udp 500 packets when users are web browsing
We are seeing udp 500 packets being dropped at our firewall from users' browsing sessions. These are users on a 2008 R2 AD setup with Windows 7. Source and destination ports are udp 500 and the pattern of drops directly correlates to the web browsing activity. We have confirmed this with tcpdump of port 500 and a single host and watching the pattern of traffic as they browse. This also occurs no matter what browser is used.

Can anyone shine some light on what may be using udp 500 when web browsing?

Robert
On 03 Sep 2015, at 13:35 , Robert Webb <rwebb@ropeguru.com> wrote:

> We are seeing udp 500 packets being dropped at our firewall from users' browsing sessions. These are users on a 2008 R2 AD setup with Windows 7.
> Source and destination ports are udp 500 and the pattern of drops directly correlates to the web browsing activity. We have confirmed this with tcpdump of port 500 and a single host and watching the pattern of traffic as they browse. This also occurs no matter what browser is used.
> Can anyone shine some light on what may be using udp 500 when web browsing?

The VPN using IPsec UDP-Encap connection that supposedly gets through NAT? Have you checked the content with tcpdump? Do you have fragments by any chance?
There is no VPN in the picture here. These are straight workstations on the network that the packets are coming from.

According to a packet capture in Wireshark, these are isakmp packets reaching out to host names of web sites that are being browsed. So destinations are sites like twitter, facebook, amazon, cnn, etc.

We have further discovered that they seem to be initiated from the Windows 7 svchost, but we have not been able to find documentation as to how or why this is occurring.

Robert

On Thu, 3 Sep 2015 13:42:21 +0000 "Bjoern A. Zeeb" <bzeeb-lists@lists.zabbadoz.net> wrote:
> The VPN using IPsec UDP-Encap connection that supposedly gets through NAT? Have you checked the content with tcpdump? Do you have fragments by any chance?
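As an added example (not code from the thread), a small Python triage script that decodes the fixed ISAKMP header of UDP/500 payloads, as Wireshark does, and counts opening IKE messages that a workstation sends per destination, which is exactly the pattern described above: first messages of a negotiation that never get a reply because the firewall drops them. The addresses and datagrams are constructed test data.

```python
import struct
from collections import Counter
ISAKMP_HDR = struct.Struct("!8s8sBBBBII")  # 28-byte fixed IKE header (RFC 2408 / RFC 7296), network order
EXCHANGE_TYPES = {2: "IKEv1 Main Mode", 4: "IKEv1 Aggressive Mode", 5: "IKEv1 Informational",
                  32: "IKEv1 Quick Mode", 34: "IKEv2 IKE_SA_INIT", 35: "IKEv2 IKE_AUTH",
                  36: "IKEv2 CREATE_CHILD_SA", 37: "IKEv2 INFORMATIONAL"}

def parse_isakmp(payload: bytes) -> dict:
    """Decode the fixed header of a UDP/500 payload; raises ValueError if truncated."""
    if len(payload) < ISAKMP_HDR.size:
        raise ValueError("payload shorter than the 28-byte ISAKMP header")
    ispi, rspi, _next, version, exch, flags, msg_id, length = ISAKMP_HDR.unpack_from(payload)
    major = version >> 4  # 1 = IKEv1, 2 = IKEv2
    return {
        "ike_major": major,
        "exchange": EXCHANGE_TYPES.get(exch, f"unknown({exch})"),
        "initiator_spi": ispi.hex(),
        # All-zero responder SPI/cookie: nobody has answered yet, so this is the opening
        # message of a new negotiation (the packets that pile up at a firewall that drops them).
        "opening_message": rspi == bytes(8),
        # IKEv2 marks replies with the R flag (0x20); IKEv1 has no such bit.
        "is_response": major == 2 and bool(flags & 0x20),
        "message_id": msg_id,
        "length_ok": length == len(payload),
    }

def unanswered_initiations(records) -> Counter:
    """Count opening IKE messages per (src, dst) over (src, dst, udp_payload) triples."""
    hits = Counter()
    for src, dst, payload in records:
        try:
            hdr = parse_isakmp(payload)
        except ValueError:
            continue  # not IKE, or truncated: ignore
        if hdr["opening_message"] and not hdr["is_response"] and hdr["length_ok"]:
            hits[(src, dst)] += 1
    return hits

def _ike(ispi: bytes, version: int, exch: int, flags: int = 0, body: int = 40) -> bytes:
    """Constructed datagram for testing: valid header followed by a zero-filled body."""
    return ISAKMP_HDR.pack(ispi, bytes(8), 1, version, exch, flags, 0, ISAKMP_HDR.size + body) + bytes(body)

# Constructed sample (RFC 5737 addresses): one workstation opening IKEv1 Main Mode towards
# two web hosts, one IKEv2 IKE_SA_INIT, and one junk datagram that must be ignored.
SAMPLE = [("10.0.0.25", "203.0.113.10", _ike(b"\x01" * 8, 0x10, 2)),
          ("10.0.0.25", "203.0.113.10", _ike(b"\x02" * 8, 0x10, 2)),
          ("10.0.0.25", "203.0.113.20", _ike(b"\x03" * 8, 0x10, 2)),
          ("10.0.0.25", "198.51.100.5", _ike(b"\x04" * 8, 0x20, 34, flags=0x08)),
          ("10.0.0.25", "198.51.100.5", b"\x00" * 10)]
```

Feed it the UDP payloads from a `tcpdump -w` capture filtered on `udp port 500` and the (src, dst) pairs with many opening messages and no responses are the hosts whose IPsec policy is trying to negotiate with web servers.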
Sounds like Opportunistic Encryption.

https://en.wikipedia.org/wiki/Opportunistic_encryption#Windows_OS

On Thu, Sep 03, 2015 at 09:53:46AM -0400, Robert Webb wrote:
> There is no VPN in the picture here. These are straight workstations on the network that the packets are coming from.
> According to a packet capture in Wireshark, these are isakmp packets reaching out to host names of web sites that are being browsed. So destinations are sites like twitter, facebook, amazon, cnn, etc.
> We have further discovered that they seem to be initiated from the Windows 7 svchost, but we have not been able to find documentation as to how or why this is occurring.
Precisely.

On Thu, Sep 3, 2015 at 10:14 AM, Chuck Anderson <cra@wpi.edu> wrote:
> Sounds like Opportunistic Encryption.
> https://en.wikipedia.org/wiki/Opportunistic_encryption#Windows_OS
-- :o@>
You can configure Windows to encrypt traffic based on protocol definitions. E.g., use IPsec to encrypt all traffic on port 80 between hosts X and hosts Y.

It's possible that such a policy is in place locally on the workstations and/or servers, and it's also possible that it's being enforced using GPOs.

On Thu, Sep 3, 2015 at 9:53 AM, Robert Webb <rwebb@ropeguru.com> wrote:
> There is no VPN in the picture here. These are straight workstations on the network that the packets are coming from.
> According to a packet capture in Wireshark, these are isakmp packets reaching out to host names of web sites that are being browsed. So destinations are sites like twitter, facebook, amazon, cnn, etc.
> We have further discovered that they seem to be initiated from the Windows 7 svchost, but we have not been able to find documentation as to how or why this is occurring.
Yes, we are looking at this now.

Thanks for everyone's help. I think we are heading in the right direction tracking this down. This just showed up in our monitoring and makes sense as we just brought up a new locked down domain.

Robert

On Thu, 3 Sep 2015 10:19:53 -0400 "Oliver O'Boyle" <oliver.oboyle@gmail.com> wrote:
> You can configure Windows to encrypt traffic based on protocol definitions. E.g., use IPsec to encrypt all traffic on port 80 between hosts X and hosts Y.
> It's possible that such a policy is in place locally on the workstations and/or servers, and it's also possible that it's being enforced using GPOs.
That would do it. Almost certainly enforced by GPO in that case, so at least it's easy to change if you need to.

On Thu, Sep 3, 2015 at 10:25 AM, Robert Webb <rwebb@ropeguru.com> wrote:
> Yes, we are looking at this now.
> Thanks for everyone's help. I think we are heading in the right direction tracking this down. This just showed up in our monitoring and makes sense as we just brought up a new locked down domain.
> Robert
participants (4)
- Bjoern A. Zeeb
- Chuck Anderson
- Oliver O'Boyle
- Robert Webb