> Last week somebody on the internet started a campaign to scan and perhaps
> to exploit some zero day ipsec vulnerabilities.

I've seen traffic like this for the better part of at least the last 7 years, fairly consistently. It's definitely not something new.

On Mon, Nov 13, 2023 at 12:42 PM Adrian Minta <[email protected]> wrote:
> On 11/13/23 19:10, Shawn L via NANOG wrote:
> > Is anyone else seeing a lot of 'strange' IPSEC traffic? We started seeing
> > logs of IPSEC with invalid spi on Friday. We're seeing it on pretty much
> > all of our PE routers, none of which are set up to do anything VPN related.
> > Most are just routing local customer traffic.
> >
> > decaps: rec'd IPSEC packet has invalid spi for destaddr=X.X.X.X, prot=50,
> > spi=0x9D2D0000(2636972032), srcaddr=211.112.195.167, input
> > interface=TenGigabitEthernet0/0/11
> >
> > decaps: rec'd IPSEC packet has invalid spi for destaddr=Y.Y.Y.Y, prot=50,
> > spi=0x14690000(342425600), srcaddr=74.116.56.244, input
> > interface=TenGigabitEthernet0/0/5
> >
> > The destination address is always one of our customer's ip addresses. The
> > source seems to be all over the place, mostly Russia, Korea, China or
> > Southeast Asia. It's not really impacting anything at the moment, just rather
> > annoying.
> >
> > Thanks
> >
> > Shawn
>
> Hi Shawn,
>
> we saw a lot of syslog messages like these and the targets are cisco
> devices, some of which, according to the data sheets, are not even capable
> of ipsec.
>
> Cisco is punting some ESP traffic to control plane on ios and ios-xe
> devices, regardless of the configuration.
>
> Last week somebody on the internet started a campaign to scan and perhaps
> to exploit some zero day ipsec vulnerabilities.
>
> This is the list of ip addresses we saw: https://pastebin.com/vrLRai9Q
>
> --
> Best regards,
> Adrian Minta
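Added example, not part of the thread: a small Python parser for the Cisco "invalid spi" decaps messages quoted above that groups events per source address and flags sources sweeping several distinct destinations, so this noise can be triaged from syslog rather than eyeballed. The sample log is constructed from the two quoted lines plus two made-up ones using documentation address ranges.

```python
import re
from collections import defaultdict

# Regex for the Cisco "invalid spi" decaps message quoted in the thread; destaddr
# is matched loosely ([^,]+) so redacted values like X.X.X.X still parse.
INVALID_SPI_RE = re.compile(
    r"rec'd IPSEC packet has invalid spi for destaddr=(?P<dst>[^,]+), "
    r"prot=(?P<prot>\d+), spi=0x(?P<spi>[0-9A-Fa-f]+)\(\d+\), "
    r"srcaddr=(?P<src>[^,]+), input interface=(?P<ifc>\S+)"
)

def parse_invalid_spi(line):
    """Return the fields of one log line as a dict, or None if it does not match."""
    m = INVALID_SPI_RE.search(line)
    if not m:
        return None
    d = m.groupdict()
    d["spi"], d["prot"] = int(d["spi"], 16), int(d["prot"])
    return d

def summarize(lines, min_targets=2):
    """Per-source counts; 'sweep' marks sources hitting >= min_targets distinct destinations."""
    per_src = defaultdict(lambda: {"count": 0, "dsts": set(), "spis": set()})
    for line in lines:
        ev = parse_invalid_spi(line)
        if ev is None or ev["prot"] != 50:  # keep only ESP (protocol 50) decaps failures
            continue
        s = per_src[ev["src"]]
        s["count"] += 1
        s["dsts"].add(ev["dst"])
        s["spis"].add(ev["spi"])
    # low16_zero: both SPIs quoted in the thread have zero low 16 bits; report whether
    # every SPI seen from a source shares that shape (a feature to eyeball, not a verdict)
    return {src: {"count": s["count"], "targets": len(s["dsts"]),
                  "sweep": len(s["dsts"]) >= min_targets,
                  "low16_zero": all(spi & 0xFFFF == 0 for spi in s["spis"])}
            for src, s in per_src.items()}

# Constructed sample: the two lines quoted in the thread plus two made-up lines
# (203.0.113.9 and 198.51.100.x are documentation ranges, not real hosts).
SAMPLE_LOG = """\
decaps: rec'd IPSEC packet has invalid spi for destaddr=X.X.X.X, prot=50, spi=0x9D2D0000(2636972032), srcaddr=211.112.195.167, input interface=TenGigabitEthernet0/0/11
decaps: rec'd IPSEC packet has invalid spi for destaddr=Y.Y.Y.Y, prot=50, spi=0x14690000(342425600), srcaddr=74.116.56.244, input interface=TenGigabitEthernet0/0/5
decaps: rec'd IPSEC packet has invalid spi for destaddr=198.51.100.7, prot=50, spi=0x9D2D0000(2636972032), srcaddr=211.112.195.167, input interface=TenGigabitEthernet0/0/11
decaps: rec'd IPSEC packet has invalid spi for destaddr=198.51.100.9, prot=50, spi=0x0000ABCD(43981), srcaddr=203.0.113.9, input interface=TenGigabitEthernet0/0/5
"""

if __name__ == "__main__":
    for src, r in summarize(SAMPLE_LOG.splitlines()).items():
        print(src, r)
```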

