what would you infer from this scan?

Neil notices that a single address is generating traffic from its port 500 to port 500 of several other machines on the network. This scan is eating up most of the network bandwidth and Neil is concerned. As a security professional, what would you infer from this scan?

A. It is a network fault and the originating machine is in a network loop

B. It is a worm that is malfunctioning or hardcoded to scan on port 500

C. The attacker is trying to detect machines on the network which have SSL enabled

D. The attacker is trying to determine the type of VPN implementation and checking for IPSec

Explanation:
Port 500 is used by IKE (Internet Key Exchange). IKE is typically used by IPsec-based VPN software, such as Freeswan and PGPnet, and by in-a-box VPN solutions from vendors such as Cisco. IKE is used to set up the session keys. The actual session is usually sent with ESP (Encapsulating Security Payload) packets, IP protocol 50 (but some in-a-box VPNs such as Cisco are capable of negotiating to send the encrypted tunnel over a UDP channel, which is useful across firewalls that block IP protocols other than TCP or UDP).
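The pattern Neil sees can be separated from a working VPN gateway in flow data: a gateway's IKE exchanges are followed by ESP (or UDP-encapsulated) sessions, while a sweep is IKE to many hosts with no session behind it. The following is an added example, not part of the original page; the flow records are constructed, and the CSV layout, the `min_peers` threshold and the use of UDP 4500 for the encapsulated tunnel are assumptions.

```python
import csv
from collections import defaultdict
from io import StringIO

# Constructed sample flow records (not from the page): src,sport,dst,dport,ip_proto
SAMPLE_FLOWS = """\
10.0.0.66,500,10.0.0.1,500,17
10.0.0.66,500,10.0.0.2,500,17
10.0.0.66,500,10.0.0.3,500,17
10.0.0.66,500,10.0.0.4,500,17
10.0.0.66,500,10.0.0.5,500,17
10.0.0.9,500,192.0.2.10,500,17
10.0.0.9,0,192.0.2.10,0,50
10.0.0.9,500,192.0.2.11,500,17
10.0.0.9,4500,192.0.2.11,4500,17
10.0.0.7,53124,10.0.0.1,443,6
"""

UDP, ESP = 17, 50                 # IP protocol numbers
IKE_PORT, NAT_T_PORT = 500, 4500  # 4500: assumed port for the UDP-encapsulated tunnel

def find_ike_sweeps(flow_csv, min_peers=5):
    """Return {src: sorted peers} for hosts that send IKE (UDP 500 -> 500) to at
    least min_peers destinations that show no tunnel traffic from that host."""
    ike_peers = defaultdict(set)     # src -> destinations contacted 500 -> 500
    tunnel_peers = defaultdict(set)  # src -> destinations with ESP or UDP 4500
    for row in csv.reader(StringIO(flow_csv)):
        if len(row) != 5:
            continue                 # skip blank or malformed records
        src, dst = row[0], row[2]
        sport, dport, proto = int(row[1]), int(row[3]), int(row[4])
        if proto == UDP and sport == IKE_PORT and dport == IKE_PORT:
            ike_peers[src].add(dst)
        elif proto == ESP or (proto == UDP and dport == NAT_T_PORT):
            tunnel_peers[src].add(dst)
    sweeps = {}
    for src, peers in ike_peers.items():
        no_session = peers - tunnel_peers[src]  # IKE seen, no tunnel to that peer
        if len(no_session) >= min_peers:
            sweeps[src] = sorted(no_session)
    return sweeps

if __name__ == "__main__":
    for src, peers in find_ike_sweeps(SAMPLE_FLOWS).items():
        print(f"{src}: IKE to {len(peers)} peers, no tunnel traffic: {peers}")
```

A VPN that tunnels over some other UDP port would look like a sweep to this check, so the tunnel port has to match the deployment.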


