Over the past six years, Internet Weather sensors had never detected unsolicited Encapsulating Security Payload (ESP) packets.
That changed on 2023-11-09 14:52:12, when the first-ever ESP packet was detected.
ESP (IP protocol number 50) packets are normally used to encapsulate IPsec traffic between VPN endpoints. Outside of that use, you would not expect to see this kind of activity traversing your network. ESP packets may also pass unfiltered through your edge or client-side (CPE) firewalls, so we recommend checking your firewall configuration and dropping this traffic.
Here is an example that drops ESP traffic using iptables:

```shell
sudo iptables -A INPUT -p esp -j DROP
```
Example unique IPv4 packet header values of the ESP traffic we have detected:

```
PROTO=ESP
LEN=29
LEN=1388
ID=65530
SPI=0x77b40000
SPI=0x87700000
SPI=0xc2440000
SPI=0xadac0000
```
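As an added example (not code from the original post or from the Internet Weather project), here is a small Python parser that picks IPv4 ESP packets out of raw packet bytes, extracts the SPI and sequence number, and flags any whose source is not a configured IPsec peer. The peer allowlist, the destination address and the sample packets are constructed here; the first sample reuses header values reported above (ID=65530, SPI=0x77b40000, LEN=29).

```python
import struct
from ipaddress import ip_address

ESP_PROTO = 50  # IP protocol number for Encapsulating Security Payload

def parse_ipv4_esp(packet: bytes):
    """Return IPv4 header fields plus ESP SPI/seq, or None if not IPv4 ESP."""
    if len(packet) < 20:
        return None
    (ver_ihl, _tos, total_len, ident, _frag, _ttl, proto,
     _csum, src, dst) = struct.unpack("!BBHHHBBH4s4s", packet[:20])
    if ver_ihl >> 4 != 4 or proto != ESP_PROTO:
        return None
    ihl = (ver_ihl & 0x0F) * 4
    esp = packet[ihl:]
    if len(esp) < 8:  # ESP header = 4-byte SPI + 4-byte sequence number
        return None
    spi, seq = struct.unpack("!II", esp[:8])
    return {"src": str(ip_address(src)), "dst": str(ip_address(dst)),
            "len": total_len, "id": ident, "spi": spi, "seq": seq}

def unsolicited_esp(packets, known_peers):
    """Flag ESP packets whose source is not in the operator's peer allowlist
    (known_peers is an assumed, operator-maintained set of IPsec peers)."""
    alerts = []
    for pkt in packets:
        info = parse_ipv4_esp(pkt)
        if info is not None and info["src"] not in known_peers:
            alerts.append(info)
    return alerts

def build_esp_packet(src, dst, ident, spi, total_len):
    """Constructed sample IPv4+ESP packet (test data, not a real capture)."""
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, total_len, ident, 0, 64,
                      ESP_PROTO, 0, ip_address(src).packed, ip_address(dst).packed)
    return hdr + struct.pack("!II", spi, 1) + bytes(total_len - 28)

# Constructed sample traffic: one probe-like packet using header values from
# the post, one packet from an assumed legitimate VPN peer, and one non-ESP
# (TCP, protocol 6) packet that the parser must ignore.
KNOWN_PEERS = {"198.51.100.7"}  # assumed operator-configured IPsec peer
SAMPLE = [
    build_esp_packet("202.113.98.96", "192.0.2.10", 65530, 0x77B40000, 29),
    build_esp_packet("198.51.100.7", "192.0.2.10", 1, 0x0000ABCD, 1388),
    bytes([0x45, 0, 0, 40, 0, 1, 0, 0, 64, 6]) + bytes(30),
]
```

Running `unsolicited_esp(SAMPLE, KNOWN_PEERS)` returns only the first sample, whose LEN=29 leaves a single byte after the 8-byte ESP header, far too short to carry real IPsec payload.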
Example source IP addresses of unsolicited ESP packets:

Note: these hosts may be compromised and/or part of a botnet intentionally sending this traffic.
| IP | Reverse DNS | Country | AS Name | ASN |
|---|---|---|---|---|
| 202.113.98.96 | – | China | China Education and Research Network Center | AS4538 |
| 170.203.203.155 | customer.sttlwax1.pop.starlinkisp.net | Canada | SPACEX-STARLINK | AS14593 |
| 45.124.59.134 | ftth-static-134-59-124-45.dctv.com.ph | Philippines | DCTV Cable Network Broadband Services Inc | AS133334 |
| 1.2.128.142 | node-3y.pool-1-2.dynamic.totinternet.net | Thailand | TOT Public Company Limited | AS23969 |
UPDATE 2023-11-13
NANOG members are also reporting strange IPsec traffic; see this thread for more details:
https://mailman.nanog.org/pipermail/nanog/2023-November/224003.html