Unexplainable router log entries mentioning IPSEC from Yahoo IPs
Curious if someone can point me in the right direction. In the last three days our core router (Cisco 7609) has logged the following events:

Dec 16 19:04:59.027 CST: %CRYPTO-4-RECVD_PKT_INV_SPI: decaps: rec'd IPSEC packet has invalid spi for destaddr=<redacted>, prot=50, spi=0xEF7ED795(4018067349), srcaddr=68.180.160.18, input interface=Vlan20
Dec 16 20:41:47.822 CST: %CRYPTO-4-RECVD_PKT_INV_SPI: decaps: rec'd IPSEC packet has invalid spi for destaddr=<redacted>, prot=50, spi=0xEF7ED795(4018067349), srcaddr=203.84.212.18, input interface=Vlan20
Dec 16 21:28:12.667 CST: %CRYPTO-4-RECVD_PKT_INV_SPI: decaps: rec'd IPSEC packet has invalid spi for destaddr=<redacted>, prot=50, spi=0xEF7ED795(4018067349), srcaddr=68.180.160.36, input interface=Vlan21
Dec 16 22:22:40.558 CST: %CRYPTO-4-RECVD_PKT_INV_SPI: decaps: rec'd IPSEC packet has invalid spi for destaddr=<redacted>, prot=50, spi=0xEF7ED795(4018067349), srcaddr=68.180.160.104, input interface=Vlan21
Dec 16 22:42:17.404 CST: %CRYPTO-4-RECVD_PKT_INV_SPI: decaps: rec'd IPSEC packet has invalid spi for destaddr=<redacted>, prot=50, spi=0xEF7ED795(4018067349), srcaddr=68.180.160.104, input interface=Vlan20
Dec 17 00:04:34.704 CST: %CRYPTO-4-RECVD_PKT_INV_SPI: decaps: rec'd IPSEC packet has invalid spi for destaddr=<redacted>, prot=50, spi=0xEF7ED795(4018067349), srcaddr=68.180.160.34, input interface=Vlan21
Dec 17 00:05:41.656 CST: %CRYPTO-4-RECVD_PKT_INV_SPI: decaps: rec'd IPSEC packet has invalid spi for destaddr=<redacted>, prot=50, spi=0xEF7ED795(4018067349), srcaddr=68.180.160.103, input interface=Vlan20
Dec 17 08:54:29.583 CST: %CRYPTO-4-RECVD_PKT_INV_SPI: decaps: rec'd IPSEC packet has invalid spi for destaddr=<redacted>, prot=50, spi=0x4CF4BE5D(1291107933), srcaddr=68.180.160.104, input interface=Vlan21
Dec 17 09:20:31.881 CST: %CRYPTO-4-RECVD_PKT_INV_SPI: decaps: rec'd IPSEC packet has invalid spi for destaddr=<redacted>, prot=50, spi=0x4CF4BE5D(1291107933), srcaddr=68.180.160.37, input interface=Vlan21
Dec 17 19:45:29.615 CST: %CRYPTO-4-RECVD_PKT_INV_SPI: decaps: rec'd IPSEC packet has invalid spi for destaddr=<redacted>, prot=50, spi=0x4CF4BE5D(1291107933), srcaddr=203.84.212.36, input interface=Vlan20
Dec 17 19:59:52.663 CST: %CRYPTO-4-RECVD_PKT_INV_SPI: decaps: rec'd IPSEC packet has invalid spi for destaddr=<redacted>, prot=50, spi=0x4CF4BE5D(1291107933), srcaddr=203.84.212.24, input interface=Vlan20
Dec 17 23:20:02.869 CST: %CRYPTO-4-RECVD_PKT_INV_SPI: decaps: rec'd IPSEC packet has invalid spi for destaddr=<redacted>, prot=50, spi=0x4CF4BE5D(1291107933), srcaddr=68.180.160.99, input interface=Vlan21
Dec 18 00:15:19.536 CST: %CRYPTO-4-RECVD_PKT_INV_SPI: decaps: rec'd IPSEC packet has invalid spi for destaddr=<redacted>, prot=50, spi=0x4CF4BE5D(1291107933), srcaddr=203.84.212.53, input interface=Vlan21
Dec 18 00:43:00.158 CST: %CRYPTO-4-RECVD_PKT_INV_SPI: decaps: rec'd IPSEC packet has invalid spi for destaddr=<redacted>, prot=50, spi=0x4CF4BE5D(1291107933), srcaddr=68.180.160.101, input interface=Vlan20
Dec 18 00:44:52.018 CST: %CRYPTO-4-RECVD_PKT_INV_SPI: decaps: rec'd IPSEC packet has invalid spi for destaddr=<redacted>, prot=50, spi=0x4CF4BE5D(1291107933), srcaddr=68.180.160.100, input interface=Vlan21

All the destination IP addresses are in one of two categories:
- router interface
- inactive IP (no ARP entry)

Vlans 20 and 21 are the Vlans facing our two edge/border routers.

If I do a PTR lookup of each source IP, they're all some kind of cryptographic server in Yahoo's network:

203.84.212.18|18.212.84.203.in-addr.arpa domain name pointer lo301.cry1.sg3.yahoo.com.
203.84.212.24|24.212.84.203.in-addr.arpa domain name pointer lo303.cry2.sg3.yahoo.com.
203.84.212.36|36.212.84.203.in-addr.arpa domain name pointer lo303.cry1.tw1.yahoo.com.
203.84.212.53|53.212.84.203.in-addr.arpa domain name pointer lo300.cry2.tp2.yahoo.com.
68.180.160.100|100.160.180.68.in-addr.arpa domain name pointer lo303.cry1.md2.yahoo.com.
68.180.160.101|101.160.180.68.in-addr.arpa domain name pointer lo300.cry2.md2.yahoo.com.
68.180.160.103|103.160.180.68.in-addr.arpa domain name pointer lo302.cry2.md2.yahoo.com.
68.180.160.104|104.160.180.68.in-addr.arpa domain name pointer lo303.cry2.md2.yahoo.com.
68.180.160.18|18.160.180.68.in-addr.arpa domain name pointer lo301.cry1.ne1.yahoo.com.
68.180.160.34|34.160.180.68.in-addr.arpa domain name pointer lo301.cry1.bf1.yahoo.com.
68.180.160.36|36.160.180.68.in-addr.arpa domain name pointer lo303.cry1.bf1.yahoo.com.
68.180.160.37|37.160.180.68.in-addr.arpa domain name pointer lo300.cry2.bf1.yahoo.com.
68.180.160.99|99.160.180.68.in-addr.arpa domain name pointer lo302.cry1.md2.yahoo.com.

Any idea what's going on here? It's as if our 7600 is inspecting this traffic (presumably because it's not transit, it's being processed by the CPU) and seeing something special about it. Even if the router is not behaving correctly, why is Yahoo sending that kind of traffic to those IPs?

Frank
AS53347
Frank- I'll contact you directly about this.

On Fri, Dec 18, 2020 at 1:20 PM Frank Bulk <frnkblk@iname.com> wrote:
> Curious if someone can point me in the right direction. In the last three days our core router (Cisco 7609) has logged the following events:
> [...]
Yes, we saw them as well:

Dec 18 10:02:00: %CRYPTO-4-RECVD_PKT_INV_SPI: decaps: rec'd IPSEC packet has invalid spi for destaddr=<redacted> prot=50 spi=0x4CF4BE5D(1291107933) srcaddr=68.180.160.102
Dec 18 08:55:18: %CRYPTO-4-RECVD_PKT_INV_SPI: decaps: rec'd IPSEC packet has invalid spi for destaddr=<redacted> prot=50 spi=0x4CF4BE5D(1291107933) srcaddr=68.180.160.2
Dec 18 08:05:30: %CRYPTO-4-RECVD_PKT_INV_SPI: decaps: rec'd IPSEC packet has invalid spi for destaddr=<redacted> prot=50 spi=0x4CF4BE5D(1291107933) srcaddr=68.180.160.4
Dec 18 07:47:35: %CRYPTO-4-RECVD_PKT_INV_SPI: decaps: rec'd IPSEC packet has invalid spi for destaddr=<redacted> prot=50 spi=0x4CF4BE5D(1291107933) srcaddr=68.180.160.19
Dec 18 07:15:34: %CRYPTO-4-RECVD_PKT_INV_SPI: decaps: rec'd IPSEC packet has invalid spi for destaddr=<redacted> prot=50 spi=0x4CF4BE5D(1291107933) srcaddr=68.180.160.38
Dec 18 07:09:59: %CRYPTO-4-RECVD_PKT_INV_SPI: decaps: rec'd IPSEC packet has invalid spi for destaddr=<redacted> prot=50 spi=0x4CF4BE5D(1291107933) srcaddr=68.180.160.100
Dec 18 06:54:57: %CRYPTO-4-RECVD_PKT_INV_SPI: decaps: rec'd IPSEC packet has invalid spi for destaddr=<redacted> prot=50 spi=0x4CF4BE5D(1291107933) srcaddr=68.180.160.22
Dec 18 06:46:54: %CRYPTO-4-RECVD_PKT_INV_SPI: decaps: rec'd IPSEC packet has invalid spi for destaddr=<redacted> prot=50 spi=0x4CF4BE5D(1291107933) srcaddr=68.180.160.17
Dec 18 06:38:24: %CRYPTO-4-RECVD_PKT_INV_SPI: decaps: rec'd IPSEC packet has invalid spi for destaddr=<redacted> prot=50 spi=0x4CF4BE5D(1291107933) srcaddr=203.84.212.35
Dec 18 06:11:09: %CRYPTO-4-RECVD_PKT_INV_SPI: decaps: rec'd IPSEC packet has invalid spi for destaddr=<redacted> prot=50 spi=0x4CF4BE5D(1291107933) srcaddr=68.180.160.101
Dec 18 05:50:20: %CRYPTO-4-RECVD_PKT_INV_SPI: decaps: rec'd IPSEC packet has invalid spi for destaddr=<redacted> prot=50 spi=0x4CF4BE5D(1291107933) srcaddr=68.180.160.35
Dec 18 05:49:23: %CRYPTO-4-RECVD_PKT_INV_SPI: decaps: rec'd IPSEC packet has invalid spi for destaddr=<redacted> prot=50 spi=0x4CF4BE5D(1291107933) srcaddr=68.180.160.7
Dec 18 05:42:18: %CRYPTO-4-RECVD_PKT_INV_SPI: decaps: rec'd IPSEC packet has invalid spi for destaddr=<redacted> prot=50 spi=0x4CF4BE5D(1291107933) srcaddr=68.180.160.33
Dec 18 05:30:41: %CRYPTO-4-RECVD_PKT_INV_SPI: decaps: rec'd IPSEC packet has invalid spi for destaddr=<redacted> prot=50 spi=0x4CF4BE5D(1291107933) srcaddr=68.180.160.8
Dec 18 05:24:58: %CRYPTO-4-RECVD_PKT_INV_SPI: decaps: rec'd IPSEC packet has invalid spi for destaddr=<redacted> prot=50 spi=0x4CF4BE5D(1291107933) srcaddr=203.84.212.21
Dec 18 03:19:04: %CRYPTO-4-RECVD_PKT_INV_SPI: decaps: rec'd IPSEC packet has invalid spi for destaddr=<redacted> prot=50 spi=0x4CF4BE5D(1291107933) srcaddr=68.180.160.18
Dec 18 05:11:08: %CRYPTO-4-RECVD_PKT_INV_SPI: decaps: rec'd IPSEC packet has invalid spi for destaddr=<redacted> prot=50 spi=0x4CF4BE5D(1291107933) srcaddr=68.180.160.8
Dec 18 05:09:08: %CRYPTO-4-RECVD_PKT_INV_SPI: decaps: rec'd IPSEC packet has invalid spi for destaddr=<redacted> prot=50 spi=0x4CF4BE5D(1291107933) srcaddr=68.180.160.33
Dec 18 04:59:50: %CRYPTO-4-RECVD_PKT_INV_SPI: decaps: rec'd IPSEC packet has invalid spi for destaddr=<redacted> prot=50 spi=0x4CF4BE5D(1291107933) srcaddr=203.84.212.49
Dec 18 04:49:09: %CRYPTO-4-RECVD_PKT_INV_SPI: decaps: rec'd IPSEC packet has invalid spi for destaddr=<redacted> prot=50 spi=0x4CF4BE5D(1291107933) srcaddr=203.84.212.35
Dec 18 04:28:32: %CRYPTO-4-RECVD_PKT_INV_SPI: decaps: rec'd IPSEC packet has invalid spi for destaddr=<redacted> prot=50 spi=0x4CF4BE5D(1291107933) srcaddr=203.84.212.52
Dec 18 02:23:25: %CRYPTO-4-RECVD_PKT_INV_SPI: decaps: rec'd IPSEC packet has invalid spi for destaddr=<redacted> prot=50 spi=0x4CF4BE5D(1291107933) srcaddr=68.180.160.101
Dec 18 04:10:48: %CRYPTO-4-RECVD_PKT_INV_SPI: decaps: rec'd IPSEC packet has invalid spi for destaddr=<redacted> prot=50 spi=0x4CF4BE5D(1291107933) srcaddr=68.180.160.38
Dec 18 03:13:41: %CRYPTO-4-RECVD_PKT_INV_SPI: decaps: rec'd IPSEC packet has invalid spi for destaddr=<redacted> prot=50 spi=0x4CF4BE5D(1291107933) srcaddr=203.84.212.36
Dec 18 02:53:18: %CRYPTO-4-RECVD_PKT_INV_SPI: decaps: rec'd IPSEC packet has invalid spi for destaddr=<redacted> prot=50 spi=0x4CF4BE5D(1291107933) srcaddr=203.84.212.20
Dec 18 02:49:16: %CRYPTO-4-RECVD_PKT_INV_SPI: decaps: rec'd IPSEC packet has invalid spi for destaddr=<redacted> prot=50 spi=0x4CF4BE5D(1291107933) srcaddr=203.84.212.51
Dec 18 02:45:59: %CRYPTO-4-RECVD_PKT_INV_SPI: decaps: rec'd IPSEC packet has invalid spi for destaddr=<redacted> prot=50 spi=0x4CF4BE5D(1291107933) srcaddr=66.196.91.232
Dec 18 02:42:21: %CRYPTO-4-RECVD_PKT_INV_SPI: decaps: rec'd IPSEC packet has invalid spi for destaddr=<redacted> prot=50 spi=0x4CF4BE5D(1291107933) srcaddr=203.84.212.23
Dec 18 02:33:05: %CRYPTO-4-RECVD_PKT_INV_SPI: decaps: rec'd IPSEC packet has invalid spi for destaddr=<redacted> prot=50 spi=0x4CF4BE5D(1291107933) srcaddr=203.84.212.37
Dec 18 02:30:46: %CRYPTO-4-RECVD_PKT_INV_SPI: decaps: rec'd IPSEC packet has invalid spi for destaddr=<redacted> prot=50 spi=0x4CF4BE5D(1291107933) srcaddr=203.84.212.50
Dec 18 02:23:02: %CRYPTO-4-RECVD_PKT_INV_SPI: decaps: rec'd IPSEC packet has invalid spi for destaddr=<redacted> prot=50 spi=0x4CF4BE5D(1291107933) srcaddr=203.84.212.20
Dec 18 00:57:45: %CRYPTO-4-RECVD_PKT_INV_SPI: decaps: rec'd IPSEC packet has invalid spi for destaddr=<redacted> prot=50 spi=0x4CF4BE5D(1291107933) srcaddr=203.84.212.50
Dec 17 17:06:12: %CRYPTO-4-RECVD_PKT_INV_SPI: decaps: rec'd IPSEC packet has invalid spi for destaddr=<redacted> prot=50 spi=0x4CF4BE5D(1291107933) srcaddr=68.180.160.18
Dec 17 14:45:06.899: %CRYPTO-4-RECVD_PKT_INV_SPI: decaps: rec'd IPSEC packet has invalid spi for destaddr=<redacted> prot=50 spi=0x4CF4BE5D(1291107933) srcaddr=68.180.160.34
Dec 17 16:38:03: %CRYPTO-4-RECVD_PKT_INV_SPI: decaps: rec'd IPSEC packet has invalid spi for destaddr=<redacted> prot=50 spi=0x4CF4BE5D(1291107933) srcaddr=203.84.212.37
Dec 17 16:28:13: %CRYPTO-4-RECVD_PKT_INV_SPI: decaps: rec'd IPSEC packet has invalid spi for destaddr=<redacted> prot=50 spi=0x4CF4BE5D(1291107933) srcaddr=203.84.212.40
Dec 17 16:24:06: %CRYPTO-4-RECVD_PKT_INV_SPI: decaps: rec'd IPSEC packet has invalid spi for destaddr=<redacted> prot=50 spi=0x4CF4BE5D(1291107933) srcaddr=68.180.160.99
Dec 17 15:14:03: %CRYPTO-4-RECVD_PKT_INV_SPI: decaps: rec'd IPSEC packet has invalid spi for destaddr=<redacted> prot=50 spi=0x4CF4BE5D(1291107933) srcaddr=68.180.160.40
Dec 17 15:06:40: %CRYPTO-4-RECVD_PKT_INV_SPI: decaps: rec'd IPSEC packet has invalid spi for destaddr=<redacted> prot=50 spi=0x4CF4BE5D(1291107933) srcaddr=68.180.160.100
Dec 17 08:57:00: %CRYPTO-4-RECVD_PKT_INV_SPI: decaps: rec'd IPSEC packet has invalid spi for destaddr=<redacted> prot=50 spi=0xEF7ED795(4018067349) srcaddr=68.180.160.23
Dec 17 08:25:36: %CRYPTO-4-RECVD_PKT_INV_SPI: decaps: rec'd IPSEC packet has invalid spi for destaddr=<redacted> prot=50 spi=0xEF7ED795(4018067349) srcaddr=68.180.160.104
Dec 17 08:11:54: %CRYPTO-4-RECVD_PKT_INV_SPI: decaps: rec'd IPSEC packet has invalid spi for destaddr=<redacted> prot=50 spi=0xEF7ED795(4018067349) srcaddr=68.180.160.19
Dec 17 07:22:22: %CRYPTO-4-RECVD_PKT_INV_SPI: decaps: rec'd IPSEC packet has invalid spi for destaddr=<redacted> prot=50 spi=0xEF7ED795(4018067349) srcaddr=203.84.212.55
Dec 17 06:18:55: %CRYPTO-4-RECVD_PKT_INV_SPI: decaps: rec'd IPSEC packet has invalid spi for destaddr=<redacted> prot=50 spi=0xEF7ED795(4018067349) srcaddr=68.180.160.20
Dec 17 06:14:35: %CRYPTO-4-RECVD_PKT_INV_SPI: decaps: rec'd IPSEC packet has invalid spi for destaddr=<redacted> prot=50 spi=0xEF7ED795(4018067349) srcaddr=203.84.212.36
Dec 17 06:13:05: %CRYPTO-4-RECVD_PKT_INV_SPI: decaps: rec'd IPSEC packet has invalid spi for destaddr=<redacted> prot=50 spi=0xEF7ED795(4018067349) srcaddr=203.84.212.17
Dec 17 05:36:24: %CRYPTO-4-RECVD_PKT_INV_SPI: decaps: rec'd IPSEC packet has invalid spi for destaddr=<redacted> prot=50 spi=0xEF7ED795(4018067349) srcaddr=203.84.212.53
Dec 17 01:56:17: %CRYPTO-4-RECVD_PKT_INV_SPI: decaps: rec'd IPSEC packet has invalid spi for destaddr=<redacted> prot=50 spi=0xEF7ED795(4018067349) srcaddr=68.180.160.17
Dec 17 03:27:47: %CRYPTO-4-RECVD_PKT_INV_SPI: decaps: rec'd IPSEC packet has invalid spi for destaddr=<redacted> prot=50 spi=0xEF7ED795(4018067349) srcaddr=203.84.212.34

--
Best regards,
Adrian Minta
On Dec 19, 2020, at 01:19, Frank Bulk <frnkblk@iname.com> wrote:
> Curious if someone can point me in the right direction. In the last three days our core router (Cisco 7609) has logged the following events:
>
> Dec 16 19:04:59.027 CST: %CRYPTO-4-RECVD_PKT_INV_SPI: decaps: rec'd IPSEC packet has invalid spi for destaddr=<redacted>, prot=50, spi=0xEF7ED795(4018067349), srcaddr=68.180.160.18, input interface=Vlan20

It should be noted that attackers will sometimes generate non-TCP/-UDP/-ICMP DDoS attack traffic which is intended to bypass ACLs, firewall rules, etc. which only take the more common protocols into account. They'll often pick ESP (protocol 50), AH (protocol 51), or GRE (protocol 47) in order to try & masquerade the attack traffic as legitimate VPN or tunneled traffic.

And the source IPs of this attack traffic are frequently spoofed, as well.

--------------------------------------------
Roland Dobbins <roland.dobbins@netscout.com>
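A triage script for these messages, added here as an example and not code from the thread, from Cisco or from Yahoo. It parses both layouts of the %CRYPTO-4-RECVD_PKT_INV_SPI line seen above (the 7609's comma-separated form with "input interface=", and the space-separated form without it), groups events by SPI, and maps sources to site codes through the PTR answers Frank posted, embedded as a table so the script runs offline. The labels in triage() and the constructed_flood() generator are assumptions of this example, not a rule from the thread: a single SPI reused by many senders from a couple of prefixes is the pattern of an encryptor fleet sharing one SA, while a spread of one-off SPIs from scattered sources is the shape of the spoofed ESP/AH flood Roland describes, where neither the SPI nor the source address means anything.

```python
"""Triage for Cisco IOS %CRYPTO-4-RECVD_PKT_INV_SPI syslog lines.

Added example, not code from this thread, from Cisco or from Yahoo.  The log
lines and PTR answers embedded below are copied from the thread; the parsing,
the /24 grouping, the labels in triage() and constructed_flood() are assumptions.
"""
import random
import re
from collections import defaultdict
from ipaddress import ip_network

TS_RE = re.compile(r"^([A-Z][a-z]{2}\s+\d{1,2}\s+\d\d:\d\d:\d\d(?:\.\d+)?)")
# Both layouts seen in the thread: comma separated with "input interface="
# (the 7609) and space separated without it (Adrian's router).
MSG_RE = re.compile(
    r"%CRYPTO-4-RECVD_PKT_INV_SPI: decaps: rec'd IPSEC packet has invalid spi for "
    r"destaddr=(?P<dst>\S+?),?\s+prot=(?P<prot>\d+),?\s+"
    r"spi=(?P<spi>0x[0-9A-Fa-f]+)\(\d+\),?\s+srcaddr=(?P<src>[\d.]+)"
    r"(?:,?\s+input interface=(?P<ifc>\S+))?"
)
# Site code is the third label of the PTR names Frank posted, e.g. lo303.cry1.md2.yahoo.com.
HOST_RE = re.compile(r"^lo\d+\.cry\d+\.(\w+)\.yahoo\.com$")
# PTR answers from the thread, embedded in place of a live reverse lookup.
PTR = {
    "68.180.160.18": "lo301.cry1.ne1.yahoo.com", "68.180.160.36": "lo303.cry1.bf1.yahoo.com",
    "68.180.160.100": "lo303.cry1.md2.yahoo.com", "68.180.160.104": "lo303.cry2.md2.yahoo.com",
    "203.84.212.18": "lo301.cry1.sg3.yahoo.com", "203.84.212.36": "lo303.cry1.tw1.yahoo.com",
}


def parse_line(line):
    """Fields of one INV_SPI line as a dict (ifc is None when absent), or None for other lines."""
    m = MSG_RE.search(line)
    if m is None:
        return None
    ev = m.groupdict()
    ts = TS_RE.match(line)
    ev["ts"] = ts.group(1) if ts else None
    ev["prot"] = int(ev["prot"])
    ev["spi"] = int(ev["spi"], 16)
    return ev


def site_of(ip):
    """Site code from the PTR table, or 'unknown' when there is no record."""
    m = HOST_RE.match(PTR.get(ip, ""))
    return m.group(1) if m else "unknown"


def summarize(lines):
    """Group ESP/AH events by SPI: hit count, distinct sources, their /24s, sites, ingress VLANs."""
    per_spi = defaultdict(lambda: {"count": 0, "sources": set(), "prefixes": set(),
                                   "sites": set(), "ifcs": set()})
    for line in lines:
        ev = parse_line(line)
        if ev is None or ev["prot"] not in (50, 51):
            continue
        s = per_spi[ev["spi"]]
        s["count"] += 1
        s["sources"].add(ev["src"])
        s["prefixes"].add(str(ip_network(ev["src"] + "/24", strict=False)))
        s["sites"].add(site_of(ev["src"]))
        if ev["ifc"]:
            s["ifcs"].add(ev["ifc"])
    return dict(per_spi)


def triage(summary, fleet_min_sources=3, fleet_max_prefixes=2):
    """Heuristic labels; thresholds are this example's assumption, not a rule from the thread.
    One SPI reused by several senders from a couple of prefixes: a fleet sharing one SA.
    Many SPIs each seen once from scattered sources: the shape of a spoofed ESP/AH flood."""
    singles = sum(1 for s in summary.values() if s["count"] == 1)
    flood = len(summary) >= 10 and singles * 2 > len(summary)
    per_spi = {}
    for spi, s in summary.items():
        fleet = len(s["sources"]) >= fleet_min_sources and len(s["prefixes"]) <= fleet_max_prefixes
        per_spi[spi] = "shared-sa-fleet" if fleet else "undetermined"
    return {"verdict": "random-spi-flood" if flood else "review-per-spi", "per_spi": per_spi}


def constructed_flood(n, seed=1):
    """Constructed lines imitating a spoofed ESP flood: fresh SPI and fresh RFC 5737 source per packet."""
    rnd = random.Random(seed)
    lines = []
    for i in range(n):
        spi = rnd.getrandbits(32)
        lines.append(f"Dec 19 00:00:{i % 60:02d}: %CRYPTO-4-RECVD_PKT_INV_SPI: decaps: rec'd IPSEC "
                     f"packet has invalid spi for destaddr=192.0.2.1 prot=50 spi=0x{spi:08X}({spi}) "
                     f"srcaddr=203.0.113.{rnd.randrange(1, 255)}")
    return lines


# Lines copied from the thread (7609 layout, then Adrian's), plus one constructed unrelated IOS message.
SAMPLE = [
    "Dec 16 19:04:59.027 CST: %CRYPTO-4-RECVD_PKT_INV_SPI: decaps: rec'd IPSEC packet has invalid spi for destaddr=<redacted>, prot=50, spi=0xEF7ED795(4018067349), srcaddr=68.180.160.18, input interface=Vlan20",
    "Dec 16 20:41:47.822 CST: %CRYPTO-4-RECVD_PKT_INV_SPI: decaps: rec'd IPSEC packet has invalid spi for destaddr=<redacted>, prot=50, spi=0xEF7ED795(4018067349), srcaddr=203.84.212.18, input interface=Vlan20",
    "Dec 16 21:28:12.667 CST: %CRYPTO-4-RECVD_PKT_INV_SPI: decaps: rec'd IPSEC packet has invalid spi for destaddr=<redacted>, prot=50, spi=0xEF7ED795(4018067349), srcaddr=68.180.160.36, input interface=Vlan21",
    "Dec 17 08:54:29.583 CST: %CRYPTO-4-RECVD_PKT_INV_SPI: decaps: rec'd IPSEC packet has invalid spi for destaddr=<redacted>, prot=50, spi=0x4CF4BE5D(1291107933), srcaddr=68.180.160.104, input interface=Vlan21",
    "Dec 17 19:45:29.615 CST: %CRYPTO-4-RECVD_PKT_INV_SPI: decaps: rec'd IPSEC packet has invalid spi for destaddr=<redacted>, prot=50, spi=0x4CF4BE5D(1291107933), srcaddr=203.84.212.36, input interface=Vlan20",
    "Dec 18 07:09:59: %CRYPTO-4-RECVD_PKT_INV_SPI: decaps: rec'd IPSEC packet has invalid spi for destaddr=<redacted> prot=50 spi=0x4CF4BE5D(1291107933) srcaddr=68.180.160.100",
    "Dec 18 05:24:58: %CRYPTO-4-RECVD_PKT_INV_SPI: decaps: rec'd IPSEC packet has invalid spi for destaddr=<redacted> prot=50 spi=0x4CF4BE5D(1291107933) srcaddr=203.84.212.21",
    "Dec 18 01:00:00 CST: %SYS-5-CONFIG_I: Configured from console by vty0",  # constructed, skipped
]
```

To use it against a real export, pass the syslog lines to summarize() and print the result of triage(); on the SAMPLE above both SPIs come back as shared-sa-fleet with sources split across 68.180.160.0/24 and 203.84.212.0/24 and the two ingress VLANs, whereas summarize(constructed_flood(20)) yields twenty one-off SPIs and the random-spi-flood verdict. The thresholds are starting points to tune against your own log volume, and the PTR table stands in for a real reverse lookup; swap in a resolver once you are happy with the grouping.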
In this case, however, what's being seen is simply valid traffic which was most likely erroneously redirected through an internal encryption device. I would hazard a guess the folks involved have already jumped on checking the redirector rules to fix the leakage which allowed external IPs to be passed through the internal encryption pathway.

I helped build the system that's causing those messages, so I have a bit of a guess as to what the issue is. I'm no longer an employee, however, so I can't fix the issue. But in this case, those boxes really aren't trying to attack you--they just aren't supposed to be sending traffic externally like that.

So, it actually is good to speak up about this traffic--because it's a fixable issue, and one that should be addressed at the source.

Thanks!

Matt
#notspeakingofficiallyforanyoneoranything

On Fri, Dec 18, 2020 at 9:05 PM Dobbins, Roland <Roland.Dobbins@netscout.com> wrote:
> It should be noted that attackers will sometimes generate non-TCP/-UDP/-ICMP DDoS attack traffic which is intended to bypass ACLs, firewall rules, etc. which only take the more common protocols into account.
> [...]
Maybe something to do with the shutdown of Yahoo Groups. https://groups.yahoo.com/neo

Frank Whiteley

From: NANOG <nanog-bounces+techzone=greeleynet.com@nanog.org> On Behalf Of Matthew Petach
Sent: Saturday, December 19, 2020 7:04 AM
To: Dobbins, Roland <Roland.Dobbins@netscout.com>
Cc: NANOG <nanog@nanog.org>
Subject: Re: Unexplainable router log entries mentioning IPSEC from Yahoo IPs

> In this case, however, what's being seen is simply valid traffic which was most likely erroneously redirected through an internal encryption device.
> [...]
participants (6)
- Adrian Minta
- Dobbins, Roland
- Frank Bulk
- Matthew Petach
- techzone@greeleynet.com
- Tom Beecher