EC-Council

312-50V10 · Question #621

312-50V10 Question #621: Real Exam Question with Answer & Explanation

The correct answer is D: The attacker is trying to determine the type of VPN implementation and checking for IPSec.

Question

Neil notices that a single address is generating traffic from its port 500 to port 500 of several other machines on the network. This scan is eating up most of the network bandwidth and Neil is concerned. As a security professional, what would you infer from this scan?

Options

  • A. It is a network fault and the originating machine is in a network loop
  • B. It is a worm that is malfunctioning or hardcoded to scan on port 500
  • C. The attacker is trying to detect machines on the network which have SSL enabled
  • D. The attacker is trying to determine the type of VPN implementation and checking for IPSec

Explanation

UDP/TCP port 500 is used exclusively by IKE (Internet Key Exchange) for IPSec VPN negotiation, so scanning it across multiple hosts is reconnaissance to identify VPN gateways.

Common mistakes.

  • A. A network loop causes broadcast storms and spanning-tree issues, not deliberate port 500 unicast traffic directed at multiple specific hosts.
  • B. Malware typically scans common vulnerability ports or random high ports; hardcoding port 500 without context would be unusual and misses the IKE-specific significance of that port.
  • C. SSL/TLS uses port 443 for HTTPS, not port 500; port 500 has no association with SSL detection.
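
The pattern Neil observes can be flagged from flow records by counting how many distinct hosts one source contacts from port 500 to port 500 within a short window. This is an added example, not part of the original question or its answer key; the CSV layout, the constructed flow records, the window, the threshold and the peer allowlist are all assumptions made for illustration.

```python
import csv
import io
from collections import defaultdict

IKE_PORT = 500            # port named in the question
WINDOW_SECONDS = 60       # assumed detection window
FANOUT_THRESHOLD = 4      # assumed: distinct destinations before alerting
# Assumed allowlist of expected (gateway, peer) IKE pairs, e.g. a site-to-site tunnel.
KNOWN_IKE_PEERS = {("10.0.0.1", "10.0.9.1")}

# Constructed flow records (not real traffic).
SAMPLE_FLOWS = """ts,src,sport,dst,dport,proto
0,10.0.0.1,500,10.0.9.1,500,udp
3,10.0.5.23,500,10.0.1.10,500,udp
4,10.0.5.23,500,10.0.1.11,500,udp
5,10.0.5.23,500,10.0.1.12,500,udp
6,10.0.5.23,500,10.0.1.13,500,udp
7,10.0.5.23,500,10.0.1.14,500,udp
9,10.0.7.8,51544,10.0.1.10,443,tcp
20,10.0.0.1,500,10.0.9.1,500,udp
200,10.0.6.2,500,10.0.1.10,500,udp
400,10.0.6.2,500,10.0.1.11,500,udp
"""

def find_ike_sweeps(flow_csv, window=WINDOW_SECONDS, threshold=FANOUT_THRESHOLD):
    """Return {src: max distinct port-500 destinations in any window}
    for sources that reach the threshold."""
    events = defaultdict(list)  # src -> [(ts, dst)]
    for row in csv.DictReader(io.StringIO(flow_csv)):
        if int(row["sport"]) != IKE_PORT or int(row["dport"]) != IKE_PORT:
            continue  # only the 500 -> 500 pattern from the question
        if (row["src"], row["dst"]) in KNOWN_IKE_PEERS:
            continue  # expected tunnel negotiation, not a sweep
        events[row["src"]].append((int(row["ts"]), row["dst"]))
    alerts = {}
    for src, seen in events.items():
        seen.sort()
        best = 0
        for i, (start, _) in enumerate(seen):
            # distinct destinations contacted within `window` seconds of this flow
            best = max(best, len({d for t, d in seen[i:] if t - start <= window}))
        if best >= threshold:
            alerts[src] = best
    return alerts

if __name__ == "__main__":
    for src, n in find_ike_sweeps(SAMPLE_FLOWS).items():
        print(f"possible IPSec gateway discovery: {src} -> {n} hosts on port {IKE_PORT}")
```
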

Concept tested. IKE port 500 IPSec VPN gateway reconnaissance

Reference. https://learn.microsoft.com/en-us/windows-server/remote/remote-access/vpn/always-on-vpn/deploy/vpn-deploy-server-infrastructure
