Unexplainable router log entries mentioning IPSEC from Yahoo IPs

Curious if someone can point me in the right direction. In the last three
days our core router (Cisco 7609) has logged the following events:

Dec 16 19:04:59.027 CST: %CRYPTO-4-RECVD_PKT_INV_SPI: decaps: rec'd IPSEC packet has invalid spi for destaddr=<redacted>, prot=50, spi=0xEF7ED795(4018067349), srcaddr=68.180.160.18, input interface=Vlan20
Dec 16 20:41:47.822 CST: %CRYPTO-4-RECVD_PKT_INV_SPI: decaps: rec'd IPSEC packet has invalid spi for destaddr=<redacted>, prot=50, spi=0xEF7ED795(4018067349), srcaddr=203.84.212.18, input interface=Vlan20
Dec 16 21:28:12.667 CST: %CRYPTO-4-RECVD_PKT_INV_SPI: decaps: rec'd IPSEC packet has invalid spi for destaddr=<redacted>, prot=50, spi=0xEF7ED795(4018067349), srcaddr=68.180.160.36, input interface=Vlan21
Dec 16 22:22:40.558 CST: %CRYPTO-4-RECVD_PKT_INV_SPI: decaps: rec'd IPSEC packet has invalid spi for destaddr=<redacted>, prot=50, spi=0xEF7ED795(4018067349), srcaddr=68.180.160.104, input interface=Vlan21
Dec 16 22:42:17.404 CST: %CRYPTO-4-RECVD_PKT_INV_SPI: decaps: rec'd IPSEC packet has invalid spi for destaddr=<redacted>, prot=50, spi=0xEF7ED795(4018067349), srcaddr=68.180.160.104, input interface=Vlan20
Dec 17 00:04:34.704 CST: %CRYPTO-4-RECVD_PKT_INV_SPI: decaps: rec'd IPSEC packet has invalid spi for destaddr=<redacted>, prot=50, spi=0xEF7ED795(4018067349), srcaddr=68.180.160.34, input interface=Vlan21
Dec 17 00:05:41.656 CST: %CRYPTO-4-RECVD_PKT_INV_SPI: decaps: rec'd IPSEC packet has invalid spi for destaddr=<redacted>, prot=50, spi=0xEF7ED795(4018067349), srcaddr=68.180.160.103, input interface=Vlan20
Dec 17 08:54:29.583 CST: %CRYPTO-4-RECVD_PKT_INV_SPI: decaps: rec'd IPSEC packet has invalid spi for destaddr=<redacted>, prot=50, spi=0x4CF4BE5D(1291107933), srcaddr=68.180.160.104, input interface=Vlan21
Dec 17 09:20:31.881 CST: %CRYPTO-4-RECVD_PKT_INV_SPI: decaps: rec'd IPSEC packet has invalid spi for destaddr=<redacted>, prot=50, spi=0x4CF4BE5D(1291107933), srcaddr=68.180.160.37, input interface=Vlan21
Dec 17 19:45:29.615 CST: %CRYPTO-4-RECVD_PKT_INV_SPI: decaps: rec'd IPSEC packet has invalid spi for destaddr=<redacted>, prot=50, spi=0x4CF4BE5D(1291107933), srcaddr=203.84.212.36, input interface=Vlan20
Dec 17 19:59:52.663 CST: %CRYPTO-4-RECVD_PKT_INV_SPI: decaps: rec'd IPSEC packet has invalid spi for destaddr=<redacted>, prot=50, spi=0x4CF4BE5D(1291107933), srcaddr=203.84.212.24, input interface=Vlan20
Dec 17 23:20:02.869 CST: %CRYPTO-4-RECVD_PKT_INV_SPI: decaps: rec'd IPSEC packet has invalid spi for destaddr=<redacted>, prot=50, spi=0x4CF4BE5D(1291107933), srcaddr=68.180.160.99, input interface=Vlan21
Dec 18 00:15:19.536 CST: %CRYPTO-4-RECVD_PKT_INV_SPI: decaps: rec'd IPSEC packet has invalid spi for destaddr=<redacted>, prot=50, spi=0x4CF4BE5D(1291107933), srcaddr=203.84.212.53, input interface=Vlan21
Dec 18 00:43:00.158 CST: %CRYPTO-4-RECVD_PKT_INV_SPI: decaps: rec'd IPSEC packet has invalid spi for destaddr=<redacted>, prot=50, spi=0x4CF4BE5D(1291107933), srcaddr=68.180.160.101, input interface=Vlan20
Dec 18 00:44:52.018 CST: %CRYPTO-4-RECVD_PKT_INV_SPI: decaps: rec'd IPSEC packet has invalid spi for destaddr=<redacted>, prot=50, spi=0x4CF4BE5D(1291107933), srcaddr=68.180.160.100, input interface=Vlan21

All the destination IP addresses are in one of two categories:
- router interface
- inactive IP (no ARP entry)

Vlans 20 and 21 are the Vlans facing our two edge/border routers.

If I do a PTR lookup of each source IP, they're all some kind of
cryptographic server in Yahoo's network:

203.84.212.18|18.212.84.203.in-addr.arpa domain name pointer lo301.cry1.sg3.yahoo.com.
203.84.212.24|24.212.84.203.in-addr.arpa domain name pointer lo303.cry2.sg3.yahoo.com.
203.84.212.36|36.212.84.203.in-addr.arpa domain name pointer lo303.cry1.tw1.yahoo.com.
203.84.212.53|53.212.84.203.in-addr.arpa domain name pointer lo300.cry2.tp2.yahoo.com.
68.180.160.100|100.160.180.68.in-addr.arpa domain name pointer lo303.cry1.md2.yahoo.com.
68.180.160.101|101.160.180.68.in-addr.arpa domain name pointer lo300.cry2.md2.yahoo.com.
68.180.160.103|103.160.180.68.in-addr.arpa domain name pointer lo302.cry2.md2.yahoo.com.
68.180.160.104|104.160.180.68.in-addr.arpa domain name pointer lo303.cry2.md2.yahoo.com.
68.180.160.18|18.160.180.68.in-addr.arpa domain name pointer lo301.cry1.ne1.yahoo.com.
68.180.160.34|34.160.180.68.in-addr.arpa domain name pointer lo301.cry1.bf1.yahoo.com.
68.180.160.36|36.160.180.68.in-addr.arpa domain name pointer lo303.cry1.bf1.yahoo.com.
68.180.160.37|37.160.180.68.in-addr.arpa domain name pointer lo300.cry2.bf1.yahoo.com.
68.180.160.99|99.160.180.68.in-addr.arpa domain name pointer lo302.cry1.md2.yahoo.com.

Any idea what's going on here? It's as if our 7600 is inspecting this
traffic (presumably because it's not transit, it's being processed by the
CPU) and seeing something special about it. Even if the router is not
behaving correctly, why is Yahoo sending that kind of traffic to those IPs?

Frank
AS53347
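As an added triage example (not code from the thread, from Cisco or from Yahoo): a small Python script that parses %CRYPTO-4-RECVD_PKT_INV_SPI lines exactly as they were pasted above, including the entries the mail client wrapped over three lines, and reduces them to the facts that separate the pattern seen here (a handful of events per day, two SPIs, sources inside two /24s) from a spoofed protocol-50 flood. The year, the event-rate threshold and the SPI-count threshold are assumptions; the sample lines are copied from this thread.

```python
import re
from collections import Counter, defaultdict
from datetime import datetime

# IOS %CRYPTO-4-RECVD_PKT_INV_SPI in both layouts seen in the thread (optional ms, tz, interface).
LOG_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2} +\d{1,2} \d\d:\d\d:\d\d)(?:\.\d+)?(?: [A-Z]+)?: "
    r"%CRYPTO-4-RECVD_PKT_INV_SPI:.*?spi=(?P<spi>0x[0-9A-Fa-f]+)"
    r".*?srcaddr=(?P<src>\d+\.\d+\.\d+\.\d+)")
NEW_ENTRY = re.compile(r"^[A-Z][a-z]{2} +\d{1,2} \d\d:\d\d:\d\d")  # a timestamp starts an entry

# Sample copied from the thread: two entries wrapped by the mailer, one on a single line.
SAMPLE = """\
Dec 16 19:04:59.027 CST: %CRYPTO-4-RECVD_PKT_INV_SPI: decaps: rec'd IPSEC
packet has invalid spi for destaddr=<redacted>, prot=50,
spi=0xEF7ED795(4018067349), srcaddr=68.180.160.18, input interface=Vlan20
Dec 17 08:54:29.583 CST: %CRYPTO-4-RECVD_PKT_INV_SPI: decaps: rec'd IPSEC
packet has invalid spi for destaddr=<redacted>, prot=50,
spi=0x4CF4BE5D(1291107933), srcaddr=68.180.160.104, input interface=Vlan21
Dec 18 10:02:00: %CRYPTO-4-RECVD_PKT_INV_SPI: decaps: rec'd IPSEC packet has invalid spi for destaddr= prot=50 spi=0x4CF4BE5D(1291107933) srcaddr=203.84.212.35
"""

def parse_events(text, year=2019):
    """Re-join mailer-wrapped entries, then parse them; IOS omits the year, so one is assumed."""
    entries = []
    for line in filter(None, map(str.strip, text.splitlines())):
        if NEW_ENTRY.match(line) or not entries:
            entries.append(line)
        else:                                   # continuation of the previous entry
            entries[-1] += " " + line
    return [{"ts": datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S"),
             "spi": m["spi"], "src": m["src"]} for m in map(LOG_RE.match, entries) if m]

def summarize(events):
    """Event rate, distinct sources per SPI, and source concentration by /24."""
    stamps = [e["ts"] for e in events]
    span_h = max((max(stamps) - min(stamps)).total_seconds() / 3600, 1.0)
    spis = defaultdict(set)
    for e in events:
        spis[e["spi"]].add(e["src"])
    nets = Counter(e["src"].rsplit(".", 1)[0] + ".0/24" for e in events)
    return {"events": len(events), "per_hour": len(events) / span_h,
            "spis": {k: len(v) for k, v in spis.items()}, "source_nets": dict(nets)}

def triage(events, flood_rate=60.0, max_spis=10):
    """Assumed thresholds: a flood shows many events per hour and many unrelated SPIs."""
    if not events:
        return "no matching events"
    s = summarize(events)
    if s["per_hour"] >= flood_rate or len(s["spis"]) > max_spis:
        return "possible protocol-50 flood: capture a sample, then filter ESP at the edge"
    return "low-rate, few SPIs, stable sources: likely misdirected ESP, contact the source network"
```

Run `triage(parse_events(SAMPLE))` against the paste above and it lands in the second branch, which matches the explanation given later in the thread.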

Frank-

I’ll contact you directly about this.

Yes, we saw them as well:


It should be noted that attackers will sometimes generate non-TCP/-UDP/-ICMP DDoS attack traffic which is intended to bypass ACLs, firewall rules, etc. which only take the more common protocols into account. They’ll often pick ESP (protocol 50), AH (protocol 51), or GRE (protocol 47) in order to try & masquerade the attack traffic as legitimate VPN or tunneled traffic.

And the source IPs of this attack traffic are frequently spoofed, as well.

In this case, however, what’s being seen is simply valid traffic
which was most likely erroneously redirected through an
internal encryption device.

I would hazard a guess the folks involved have already jumped
on checking the redirector rules to fix the leakage which allowed
external IPs to be passed through the internal encryption pathway.

I helped build the system that’s causing those messages, so I have
a bit of a guess as to what the issue is. I’m no longer an employee,
however, so I can’t fix the issue. But in this case, those boxes really
aren’t trying to attack you–they just aren’t supposed to be sending
traffic externally like that.

So, it actually is good to speak up about this traffic–because it’s a fixable
issue, and one that should be addressed at the source.

Thanks!

Matt
#notspeakingofficiallyforanyoneoranything

Maybe something to do with the shutdown of Yahoo Groups.

https://groups.yahoo.com/neo

Frank Whiteley