd IPSEC packet has invalid spi for destaddr=29.244.124.159, prot=50, spi=0x47455420(1195725856), srcaddr=144.217.181.56, input interface=Vlan5
Sep 9 20:08:24.408 PST: %CRYPTO-4-RECVD_PKT_INV_SPI: decaps: rec'd IPSEC packet has invalid spi for destaddr=29.240.124.33, prot=50, spi=0x47455420(1195725856), srcaddr=144.217.181.56, input interface=GigabitEthernet0/0
Sep 9 20:13:30.323 PST: %CRYPTO-4-RECVD_PKT_INV_SPI: decaps: rec'd IPSEC packet has invalid spi for destaddr=29.240.124.32, prot=50, spi=0x47455420(1195725856), srcaddr=144.217.181.56, input interface=GigabitEthernet0/0
Sep 9 20:15:42.206 PST: %CRYPTO-4-RECVD_PKT_INV_SPI: decaps: rec'd IPSEC packet has invalid spi for destaddr=65.194.58.142, prot=50, spi=0x47455420(1195725856), srcaddr=144.217.181.56, input interface=Vlan5
Sep 9 20:21:26.385 PST: %CRYPTO-4-RECVD_PKT_INV_SPI: decaps: rec'd IPSEC packet has invalid spi for destaddr=27.246.58.122, prot=50, spi=0x47455420(1195725856), srcaddr=144.217.181.56, input interface=Vlan75
Sep 10 01:49:11.332 PST: %CRYPTO-4-RECVD_PKT_INV_SPI: decaps: rec'd IPSEC packet has invalid spi for destaddr=29.240.124.18, prot=50, spi=0x20C96B00(550071040), srcaddr=182.184.108.16, input interface=GigabitEthernet0/0
Sep 10 10:39:29.699 PST: %CRYPTO-4-RECVD_PKT_INV_SPI: decaps: rec'd IPSEC packet has invalid spi for destaddr=29.240.124.18, prot=50, spi=0x5EF172B8(1592881848), srcaddr=27.230.58.228, input interface=GigabitEthernet0/0
Sep 10 16:45:33.730 PST: %CRYPTO-4-RECVD_PKT_INV_SPI: decaps: rec'd IPSEC packet has invalid spi for destaddr=29.240.124.18, prot=50, spi=0x37EA7053(938111059), srcaddr=27.246.58.178, input interface=GigabitEthernet0/0

These IP addresses are causing invalid SPI errors even on those interfaces where I haven't enabled ISAKMP.

What are those? Is this some kind of attack? Are they trying to bring my router down or what? Or trying to hijack VPN sessions?

Or has the preshared key of my site-to-site VPN peers been hacked?

7 REPLIES 7
VIP Advisor

Re: Crypto invalid SPI attacks from different internet ip addresses

This message means that you received an encrypted packet but since you
don't have an active SA, the packets were dropped. It can be a misconfigured
VPN peer or an attack. If you aren't running VPN anyway, configure an ACL
on the interface to deny udp any any eq 4500 and deny udp any any eq 500.
This way you won't see these packets and will protect router resources.
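
The triage implied by the reply above (misconfigured peer versus something else), as an added example that is not part of the original thread: it parses the `%CRYPTO-4-RECVD_PKT_INV_SPI` lines from the post, groups them by source, and decodes each SPI as ASCII, since the repeated `0x47455420` is the four bytes `GET `. The `known_peers` parameter and the verdict rules are assumptions made for this example, not Cisco guidance.

```python
import re
from collections import defaultdict

# Fields of an IOS %CRYPTO-4-RECVD_PKT_INV_SPI message, as seen in the post.
LINE_RE = re.compile(
    r"%CRYPTO-4-RECVD_PKT_INV_SPI:.*?destaddr=(?P<dst>[\d.]+), prot=\d+, "
    r"spi=0x(?P<spi>[0-9A-Fa-f]{1,8})\(\d+\), srcaddr=(?P<src>[\d.]+), "
    r"input interface=(?P<ifc>\S+)"
)

# Four of the log lines from the original post, used as sample input.
SAMPLE = """\
Sep 9 19:41:01.602 PST: %CRYPTO-4-RECVD_PKT_INV_SPI: decaps: rec'd IPSEC packet has invalid spi for destaddr=93.248.110.50, prot=50, spi=0x47455420(1195725856), srcaddr=144.217.181.56, input interface=Vlan125
Sep 9 20:07:20.912 PST: %CRYPTO-4-RECVD_PKT_INV_SPI: decaps: rec'd IPSEC packet has invalid spi for destaddr=29.244.124.159, prot=50, spi=0x47455420(1195725856), srcaddr=144.217.181.56, input interface=Vlan5
Sep 10 01:49:11.332 PST: %CRYPTO-4-RECVD_PKT_INV_SPI: decaps: rec'd IPSEC packet has invalid spi for destaddr=29.240.124.18, prot=50, spi=0x20C96B00(550071040), srcaddr=182.184.108.16, input interface=GigabitEthernet0/0
Sep 10 10:39:29.699 PST: %CRYPTO-4-RECVD_PKT_INV_SPI: decaps: rec'd IPSEC packet has invalid spi for destaddr=29.240.124.18, prot=50, spi=0x5EF172B8(1592881848), srcaddr=27.230.58.228, input interface=GigabitEthernet0/0
"""

def spi_as_ascii(spi_hex):
    """Return the SPI as text if all four bytes are printable ASCII, else None."""
    raw = bytes.fromhex(spi_hex.zfill(8))
    return raw.decode("ascii") if all(0x20 <= b < 0x7F for b in raw) else None

def triage(log_text, known_peers=()):
    """Group invalid-SPI events by source and attach a heuristic verdict."""
    stats = defaultdict(
        lambda: {"count": 0, "dests": set(), "ifaces": set(), "ascii_spis": set()}
    )
    for m in LINE_RE.finditer(log_text):
        s = stats[m["src"]]
        s["count"] += 1
        s["dests"].add(m["dst"])
        s["ifaces"].add(m["ifc"])
        text = spi_as_ascii(m["spi"])
        if text is not None:  # a negotiated SPI rarely spells readable text
            s["ascii_spis"].add(text)
    for src, s in stats.items():  # assumed rules, tune for your environment
        if src in known_peers:
            s["verdict"] = "known peer: stale or mismatched SA"
        elif s["ascii_spis"] or len(s["dests"]) > 1:
            s["verdict"] = "not a peer: probe or non-IPsec payload"
        else:
            s["verdict"] = "unknown source: single destination"
    return dict(stats)

if __name__ == "__main__":
    for src, s in triage(SAMPLE).items():
        print(src, s["count"], sorted(s["dests"]), sorted(s["ascii_spis"]), s["verdict"])
```
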
Beginner

Re: Crypto invalid SPI attacks from different internet ip addresses

I'm running a few site-to-site and remote access VPNs on this router, but the addresses in the logs don't belong to any client or remote branch of ours.

First I was receiving IP fragment attacks from these IP addresses, but when I blocked them there, they started to do these VPN attacks.
VIP Advisor

Re: Crypto invalid SPI attacks from different internet ip addresses

What happens when you enable invalid-spi-recovery on the router?
Beginner

Re: Crypto invalid SPI attacks from different internet ip addresses

It has been enabled already for a long time.
Beginner

Re: Crypto invalid SPI attacks from different internet ip addresses

Can we prevent this attack?

Re: Crypto invalid SPI attacks from different internet ip addresses

Same logs, same IP address and everything. Looks like an attacker to me.

Beginner

Re: Crypto invalid SPI attacks from different internet ip addresses

Yes, it is an attack for sure. I am waiting for someone to come up and help us.