Bugtraq mailing list archives

Re: UDP DoS attack in Win2k via IKE


From: Darren Reed <avalon () cairo anu edu au>
Date: Sat, 8 Dec 2001 17:47:13 +1100 (Australia/NSW)

In some mail from c0redump, sie said:

UDP DoS in Win2k via IKE

PROBLEM
=======
A DoS attack can be carried out on Win2k machines running IKE (internet key
exchange) by flooding IKE with UDP packets.  This can cause the
machine to lock up and render 99% of the CPU.

EXPLOIT
=======
Connect to port 500 (IKE) of the Win2k box and start sending UDP packets of
more than 800 bytes continuously.  The box will eventually stop responding
and services will be denied due to 99% CPU usage from the packets.

SOLUTION
========
Firewall port 500 off if IPsec is not in use.

The solution should be:
Disable the "IPsec policy agent" service if IPsec is not in use.
(Makes you wonder why it was on in the first place, especially if no IPsec
policies have been assigned, but I digress...)

But what if you are using IPsec?

Some questions.

Did you try and measure the minimum packet rate required to keep it at
99% CPU?  How fast the victim CPU is would also be worth mentioning with
this.

Do you need to send packets to the IKE server that look like IKE packets
or does any random garbage suffice?

Have you tried targeting other platforms which have daemons which handle
IKE?  If so, did they behave any differently when under load like this?

Because of the crypto involved, this sounds very similar to the problem
described in the paper presented at Usenix Security 2001 on DoS attacks
against secure web servers (I think 6 clients are required to make an
https server practically unusable).  I wonder if a similar solution is
worthwhile...

Darren

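As an added defender-side illustration (not part of this thread, and not Darren's or c0redump's code): a small Python script that flags sources sending a burst of oversized UDP packets to port 500, run over constructed log lines in an assumed simplified format. Port 500 and the 800-byte figure come from the advisory; the one-second window and the per-source threshold are assumed tuning values, which is exactly why the minimum packet rate Darren asks about would matter for anyone deploying a check like this.

```python
import re
from collections import defaultdict

# Parameters from the advisory above: IKE listens on UDP/500 and the flood used
# UDP packets larger than 800 bytes.  WINDOW and THRESHOLD are assumed tuning
# values, not figures from the advisory.
IKE_PORT, LARGE_UDP = 500, 800
WINDOW, THRESHOLD = 1.0, 10          # seconds; large packets per source per window

# Assumed, simplified log format (constructed for this example, not a real product's):
#   <epoch_seconds> <src_ip> -> <dst_ip>:<dst_port> UDP len=<bytes>
LINE_RE = re.compile(r"^(?P<ts>\d+(?:\.\d+)?) (?P<src>\S+) -> \S+:(?P<port>\d+) UDP len=(?P<len>\d+)$")

def parse_line(line):
    """Return (ts, src, port, length) for a well-formed line, else None."""
    m = LINE_RE.match(line.strip())
    return (float(m["ts"]), m["src"], int(m["port"]), int(m["len"])) if m else None

def find_ike_flooders(lines, window=WINDOW, threshold=THRESHOLD):
    """Map each source that sent >= threshold large UDP/500 packets inside some
    sliding window of `window` seconds to its peak count in such a window."""
    times_by_src = defaultdict(list)
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue                     # malformed line: skip rather than crash
        ts, src, port, length = rec
        if port == IKE_PORT and length > LARGE_UDP:
            times_by_src[src].append(ts)
    flagged = {}
    for src, times in times_by_src.items():
        times.sort()
        peak = start = 0
        for end, t in enumerate(times):  # two-pointer sliding window over timestamps
            while t - times[start] > window:
                start += 1
            peak = max(peak, end - start + 1)
        if peak >= threshold:
            flagged[src] = peak
    return flagged

# Constructed sample traffic: one host sends 30 large packets to UDP/500 at 70 ms intervals,
# a genuine IKE peer sends two normal-sized packets, a third host sends a large packet to
# a different port, and one line is garbage.
SAMPLE_LOG = [f"{1007800000 + i * 0.07:.2f} 10.0.0.5 -> 192.0.2.10:500 UDP len=904"
              for i in range(30)] + [
    "1007800000.50 10.0.0.7 -> 192.0.2.10:500 UDP len=212",
    "1007800001.10 10.0.0.7 -> 192.0.2.10:500 UDP len=236",
    "1007800000.30 10.0.0.9 -> 192.0.2.10:53 UDP len=1200",
    "not a packet record",
]
```

Running `find_ike_flooders(SAMPLE_LOG)` on the constructed data flags only 10.0.0.5, with a peak of 15 oversized packets in one second; the genuine peer and the unrelated port-53 traffic are ignored.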