Bugtraq mailing list archives

Re: Cisco VPN Concentrator IKE resource exhaustion DoS Advisory

From: Roy Hills <Roy.Hills () nta-monitor com>
Date: Wed, 02 Aug 2006 09:03:11 +0100

Yes, the problem is due to the stateful nature of the IKEv1 protocol, which
means that the implementation needs to keep track of IKE requests that
are currently in progress.  Most implementations will use the ISAKMP cookies
to do this.

Because IKE is normally based on the UDP transport, which does not
itself provide state, the IKE application must maintain the state information.

As I mentioned in the advisory, this is very similar to the SYN flood
vulnerabilities which plagued many TCP/IP stacks back in 1996.

This paper that I released back in 2003 discusses a related issue,
which is how the state mechanisms of various IKE implementations
handle re-transmission of lost packets:

http://www.nta-monitor.com/posts/2003/01/udp-backoff-whitepaper.pdf

This shows that the IKE implementations are maintaining their own
state information, and the individual backoff patterns show how long each

implementation remains in the "SA sent" state before discarding thenegotiation.


Roy

At 14:50 30/07/2006, Pavel Kankovsky wrote:

On Fri, 28 Jul 2006, Eloy Paris wrote:

> The attack against the Internet Key Exchange (IKE) protocol described
> in the NTA Monitor advisory exploits the stateless nature of the IKE
> version 1 protocol. The goal of such an attack is to deplete the
> resources available on a device to negotiate IKE security associations,
> and block legitimate users from establishing a new security association.

"Stateless"? Wasn't it supposed to read "stateful"?

--Pavel Kankovsky aka Peak  [ Boycott Microsoft--http://www.vcnet.com/bms ]
"Resistance is futile. Open your source code and prepare for assimilation."


--
Roy Hills                                    Tel:   +44 1634 721855
NTA Monitor Ltd                              FAX:   +44 1634 721844
14 Ashford House, Beaufort Court,
Medway City Estate,                          Email: Roy.Hills () nta-monitor com

Rochester, Kent ME2 4FA, UK WWW: http://www.nta-monitor.com/

Current thread:

Re: Cisco VPN Concentrator IKE resource exhaustion DoS Advisory Roy Hills (Aug 02)
- <Possible follow-ups>
- Re: Re: Cisco VPN Concentrator IKE resource exhaustion DoS Advisory henry . sieff (Aug 11)
  - RE: Re: Cisco VPN Concentrator IKE resource exhaustion DoS Advisory Lance Seelbach (Aug 14)
    - Re: Re: Cisco VPN Concentrator IKE resource exhaustion DoS Advisory Henry Sieff (Aug 11)