
Crypto invalid SPI attacks from different internet ip addresses

Jameel Ahmed
Level 1


Hi,

Well, finally I had to come here and post my problem, as I have been working on it for a long time but couldn't understand why this is happening. For the past few days, I have been receiving the following logs on my core router. It looks like some kind of attack, as the same IP addresses were used to cause a fragment table overflow a few months ago.

Here are the logs:

Sep 9 19:41:01.602 PST: %CRYPTO-4-RECVD_PKT_INV_SPI: decaps: rec'd IPSEC packet has invalid spi for destaddr=93.248.110.50, prot=50, spi=0x47455420(1195725856), srcaddr=144.217.181.56, input interface=Vlan125
Sep 9 20:05:06.117 PST: %CRYPTO-4-RECVD_PKT_INV_SPI: decaps: rec'd IPSEC packet has invalid spi for destaddr=29.240.124.18, prot=50, spi=0x47455420(1195725856), srcaddr=144.217.181.56, input interface=GigabitEthernet0/0
Sep 9 20:07:20.912 PST: %CRYPTO-4-RECVD_PKT_INV_SPI: decaps: rec'd IPSEC packet has invalid spi for destaddr=29.244.124.159, prot=50, spi=0x47455420(1195725856), srcaddr=144.217.181.56, input interface=Vlan5
Sep 9 20:08:24.408 PST: %CRYPTO-4-RECVD_PKT_INV_SPI: decaps: rec'd IPSEC packet has invalid spi for destaddr=29.240.124.33, prot=50, spi=0x47455420(1195725856), srcaddr=144.217.181.56, input interface=GigabitEthernet0/0
Sep 9 20:13:30.323 PST: %CRYPTO-4-RECVD_PKT_INV_SPI: decaps: rec'd IPSEC packet has invalid spi for destaddr=29.240.124.32, prot=50, spi=0x47455420(1195725856), srcaddr=144.217.181.56, input interface=GigabitEthernet0/0
Sep 9 20:15:42.206 PST: %CRYPTO-4-RECVD_PKT_INV_SPI: decaps: rec'd IPSEC packet has invalid spi for destaddr=65.194.58.142, prot=50, spi=0x47455420(1195725856), srcaddr=144.217.181.56, input interface=Vlan5
Sep 9 20:21:26.385 PST: %CRYPTO-4-RECVD_PKT_INV_SPI: decaps: rec'd IPSEC packet has invalid spi for destaddr=27.246.58.122, prot=50, spi=0x47455420(1195725856), srcaddr=144.217.181.56, input interface=Vlan75
Sep 10 01:49:11.332 PST: %CRYPTO-4-RECVD_PKT_INV_SPI: decaps: rec'd IPSEC packet has invalid spi for destaddr=29.240.124.18, prot=50, spi=0x20C96B00(550071040), srcaddr=182.184.108.16, input interface=GigabitEthernet0/0
Sep 10 10:39:29.699 PST: %CRYPTO-4-RECVD_PKT_INV_SPI: decaps: rec'd IPSEC packet has invalid spi for destaddr=29.240.124.18, prot=50, spi=0x5EF172B8(1592881848), srcaddr=27.230.58.228, input interface=GigabitEthernet0/0
Sep 10 16:45:33.730 PST: %CRYPTO-4-RECVD_PKT_INV_SPI: decaps: rec'd IPSEC packet has invalid spi for destaddr=29.240.124.18, prot=50, spi=0x37EA7053(938111059), srcaddr=27.246.58.178, input interface=GigabitEthernet0/0

These IP addresses are causing invalid SPI errors even on those interfaces where I haven't enabled ISAKMP.

What are those? Is this some kind of attack? Are they trying to bring my router down or what? Or trying to hijack VPN sessions?

Or has the preshared key of my site-to-site VPN peers been hacked?
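
A triage sketch for the log lines in the post above, added here as an example and not part of the original thread: it groups invalid-SPI events by source address and decodes each SPI's four bytes, which shows that 0x47455420 is the ASCII text "GET ". The function names and the `known_peers` parameter are assumptions of this example.

```python
import re
from collections import defaultdict

# Fields of an IOS %CRYPTO-4-RECVD_PKT_INV_SPI message, as seen in the logs above.
INV_SPI = re.compile(
    r"%CRYPTO-4-RECVD_PKT_INV_SPI: .*?destaddr=(?P<dst>[\d.]+), "
    r"prot=(?P<prot>\d+), spi=0x(?P<spi>[0-9A-Fa-f]{1,8})\(\d+\), "
    r"srcaddr=(?P<src>[\d.]+), input interface=(?P<ifc>\S+)"
)

def spi_as_text(spi_hex):
    """Return the SPI's four bytes as ASCII if all are printable, else None."""
    raw = bytes.fromhex(spi_hex.zfill(8))
    return raw.decode("ascii") if all(0x20 <= b <= 0x7E for b in raw) else None

def summarize(lines, known_peers=frozenset()):
    """Group invalid-SPI events by source address (known_peers is hypothetical)."""
    by_src = defaultdict(lambda: {"count": 0, "dsts": set(), "ifcs": set(), "spis": set()})
    for line in lines:
        m = INV_SPI.search(line)
        if not m:
            continue
        rec = by_src[m["src"]]
        rec["count"] += 1
        rec["dsts"].add(m["dst"])
        rec["ifcs"].add(m["ifc"])
        rec["spis"].add(m["spi"].upper())
    report = {}
    for src, rec in by_src.items():
        report[src] = {
            "count": rec["count"],
            "distinct_dsts": len(rec["dsts"]),
            "interfaces": sorted(rec["ifcs"]),
            "known_peer": src in known_peers,
            # Printable SPI bytes look like text, not a negotiated SA identifier.
            "ascii_spis": sorted(t for t in map(spi_as_text, rec["spis"]) if t),
        }
    return report

# Sample input: three lines copied from the post above.
SAMPLE = [
    "Sep 9 19:41:01.602 PST: %CRYPTO-4-RECVD_PKT_INV_SPI: decaps: rec'd IPSEC packet has invalid spi for destaddr=93.248.110.50, prot=50, spi=0x47455420(1195725856), srcaddr=144.217.181.56, input interface=Vlan125",
    "Sep 9 20:05:06.117 PST: %CRYPTO-4-RECVD_PKT_INV_SPI: decaps: rec'd IPSEC packet has invalid spi for destaddr=29.240.124.18, prot=50, spi=0x47455420(1195725856), srcaddr=144.217.181.56, input interface=GigabitEthernet0/0",
    "Sep 10 01:49:11.332 PST: %CRYPTO-4-RECVD_PKT_INV_SPI: decaps: rec'd IPSEC packet has invalid spi for destaddr=29.240.124.18, prot=50, spi=0x20C96B00(550071040), srcaddr=182.184.108.16, input interface=GigabitEthernet0/0",
]

if __name__ == "__main__":
    for src, info in summarize(SAMPLE).items():
        print(src, info)
```

Passing the addresses of the configured site-to-site peers as `known_peers` separates a real peer with a stale SA from sources that have no tunnel to this router at all.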

7 Replies

This message means that you received an encrypted packet, but since you
don't have an active SA, the packets were dropped. It can be a misconfigured
VPN peer or an attack. If you aren't running VPN anyway, configure an ACL
on the interface to deny udp any any eq 4500 and deny udp any any eq 500.
This way you won't see these packets and will protect router resources.

I'm running a few site-to-site and remote access VPNs on this router, but the addresses in the logs don't belong to any client or remote branch of ours.

First I was receiving IP fragment attacks from these IP addresses, but when I blocked them there, they started to do these VPN attacks.

What happens when you enable invalid-spi-recovery on the router?

It has already been enabled for a long time.

Can we prevent this attack?

Same logs, same IP address and everything. Looks like an attacker to me.

Yes, it is an attack for sure. I am waiting for someone to come up and help us.