Bugtraq mailing list archives
Re: UDP DoS attack in Win2k via IKE
From: Darren Reed <avalon () cairo anu edu au>
Date: Sat, 8 Dec 2001 17:47:13 +1100 (Australia/NSW)
In some mail from c0redump, sie said:
> UDP DoS in Win2k via IKE
>
> PROBLEM
> =======
> A DoS attack can be carried out on Win2k machines running IKE (internet key exchange) by flooding IKE with UDP packets. This can cause the machine to lock up and render 99% of the CPU.
>
> EXPLOIT
> =======
> Connect to port 500 (IKE) of the Win2k box and start sending UDP packets of more than 800 bytes continuously. The box will eventually stop responding and services will be denied due to 99% CPU usage from the packets.
>
> SOLUTION
> ========
> Firewall port 500 off if IPsec is not in use.
The solution should be: Disable the "IPsec policy agent" service if IPsec is not in use. (Makes you wonder why it was on in the first place, especially if no IPSec policies have been assigned, but I digress...)

But what about if you are using IPsec?

Some questions.

Did you try and measure the minimum packet rate required to keep it at 99% CPU? How fast the victim CPU is would also be worth mentioning with this.

Do you need to send packets to the IKE server that look like IKE packets, or does any random garbage suffice?

Have you tried targeting other platforms which have daemons which handle IKE? If so, did they behave any differently when under load like this?

Because of the crypto involved, this sounds very similar to the problem described in the paper presented at Usenix Security 2001 on DoS attacks against secure web servers (I think 6 clients are required to make an https server practically unusable). I wonder if a similar solution is worthwhile...

Darren
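A defender-side check in the spirit of the questions above, added here as an example and not code from either poster: it validates the fixed ISAKMP header (RFC 2408) so that random garbage on UDP/500 can be told apart from plausible IKE, and flags any source whose rate of large datagrams exceeds a per-window budget. The traffic records, addresses and the threshold are constructed assumptions, not measurements from the reported Win2k case.

```python
import struct
from collections import defaultdict

# RFC 2408 fixed ISAKMP header: i-cookie, r-cookie, next payload, version,
# exchange type, flags, message id, total length (28 bytes, network order)
ISAKMP_HDR = struct.Struct("!8s8sBBBBII")
IKE_PORT = 500

def parse_isakmp_header(payload):
    """Return header fields if the datagram is plausibly IKEv1, else None."""
    if len(payload) < ISAKMP_HDR.size:
        return None
    icookie, rcookie, nxt, ver, exch, flags, msgid, length = ISAKMP_HDR.unpack_from(payload)
    if ver >> 4 != 1 or length != len(payload) or icookie == bytes(8):
        return None  # wrong major version, inconsistent length, or zero cookie
    return {"exchange": exch, "next_payload": nxt, "flags": flags,
            "msgid": msgid, "length": length}

def find_ike_floods(records, window=1.0, max_per_window=100, min_len=800):
    """records: (timestamp, src_ip, dst_port, payload). Flags sources whose count
    of large UDP/500 datagrams in any window exceeds the limit, and reports how
    many of those failed the ISAKMP sanity check (garbage vs well-formed IKE)."""
    counts = defaultdict(lambda: defaultdict(int))
    malformed = defaultdict(int)
    for ts, src, dport, payload in records:
        if dport != IKE_PORT or len(payload) < min_len:
            continue
        counts[src][int(ts // window)] += 1
        if parse_isakmp_header(payload) is None:
            malformed[src] += 1
    return {src: {"peak": max(w.values()), "malformed": malformed[src]}
            for src, w in counts.items() if max(w.values()) > max_per_window}

# Constructed sample traffic (not a real capture): a well-formed main-mode
# initiator packet padded to 900 bytes, a 900-byte garbage flood, and small noise.
def make_ike_packet(size=900):
    body = bytes(size - ISAKMP_HDR.size)
    return ISAKMP_HDR.pack(b"\x11" * 8, bytes(8), 1, 0x10, 2, 0, 0, size) + body

SAMPLE = ([(0.1 * i, "192.0.2.10", IKE_PORT, make_ike_packet()) for i in range(5)]
          + [(0.005 * i, "203.0.113.7", IKE_PORT, b"A" * 900) for i in range(150)]
          + [(0.01 * i, "198.51.100.3", IKE_PORT, b"B" * 64) for i in range(400)])

if __name__ == "__main__":
    print(find_ike_floods(SAMPLE))  # flags only 203.0.113.7
```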