[Openswan Users] Are these intrusion attempts?

Paul Wouters paul at xelerance.com
Fri Jun 4 11:22:48 EDT 2010


On Thu, 3 Jun 2010, Nick Howitt wrote:

> I've just noticed all these messages in my /var/log/secure:

> May 31 02:05:18 server pluto[17050]: packet from 76.104.163.12:500: ignoring Vendor ID payload [MS-MamieExists]

Do you know that IP from anything? I assume not?

> May 31 02:05:18 server pluto[17050]: packet from 76.104.163.12:500: af+type of ISAKMP Oakley attribute has an unknown value: 16384
> May 31 02:05:18 server pluto[17050]: packet from 76.104.163.12:500: next payload type of ISAKMP Message has an unknown value: 133

ISAKMP Oakley attribute 16384 is reserved for private use. It might be a custom implementation, a test implementation,
or a bug.

It seems unlikely this is an attack, but it could be possible I guess. IKE is very hard to attack as it starts out doing
crypto. The pluto daemon tries extremely hard to verify data structures and discards packets that fail the RFC specs.

Paul
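
Added example, not part of the original message and not Openswan code: a Python script that groups pluto's "unknown value" complaints by source address and labels each value by the number range it falls in (RFC 2409 Appendix A for Oakley attribute classes, RFC 2408 section 3.1 for next payload types). The function names are this example's own, and the last sample line, with its 192.0.2.1 address, is constructed.

```python
import re
from collections import defaultdict

# The first three lines are the log lines quoted in the message above;
# the last line is constructed and uses a documentation address (RFC 5737).
SAMPLE_LOG = """\
May 31 02:05:18 server pluto[17050]: packet from 76.104.163.12:500: ignoring Vendor ID payload [MS-MamieExists]
May 31 02:05:18 server pluto[17050]: packet from 76.104.163.12:500: af+type of ISAKMP Oakley attribute has an unknown value: 16384
May 31 02:05:18 server pluto[17050]: packet from 76.104.163.12:500: next payload type of ISAKMP Message has an unknown value: 133
May 31 02:07:41 server pluto[17050]: packet from 192.0.2.1:500: af+type of ISAKMP Oakley attribute has an unknown value: 32800
"""

LINE_RE = re.compile(r"pluto\[\d+\]: packet from ([\d.]+):\d+: (.*)$")
UNKNOWN_RE = re.compile(r"(af\+type of ISAKMP Oakley attribute|next payload type of ISAKMP Message) has an unknown value: (\d+)$")

def classify_attribute(value):
    """Split af+type: the top bit is the AF flag, the low 15 bits the attribute class."""
    af, attr = (value >> 15) & 1, value & 0x7FFF
    if 1 <= attr <= 16:
        rng = "defined in RFC 2409"
    elif 17 <= attr <= 16383:
        rng = "reserved to IANA"
    else:
        rng = "private use" if attr >= 16384 else "undefined"
    return {"af": af, "type": attr, "range": rng}

def classify_payload(value):
    """RFC 2408 section 3.1: next payload types 128-255 are private use."""
    return "private use" if 128 <= value <= 255 else "reserved or assigned"

def triage(log_text):
    """Group pluto's unknown-value complaints by the peer address that sent them."""
    report = defaultdict(list)
    for line in log_text.splitlines():
        m = LINE_RE.search(line)
        u = UNKNOWN_RE.match(m.group(2)) if m else None
        if not u:
            continue  # not a pluto packet line, or not an unknown-value complaint
        value = int(u.group(2))
        if u.group(1).startswith("af+type"):
            finding = ("attribute", value, classify_attribute(value)["range"])
        else:
            finding = ("payload", value, classify_payload(value))
        report[m.group(1)].append(finding)
    return dict(report)

if __name__ == "__main__":
    for src, findings in triage(SAMPLE_LOG).items():
        print(src, findings)
```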

