Windows 2000 IPSec Not Blocking Traffic

Anonymous
September 22, 2004 6:01:46 PM

Archived from groups: microsoft.public.win2000.security

Folks:

I'm running Windows 2000 Server SP4 (with all critical updates from
windowsupdate.microsoft.com), and am having a strange problem with
IPSec -- at least Network Monitor says I am.

I run IIS, and every day I check the http & ftp logs for attacks on my
server. When I find one, I add the attacker's IP address to the IP
Filter List in my policy, which is set to Block. Windows disregards
the packets from then on, and all is well. I've been doing this for
about a year with no problems.

Today I tried to block IP address 213.222.11.228, but according to
Network Monitor, I'm still sending/receiving TCP data to/from this
address. I tried replacing the specific IP address with an entry to
block the whole subnet, but that didn't help.

Anyone have a guess as to what's going on? Is there perhaps a maximum
number of entries permitted in an IP Filter List? Does any malicious
code exist out there that defeats Windows IPSec?

According to ARIN, 213.222.11.228 is RIPE Network in Amsterdam, which
has always been a hotbed of malicious activity in my experience, so
I'm kind of anxious to get this traffic stopped.

This is what my IPSec policy looks like:

IPSec Policy Name: Default
Policy Assigned: Yes

"Default" Properties:
Rules Tab:
IP Filter List: Hackers
Filter Action: Block
Authentication: Preshared Key (I've tried changing the PSK, but no
improvement)
Tunnel Setting: None
Connection Type: All
General Tab:
[everything at windows defaults]

Rule Properties:
IP Filter List: Hackers (contains hundreds and hundreds of addresses)
Filter Action: Block (contains security method: Block)
Authentication Methods: Preshared Key
Tunnel Setting: This rule does not specify an IPSec tunnel
Connection Type: All network connections

Sample IP Filter List entry:
Addressing Tab:
Source Address: A specific IP address
IP Address: www.xxx.yyy.zzz
Subnet Mask: 255.255.255.255
Destination Address: Any IP address
Mirrored: [selected]
Protocol Tab:
Protocol: Any

Thanks In Advance for Any Help,
--Phil
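The filter semantics Phil lists (a source address with a subnet mask, destination "Any", Mirrored selected) as an added Python example, not code from the thread; the server address and the /24 entry are constructed, and the Windows IPSec filter driver itself is not modelled, only the matching rule its entries describe:

```python
# Added example (not from the original thread): models how an IP Filter List
# entry matches a packet, following the fields shown in the post (source
# address + subnet mask, destination Any, Mirrored), so the effect of an entry
# on inbound and outbound packets can be checked offline.
import ipaddress
from dataclasses import dataclass
from typing import List, Optional

@dataclass(frozen=True)
class FilterEntry:
    """One row of an IP Filter List: source network, destination (None = Any), mirrored flag."""
    source: ipaddress.IPv4Network
    destination: Optional[ipaddress.IPv4Network]   # None means "Any IP address"
    mirrored: bool = True

def filter_entry(ip: str, mask: str = "255.255.255.255", mirrored: bool = True) -> FilterEntry:
    """Build an entry from the Addressing-tab fields (IP address + subnet mask)."""
    # strict=False lets a host address with a wider mask denote its whole subnet
    return FilterEntry(ipaddress.IPv4Network(f"{ip}/{mask}", strict=False), None, mirrored)

def _one_way(entry: FilterEntry, src: ipaddress.IPv4Address, dst: ipaddress.IPv4Address) -> bool:
    return src in entry.source and (entry.destination is None or dst in entry.destination)

def entry_matches(entry: FilterEntry, src: str, dst: str) -> bool:
    """True if a packet src -> dst is covered; a Mirrored entry also covers dst -> src."""
    s, d = ipaddress.IPv4Address(src), ipaddress.IPv4Address(dst)
    if _one_way(entry, s, d):
        return True
    return entry.mirrored and _one_way(entry, d, s)

def blocked(filter_list: List[FilterEntry], src: str, dst: str) -> bool:
    """Filter action Block applies when any entry in the list matches the packet."""
    return any(entry_matches(e, src, dst) for e in filter_list)

SERVER = "192.0.2.10"   # constructed address standing in for the IIS server
HACKERS = [
    filter_entry("213.222.11.228"),                   # the host address from the post
    filter_entry("203.0.113.0", "255.255.255.0"),     # constructed whole-subnet entry
]

if __name__ == "__main__":
    for src, dst in [("213.222.11.228", SERVER), (SERVER, "213.222.11.228"), ("198.51.100.7", SERVER)]:
        print(f"{src} -> {dst}: {'BLOCK' if blocked(HACKERS, src, dst) else 'permit'}")
```

With Mirrored selected the single host entry covers both the inbound and the outbound direction, so traffic seen in both directions in Network Monitor means the entry is not being applied at all rather than only half-applied.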
Anonymous
September 23, 2004 7:49:47 AM


I have never added that many addresses to a rule and don't know if there is a limit
or not. What you could try is to delete five or so old entries to see if that makes a
difference and then maybe unassign and then assign the policy again. Another thing to
try is to create a new identical rule in your policy with a different name to see if
there is a possible limit that may apply to a rule but not a policy. Also look in
Event Viewer for any errors and run the netdiag support tool to test ipsec as in
"netdiag /test:ipsec /debug" to see if it reports a problem. --- Steve

"Phil Murnane" <pjmurnane@yahoo.com> wrote in message
news:1052ac4d.0409221301.573e15af@posting.google.com...
Anonymous
September 23, 2004 8:58:41 PM


Steve:

Thanks for the ideas, especially the netdiag one (I'd forgotten about
netdiag entirely). Event Viewer hasn't been reporting anything
unusual. Once I have something to report, I'll post an update.

Thanks Again,
--Phil
