RE: Unexplainable router log entries mentioning IPSEC from Yahoo IPs

2020-12-19 Thread techzone
Maybe something to do with the shutdown of Yahoo Groups.

https://groups.yahoo.com/neo

Frank Whiteley

From: NANOG On Behalf Of Matthew Petach
Sent: Saturday, December 19, 2020 7:04 AM
To: Dobbins, Roland 
Cc: NANOG 
Subject: Re: Unexplainable router log entries mentioning IPSEC from Yahoo IPs

In this case, however, what's being seen is simply valid traffic
which was most likely erroneously redirected through an
internal encryption device.

I would hazard a guess the folks involved have already jumped
on checking the redirector rules to fix the leakage which allowed
external IPs to be passed through the internal encryption pathway.

I helped build the system that's causing those messages, so I have
a bit of a guess as to what the issue is.  I'm no longer an employee,
however, so I can't fix the issue.  But in this case, those boxes really
aren't trying to attack you--they just aren't supposed to be sending
traffic externally like that.

So, it actually is good to speak up about this traffic--because it's a fixable
issue, and one that should be addressed at the source.

Thanks!

Matt
#notspeakingofficiallyforanyoneoranything

On Fri, Dec 18, 2020 at 9:05 PM Dobbins, Roland <roland.dobb...@netscout.com> wrote:

On Dec 19, 2020, at 01:19, Frank Bulk <frnk...@iname.com> wrote:

Curious if someone can point me in the right direction. In the last three
days our core router (Cisco 7609) has logged the following events:

Dec 16 19:04:59.027 CST: %CRYPTO-4-RECVD_PKT_INV_SPI: decaps: rec'd IPSEC
packet has invalid spi for destaddr=, prot=50,
spi=0xEF7ED795(4018067349), srcaddr=68.180.160.18, input interface=Vlan20

It should be noted that attackers will sometimes generate non-TCP/-UDP/-ICMP
DDoS attack traffic which is intended to bypass ACLs, firewall rules, etc.
which only take the more common protocols into account. They'll often pick ESP
(protocol 50), AH (protocol 51), or GRE (protocol 47) in order to try &
masquerade the attack traffic as legitimate VPN or tunneled traffic.

And the source IPs of this attack traffic are frequently spoofed, as well.

Roland Dobbins <roland.dobb...@netscout.com>

Re: Unexplainable router log entries mentioning IPSEC from Yahoo IPs

2020-12-19 Thread Matthew Petach
In this case, however, what's being seen is simply valid traffic
which was most likely erroneously redirected through an
internal encryption device.

I would hazard a guess the folks involved have already jumped
on checking the redirector rules to fix the leakage which allowed
external IPs to be passed through the internal encryption pathway.

I helped build the system that's causing those messages, so I have
a bit of a guess as to what the issue is.  I'm no longer an employee,
however, so I can't fix the issue.  But in this case, those boxes really
aren't trying to attack you--they just aren't supposed to be sending
traffic externally like that.

So, it actually is good to speak up about this traffic--because it's a
fixable issue, and one that should be addressed at the source.

Thanks!

Matt
#notspeakingofficiallyforanyoneoranything


On Fri, Dec 18, 2020 at 9:05 PM Dobbins, Roland wrote:

>
>
> On Dec 19, 2020, at 01:19, Frank Bulk  wrote:
>
> Curious if someone can point me in the right direction. In the last three
> days our core router (Cisco 7609) has logged the following events:
>
> Dec 16 19:04:59.027 CST: %CRYPTO-4-RECVD_PKT_INV_SPI: decaps: rec'd IPSEC
> packet has invalid spi for destaddr=, prot=50,
> spi=0xEF7ED795(4018067349), srcaddr=68.180.160.18, input interface=Vlan20
>
>
> It should be noted that attackers will sometimes generate
> non-TCP/-UDP/-ICMP DDoS attack traffic which is intended to bypass ACLs,
> firewall rules, etc. which only take the more common protocols into
> account. They'll often pick ESP (protocol 50), AH (protocol 51), or GRE
> (protocol 47) in order to try & masquerade the attack traffic as legitimate
> VPN or tunneled traffic.
>
> And the source IPs of this attack traffic are frequently spoofed, as well.
>
> 
>
> Roland Dobbins 
>
>
>


Re: Unexplainable router log entries mentioning IPSEC from Yahoo IPs

2020-12-18 Thread Dobbins, Roland


On Dec 19, 2020, at 01:19, Frank Bulk  wrote:

Curious if someone can point me in the right direction. In the last three
days our core router (Cisco 7609) has logged the following events:

Dec 16 19:04:59.027 CST: %CRYPTO-4-RECVD_PKT_INV_SPI: decaps: rec'd IPSEC
packet has invalid spi for destaddr=, prot=50,
spi=0xEF7ED795(4018067349), srcaddr=68.180.160.18, input interface=Vlan20

It should be noted that attackers will sometimes generate non-TCP/-UDP/-ICMP 
DDoS attack traffic which is intended to bypass ACLs, firewall rules, etc. 
which only take the more common protocols into account. They'll often pick ESP 
(protocol 50), AH (protocol 51), or GRE (protocol 47) in order to try & 
masquerade the attack traffic as legitimate VPN or tunneled traffic.

And the source IPs of this attack traffic are frequently spoofed, as well.




Roland Dobbins 




Re: Unexplainable router log entries mentioning IPSEC from Yahoo IPs

2020-12-18 Thread Adrian Minta

Yes, we saw them as well:

Dec 18 10:02:00: %CRYPTO-4-RECVD_PKT_INV_SPI: decaps: rec'd IPSEC packet has invalid spi for destaddr= prot=50 spi=0x4CF4BE5D(1291107933) srcaddr=68.180.160.102
Dec 18 08:55:18: %CRYPTO-4-RECVD_PKT_INV_SPI: decaps: rec'd IPSEC packet has invalid spi for destaddr= prot=50 spi=0x4CF4BE5D(1291107933) srcaddr=68.180.160.2
Dec 18 08:05:30: %CRYPTO-4-RECVD_PKT_INV_SPI: decaps: rec'd IPSEC packet has invalid spi for destaddr= prot=50 spi=0x4CF4BE5D(1291107933) srcaddr=68.180.160.4
Dec 18 07:47:35: %CRYPTO-4-RECVD_PKT_INV_SPI: decaps: rec'd IPSEC packet has invalid spi for destaddr= prot=50 spi=0x4CF4BE5D(1291107933) srcaddr=68.180.160.19
Dec 18 07:15:34: %CRYPTO-4-RECVD_PKT_INV_SPI: decaps: rec'd IPSEC packet has invalid spi for destaddr= prot=50 spi=0x4CF4BE5D(1291107933) srcaddr=68.180.160.38
Dec 18 07:09:59: %CRYPTO-4-RECVD_PKT_INV_SPI: decaps: rec'd IPSEC packet has invalid spi for destaddr= prot=50 spi=0x4CF4BE5D(1291107933) srcaddr=68.180.160.100
Dec 18 06:54:57: %CRYPTO-4-RECVD_PKT_INV_SPI: decaps: rec'd IPSEC packet has invalid spi for destaddr= prot=50 spi=0x4CF4BE5D(1291107933) srcaddr=68.180.160.22
Dec 18 06:46:54: %CRYPTO-4-RECVD_PKT_INV_SPI: decaps: rec'd IPSEC packet has invalid spi for destaddr= prot=50 spi=0x4CF4BE5D(1291107933) srcaddr=68.180.160.17
Dec 18 06:38:24: %CRYPTO-4-RECVD_PKT_INV_SPI: decaps: rec'd IPSEC packet has invalid spi for destaddr= prot=50 spi=0x4CF4BE5D(1291107933) srcaddr=203.84.212.35
Dec 18 06:11:09: %CRYPTO-4-RECVD_PKT_INV_SPI: decaps: rec'd IPSEC packet has invalid spi for destaddr= prot=50 spi=0x4CF4BE5D(1291107933) srcaddr=68.180.160.101
Dec 18 05:50:20: %CRYPTO-4-RECVD_PKT_INV_SPI: decaps: rec'd IPSEC packet has invalid spi for destaddr= prot=50 spi=0x4CF4BE5D(1291107933) srcaddr=68.180.160.35
Dec 18 05:49:23: %CRYPTO-4-RECVD_PKT_INV_SPI: decaps: rec'd IPSEC packet has invalid spi for destaddr= prot=50 spi=0x4CF4BE5D(1291107933) srcaddr=68.180.160.7
Dec 18 05:42:18: %CRYPTO-4-RECVD_PKT_INV_SPI: decaps: rec'd IPSEC packet has invalid spi for destaddr= prot=50 spi=0x4CF4BE5D(1291107933) srcaddr=68.180.160.33
Dec 18 05:30:41: %CRYPTO-4-RECVD_PKT_INV_SPI: decaps: rec'd IPSEC packet has invalid spi for destaddr= prot=50 spi=0x4CF4BE5D(1291107933) srcaddr=68.180.160.8
Dec 18 05:24:58: %CRYPTO-4-RECVD_PKT_INV_SPI: decaps: rec'd IPSEC packet has invalid spi for destaddr= prot=50 spi=0x4CF4BE5D(1291107933) srcaddr=203.84.212.21
Dec 18 03:19:04: %CRYPTO-4-RECVD_PKT_INV_SPI: decaps: rec'd IPSEC packet has invalid spi for destaddr= prot=50 spi=0x4CF4BE5D(1291107933) srcaddr=68.180.160.18
Dec 18 05:11:08: %CRYPTO-4-RECVD_PKT_INV_SPI: decaps: rec'd IPSEC packet has invalid spi for destaddr= prot=50 spi=0x4CF4BE5D(1291107933) srcaddr=68.180.160.8
Dec 18 05:09:08: %CRYPTO-4-RECVD_PKT_INV_SPI: decaps: rec'd IPSEC packet has invalid spi for destaddr= prot=50 spi=0x4CF4BE5D(1291107933) srcaddr=68.180.160.33
Dec 18 04:59:50: %CRYPTO-4-RECVD_PKT_INV_SPI: decaps: rec'd IPSEC packet has invalid spi for destaddr= prot=50 spi=0x4CF4BE5D(1291107933) srcaddr=203.84.212.49
Dec 18 04:49:09: %CRYPTO-4-RECVD_PKT_INV_SPI: decaps: rec'd IPSEC packet has invalid spi for destaddr= prot=50 spi=0x4CF4BE5D(1291107933) srcaddr=203.84.212.35
Dec 18 04:28:32: %CRYPTO-4-RECVD_PKT_INV_SPI: decaps: rec'd IPSEC packet has invalid spi for destaddr= prot=50 spi=0x4CF4BE5D(1291107933) srcaddr=203.84.212.52
Dec 18 02:23:25: %CRYPTO-4-RECVD_PKT_INV_SPI: decaps: rec'd IPSEC packet has invalid spi for destaddr= prot=50 spi=0x4CF4BE5D(1291107933) srcaddr=68.180.160.101
Dec 18 04:10:48: %CRYPTO-4-RECVD_PKT_INV_SPI: decaps: rec'd IPSEC packet has invalid spi for destaddr= prot=50 spi=0x4CF4BE5D(1291107933) srcaddr=68.180.160.38
Dec 18 03:13:41: %CRYPTO-4-RECVD_PKT_INV_SPI: decaps: rec'd IPSEC packet has invalid spi for destaddr= prot=50 spi=0x4CF4BE5D(1291107933) srcaddr=203.84.212.36
Dec 18 02:53:18: %CRYPTO-4-RECVD_PKT_INV_SPI: decaps: rec'd IPSEC packet has invalid spi for destaddr= prot=50 spi=0x4CF4BE5D(1291107933)

Re: Unexplainable router log entries mentioning IPSEC from Yahoo IPs

2020-12-18 Thread Tom Beecher
Frank-

I'll contact you directly about this.

On Fri, Dec 18, 2020 at 1:20 PM Frank Bulk  wrote:

> Curious if someone can point me in the right direction. In the last three
> days our core router (Cisco 7609) has logged the following events:
>
> Dec 16 19:04:59.027 CST: %CRYPTO-4-RECVD_PKT_INV_SPI: decaps: rec'd IPSEC
> packet has invalid spi for destaddr=, prot=50,
> spi=0xEF7ED795(4018067349), srcaddr=68.180.160.18, input interface=Vlan20
> Dec 16 20:41:47.822 CST: %CRYPTO-4-RECVD_PKT_INV_SPI: decaps: rec'd IPSEC
> packet has invalid spi for destaddr=, prot=50,
> spi=0xEF7ED795(4018067349), srcaddr=203.84.212.18, input interface=Vlan20
> Dec 16 21:28:12.667 CST: %CRYPTO-4-RECVD_PKT_INV_SPI: decaps: rec'd IPSEC
> packet has invalid spi for destaddr=, prot=50,
> spi=0xEF7ED795(4018067349), srcaddr=68.180.160.36, input interface=Vlan21
> Dec 16 22:22:40.558 CST: %CRYPTO-4-RECVD_PKT_INV_SPI: decaps: rec'd IPSEC
> packet has invalid spi for destaddr=, prot=50,
> spi=0xEF7ED795(4018067349), srcaddr=68.180.160.104, input interface=Vlan21
> Dec 16 22:42:17.404 CST: %CRYPTO-4-RECVD_PKT_INV_SPI: decaps: rec'd IPSEC
> packet has invalid spi for destaddr=, prot=50,
> spi=0xEF7ED795(4018067349), srcaddr=68.180.160.104, input interface=Vlan20
> Dec 17 00:04:34.704 CST: %CRYPTO-4-RECVD_PKT_INV_SPI: decaps: rec'd IPSEC
> packet has invalid spi for destaddr=, prot=50,
> spi=0xEF7ED795(4018067349), srcaddr=68.180.160.34, input interface=Vlan21
> Dec 17 00:05:41.656 CST: %CRYPTO-4-RECVD_PKT_INV_SPI: decaps: rec'd IPSEC
> packet has invalid spi for destaddr=, prot=50,
> spi=0xEF7ED795(4018067349), srcaddr=68.180.160.103, input interface=Vlan20
> Dec 17 08:54:29.583 CST: %CRYPTO-4-RECVD_PKT_INV_SPI: decaps: rec'd IPSEC
> packet has invalid spi for destaddr=, prot=50,
> spi=0x4CF4BE5D(1291107933), srcaddr=68.180.160.104, input interface=Vlan21
> Dec 17 09:20:31.881 CST: %CRYPTO-4-RECVD_PKT_INV_SPI: decaps: rec'd IPSEC
> packet has invalid spi for destaddr=, prot=50,
> spi=0x4CF4BE5D(1291107933), srcaddr=68.180.160.37, input interface=Vlan21
> Dec 17 19:45:29.615 CST: %CRYPTO-4-RECVD_PKT_INV_SPI: decaps: rec'd IPSEC
> packet has invalid spi for destaddr=, prot=50,
> spi=0x4CF4BE5D(1291107933), srcaddr=203.84.212.36, input interface=Vlan20
> Dec 17 19:59:52.663 CST: %CRYPTO-4-RECVD_PKT_INV_SPI: decaps: rec'd IPSEC
> packet has invalid spi for destaddr=, prot=50,
> spi=0x4CF4BE5D(1291107933), srcaddr=203.84.212.24, input interface=Vlan20
> Dec 17 23:20:02.869 CST: %CRYPTO-4-RECVD_PKT_INV_SPI: decaps: rec'd IPSEC
> packet has invalid spi for destaddr=, prot=50,
> spi=0x4CF4BE5D(1291107933), srcaddr=68.180.160.99, input interface=Vlan21
> Dec 18 00:15:19.536 CST: %CRYPTO-4-RECVD_PKT_INV_SPI: decaps: rec'd IPSEC
> packet has invalid spi for destaddr=, prot=50,
> spi=0x4CF4BE5D(1291107933), srcaddr=203.84.212.53, input interface=Vlan21
> Dec 18 00:43:00.158 CST: %CRYPTO-4-RECVD_PKT_INV_SPI: decaps: rec'd IPSEC
> packet has invalid spi for destaddr=, prot=50,
> spi=0x4CF4BE5D(1291107933), srcaddr=68.180.160.101, input interface=Vlan20
> Dec 18 00:44:52.018 CST: %CRYPTO-4-RECVD_PKT_INV_SPI: decaps: rec'd IPSEC
> packet has invalid spi for destaddr=, prot=50,
> spi=0x4CF4BE5D(1291107933), srcaddr=68.180.160.100, input interface=Vlan21
>
>
> All the destination IP addresses are in one of two categories:
> - router interface
> - inactive IP (no ARP entry)
>
> Vlans 20 and 21 are the Vlans facing our two edge/border routers.
>
> If I do a PTR lookup of each source IP, they're all some kind of
> cryptographic server in Yahoo's network:
>
> 203.84.212.18|18.212.84.203.in-addr.arpa domain name pointer
> lo301.cry1.sg3.yahoo.com.
> 203.84.212.24|24.212.84.203.in-addr.arpa domain name pointer
> lo303.cry2.sg3.yahoo.com.
> 203.84.212.36|36.212.84.203.in-addr.arpa domain name pointer
> lo303.cry1.tw1.yahoo.com.
> 203.84.212.53|53.212.84.203.in-addr.arpa domain name pointer
> lo300.cry2.tp2.yahoo.com.
> 68.180.160.100|100.160.180.68.in-addr.arpa domain name pointer
> lo303.cry1.md2.yahoo.com.
> 68.180.160.101|101.160.180.68.in-addr.arpa domain name pointer
> lo300.cry2.md2.yahoo.com.
> 68.180.160.103|103.160.180.68.in-addr.arpa domain name pointer
> lo302.cry2.md2.yahoo.com.
> 68.180.160.104|104.160.180.68.in-addr.arpa domain name pointer
> lo303.cry2.md2.yahoo.com.
> 68.180.160.18|18.160.180.68.in-addr.arpa domain name pointer
> lo301.cry1.ne1.yahoo.com.
> 68.180.160.34|34.160.180.68.in-addr.arpa domain name pointer
> lo301.cry1.bf1.yahoo.com.
> 68.180.160.36|36.160.180.68.in-addr.arpa domain name pointer
> lo303.cry1.bf1.yahoo.com.
> 68.180.160.37|37.160.180.68.in-addr.arpa domain name pointer
> lo300.cry2.bf1.yahoo.com.
> 68.180.160.99|99.160.180.68.in-addr.arpa domain name pointer
> lo302.cry1.md2.yahoo.com.
>
> Any idea what's going on here?  It's as if our 7600 is inspecting this
> traffic (presumably because it's not transit, it's being processed by the
> CPU) and seeing something special about it. Even if the router is not
> behaving 

Unexplainable router log entries mentioning IPSEC from Yahoo IPs

2020-12-18 Thread Frank Bulk
Curious if someone can point me in the right direction. In the last three
days our core router (Cisco 7609) has logged the following events:

Dec 16 19:04:59.027 CST: %CRYPTO-4-RECVD_PKT_INV_SPI: decaps: rec'd IPSEC
packet has invalid spi for destaddr=, prot=50,
spi=0xEF7ED795(4018067349), srcaddr=68.180.160.18, input interface=Vlan20
Dec 16 20:41:47.822 CST: %CRYPTO-4-RECVD_PKT_INV_SPI: decaps: rec'd IPSEC
packet has invalid spi for destaddr=, prot=50,
spi=0xEF7ED795(4018067349), srcaddr=203.84.212.18, input interface=Vlan20
Dec 16 21:28:12.667 CST: %CRYPTO-4-RECVD_PKT_INV_SPI: decaps: rec'd IPSEC
packet has invalid spi for destaddr=, prot=50,
spi=0xEF7ED795(4018067349), srcaddr=68.180.160.36, input interface=Vlan21
Dec 16 22:22:40.558 CST: %CRYPTO-4-RECVD_PKT_INV_SPI: decaps: rec'd IPSEC
packet has invalid spi for destaddr=, prot=50,
spi=0xEF7ED795(4018067349), srcaddr=68.180.160.104, input interface=Vlan21
Dec 16 22:42:17.404 CST: %CRYPTO-4-RECVD_PKT_INV_SPI: decaps: rec'd IPSEC
packet has invalid spi for destaddr=, prot=50,
spi=0xEF7ED795(4018067349), srcaddr=68.180.160.104, input interface=Vlan20
Dec 17 00:04:34.704 CST: %CRYPTO-4-RECVD_PKT_INV_SPI: decaps: rec'd IPSEC
packet has invalid spi for destaddr=, prot=50,
spi=0xEF7ED795(4018067349), srcaddr=68.180.160.34, input interface=Vlan21
Dec 17 00:05:41.656 CST: %CRYPTO-4-RECVD_PKT_INV_SPI: decaps: rec'd IPSEC
packet has invalid spi for destaddr=, prot=50,
spi=0xEF7ED795(4018067349), srcaddr=68.180.160.103, input interface=Vlan20
Dec 17 08:54:29.583 CST: %CRYPTO-4-RECVD_PKT_INV_SPI: decaps: rec'd IPSEC
packet has invalid spi for destaddr=, prot=50,
spi=0x4CF4BE5D(1291107933), srcaddr=68.180.160.104, input interface=Vlan21
Dec 17 09:20:31.881 CST: %CRYPTO-4-RECVD_PKT_INV_SPI: decaps: rec'd IPSEC
packet has invalid spi for destaddr=, prot=50,
spi=0x4CF4BE5D(1291107933), srcaddr=68.180.160.37, input interface=Vlan21
Dec 17 19:45:29.615 CST: %CRYPTO-4-RECVD_PKT_INV_SPI: decaps: rec'd IPSEC
packet has invalid spi for destaddr=, prot=50,
spi=0x4CF4BE5D(1291107933), srcaddr=203.84.212.36, input interface=Vlan20
Dec 17 19:59:52.663 CST: %CRYPTO-4-RECVD_PKT_INV_SPI: decaps: rec'd IPSEC
packet has invalid spi for destaddr=, prot=50,
spi=0x4CF4BE5D(1291107933), srcaddr=203.84.212.24, input interface=Vlan20
Dec 17 23:20:02.869 CST: %CRYPTO-4-RECVD_PKT_INV_SPI: decaps: rec'd IPSEC
packet has invalid spi for destaddr=, prot=50,
spi=0x4CF4BE5D(1291107933), srcaddr=68.180.160.99, input interface=Vlan21
Dec 18 00:15:19.536 CST: %CRYPTO-4-RECVD_PKT_INV_SPI: decaps: rec'd IPSEC
packet has invalid spi for destaddr=, prot=50,
spi=0x4CF4BE5D(1291107933), srcaddr=203.84.212.53, input interface=Vlan21
Dec 18 00:43:00.158 CST: %CRYPTO-4-RECVD_PKT_INV_SPI: decaps: rec'd IPSEC
packet has invalid spi for destaddr=, prot=50,
spi=0x4CF4BE5D(1291107933), srcaddr=68.180.160.101, input interface=Vlan20
Dec 18 00:44:52.018 CST: %CRYPTO-4-RECVD_PKT_INV_SPI: decaps: rec'd IPSEC
packet has invalid spi for destaddr=, prot=50,
spi=0x4CF4BE5D(1291107933), srcaddr=68.180.160.100, input interface=Vlan21


All the destination IP addresses are in one of two categories:
- router interface
- inactive IP (no ARP entry)

Vlans 20 and 21 are the Vlans facing our two edge/border routers.

If I do a PTR lookup of each source IP, they're all some kind of
cryptographic server in Yahoo's network:

203.84.212.18|18.212.84.203.in-addr.arpa domain name pointer
lo301.cry1.sg3.yahoo.com.
203.84.212.24|24.212.84.203.in-addr.arpa domain name pointer
lo303.cry2.sg3.yahoo.com.
203.84.212.36|36.212.84.203.in-addr.arpa domain name pointer
lo303.cry1.tw1.yahoo.com.
203.84.212.53|53.212.84.203.in-addr.arpa domain name pointer
lo300.cry2.tp2.yahoo.com.
68.180.160.100|100.160.180.68.in-addr.arpa domain name pointer
lo303.cry1.md2.yahoo.com.
68.180.160.101|101.160.180.68.in-addr.arpa domain name pointer
lo300.cry2.md2.yahoo.com.
68.180.160.103|103.160.180.68.in-addr.arpa domain name pointer
lo302.cry2.md2.yahoo.com.
68.180.160.104|104.160.180.68.in-addr.arpa domain name pointer
lo303.cry2.md2.yahoo.com.
68.180.160.18|18.160.180.68.in-addr.arpa domain name pointer
lo301.cry1.ne1.yahoo.com.
68.180.160.34|34.160.180.68.in-addr.arpa domain name pointer
lo301.cry1.bf1.yahoo.com.
68.180.160.36|36.160.180.68.in-addr.arpa domain name pointer
lo303.cry1.bf1.yahoo.com.
68.180.160.37|37.160.180.68.in-addr.arpa domain name pointer
lo300.cry2.bf1.yahoo.com.
68.180.160.99|99.160.180.68.in-addr.arpa domain name pointer
lo302.cry1.md2.yahoo.com.

Any idea what's going on here?  It's as if our 7600 is inspecting this
traffic (presumably because it's not transit, it's being processed by the
CPU) and seeing something special about it. Even if the router is not
behaving correctly, why is Yahoo sending that kind of traffic to those IPs?

Frank
AS53347
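
A triage sketch for the messages quoted in this thread, added here as an example and not code from any poster: it parses %CRYPTO-4-RECVD_PKT_INV_SPI lines and groups them by SPI, so SPI reuse across sources, source prefixes and input interfaces can be read off directly, and it builds the in-addr.arpa names for the PTR lookups. The function names and the /24 grouping are assumptions of this example; the sample lines are copied from the posts above, plus one constructed unrelated line.

```python
import ipaddress
import re
from collections import defaultdict

# Log lines quoted in the thread, rejoined onto one line each (destaddr is blank
# in the posts). Line 7 is the comma-less variant from the second report; the
# last line is a constructed, unrelated entry that the parser must skip.
SAMPLE_LOG = """\
Dec 16 19:04:59.027 CST: %CRYPTO-4-RECVD_PKT_INV_SPI: decaps: rec'd IPSEC packet has invalid spi for destaddr=, prot=50, spi=0xEF7ED795(4018067349), srcaddr=68.180.160.18, input interface=Vlan20
Dec 16 20:41:47.822 CST: %CRYPTO-4-RECVD_PKT_INV_SPI: decaps: rec'd IPSEC packet has invalid spi for destaddr=, prot=50, spi=0xEF7ED795(4018067349), srcaddr=203.84.212.18, input interface=Vlan20
Dec 16 22:22:40.558 CST: %CRYPTO-4-RECVD_PKT_INV_SPI: decaps: rec'd IPSEC packet has invalid spi for destaddr=, prot=50, spi=0xEF7ED795(4018067349), srcaddr=68.180.160.104, input interface=Vlan21
Dec 16 22:42:17.404 CST: %CRYPTO-4-RECVD_PKT_INV_SPI: decaps: rec'd IPSEC packet has invalid spi for destaddr=, prot=50, spi=0xEF7ED795(4018067349), srcaddr=68.180.160.104, input interface=Vlan20
Dec 17 08:54:29.583 CST: %CRYPTO-4-RECVD_PKT_INV_SPI: decaps: rec'd IPSEC packet has invalid spi for destaddr=, prot=50, spi=0x4CF4BE5D(1291107933), srcaddr=68.180.160.104, input interface=Vlan21
Dec 17 19:45:29.615 CST: %CRYPTO-4-RECVD_PKT_INV_SPI: decaps: rec'd IPSEC packet has invalid spi for destaddr=, prot=50, spi=0x4CF4BE5D(1291107933), srcaddr=203.84.212.36, input interface=Vlan20
Dec 18 10:02:00: %CRYPTO-4-RECVD_PKT_INV_SPI: decaps: rec'd IPSEC packet has invalid spi for destaddr= prot=50 spi=0x4CF4BE5D(1291107933) srcaddr=68.180.160.102
Dec 18 10:05:00: %LINK-3-UPDOWN: Interface Vlan99, changed state to up
"""

INV_SPI = re.compile(
    r"%CRYPTO-4-RECVD_PKT_INV_SPI:.*?destaddr=(?P<dst>[\d.]*),?\s+"
    r"prot=(?P<prot>\d+),?\s+spi=(?P<spi>0x[0-9A-Fa-f]+)\((?P<dec>\d+)\),?\s+"
    r"srcaddr=(?P<src>[\d.]+)(?:,\s*input interface=(?P<ifc>\S+))?"
)


def parse_events(text):
    """Yield a dict per invalid-SPI message; unrelated or mangled lines are skipped."""
    for line in text.splitlines():
        m = INV_SPI.search(line)
        # The router prints the SPI in hex and decimal; the two must agree.
        if m and int(m["spi"], 16) == int(m["dec"]):
            yield {"spi": f"0x{int(m['spi'], 16):08X}", "prot": int(m["prot"]),
                   "src": m["src"], "dst": m["dst"] or None, "ifc": m["ifc"]}


def summarize(events):
    """Group by SPI: event count, distinct sources, source /24s, input interfaces."""
    out = defaultdict(lambda: {"events": 0, "sources": set(), "nets": set(), "ifaces": set()})
    for ev in events:
        row = out[ev["spi"]]
        row["events"] += 1
        row["sources"].add(ev["src"])
        row["nets"].add(str(ipaddress.ip_network(ev["src"] + "/24", strict=False)))
        if ev["ifc"]:
            row["ifaces"].add(ev["ifc"])
    return dict(out)


def ptr_names(sources):
    """in-addr.arpa names to query for each source, as in the PTR lookups above."""
    return sorted(ipaddress.ip_address(s).reverse_pointer for s in sources)


if __name__ == "__main__":
    for spi, row in summarize(parse_events(SAMPLE_LOG)).items():
        print(spi, row["events"], "events from", len(row["sources"]), "sources in",
              sorted(row["nets"]), "via", sorted(row["ifaces"]))
        for name in ptr_names(row["sources"]):
            print("   PTR query:", name)
```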