Bugtraq mailing list archives
Re: Cisco VPN Concentrator IKE resource exhaustion DoS Advisory
From: Roy Hills <Roy.Hills () nta-monitor com>
Date: Wed, 02 Aug 2006 09:03:11 +0100
Yes, the problem is due to the stateful nature of the IKEv1 protocol, which means that the implementation needs to keep track of IKE requests that are currently in progress. Most implementations will use the ISAKMP cookies to do this. Because IKE is normally based on the UDP transport, which does not itself provide state, the IKE application must maintain the state information. As I mentioned in the advisory, this is very similar to the SYN flood vulnerabilities which plagued many TCP/IP stacks back in 1996. This paper that I released back in 2003 discusses a related issue, which is how the state mechanisms of various IKE implementations handle re-transmission of lost packets: http://www.nta-monitor.com/posts/2003/01/udp-backoff-whitepaper.pdf This shows that the IKE implementations are maintaining their own state information, and the individual backoff patterns show how long eachimplementation remains in the "SA sent" state before discarding the negotiation.
Roy At 14:50 30/07/2006, Pavel Kankovsky wrote:
On Fri, 28 Jul 2006, Eloy Paris wrote: > The attack against the Internet Key Exchange (IKE) protocol described > in the NTA Monitor advisory exploits the stateless nature of the IKE > version 1 protocol. The goal of such an attack is to deplete the > resources available on a device to negotiate IKE security associations, > and block legitimate users from establishing a new security association. "Stateless"? Wasn't it supposed to read "stateful"? --Pavel Kankovsky aka Peak [ Boycott Microsoft--http://www.vcnet.com/bms ] "Resistance is futile. Open your source code and prepare for assimilation."
-- Roy Hills Tel: +44 1634 721855 NTA Monitor Ltd FAX: +44 1634 721844 14 Ashford House, Beaufort Court, Medway City Estate, Email: Roy.Hills () nta-monitor comRochester, Kent ME2 4FA, UK WWW: http://www.nta-monitor.com/
Current thread:
- Re: Cisco VPN Concentrator IKE resource exhaustion DoS Advisory Roy Hills (Aug 02)
- <Possible follow-ups>
- Re: Re: Cisco VPN Concentrator IKE resource exhaustion DoS Advisory henry . sieff (Aug 11)
- RE: Re: Cisco VPN Concentrator IKE resource exhaustion DoS Advisory Lance Seelbach (Aug 14)
- Re: Re: Cisco VPN Concentrator IKE resource exhaustion DoS Advisory Henry Sieff (Aug 11)
- RE: Re: Cisco VPN Concentrator IKE resource exhaustion DoS Advisory Lance Seelbach (Aug 14)