Re: Cisco VPN Concentrator IKE resource exhaustion DoS Advisory
Yes, the problem is due to the stateful nature of the IKEv1 protocol, which
means that the implementation needs to keep track of IKE requests that
are currently in progress. Most implementations will use the ISAKMP cookies
to do this.
Because IKE is normally based on the UDP transport, which does not
itself provide state, the IKE application must maintain the state information.
As I mentioned in the advisory, this is very similar to the SYN flood
vulnerabilities which plagued many TCP/IP stacks back in 1996.
This paper that I released back in 2003 discusses a related issue,
which is how the state mechanisms of various IKE implementations
handle re-transmission of lost packets:
http://www.nta-monitor.com/posts/2003/01/udp-backoff-whitepaper.pdf
This shows that the IKE implementations are maintaining their own
state information, and the individual backoff patterns show how long each
implementation remains in the "SA sent" state before discarding the
negotiation.
Roy
At 14:50 30/07/2006, Pavel Kankovsky wrote:
On Fri, 28 Jul 2006, Eloy Paris wrote:
> The attack against the Internet Key Exchange (IKE) protocol described
> in the NTA Monitor advisory exploits the stateless nature of the IKE
> version 1 protocol. The goal of such an attack is to deplete the
> resources available on a device to negotiate IKE security associations,
> and block legitimate users from establishing a new security association.
"Stateless"? Wasn't it supposed to read "stateful"?
--Pavel Kankovsky aka Peak [ Boycott Microsoft--http://www.vcnet.com/bms ]
"Resistance is futile. Open your source code and prepare for assimilation."
--
Roy Hills Tel: +44 1634 721855
NTA Monitor Ltd FAX: +44 1634 721844
14 Ashford House, Beaufort Court,
Medway City Estate, Email: Roy.Hills@xxxxxxxxxxxxxxx
Rochester, Kent ME2 4FA, UK WWW: http://www.nta-monitor.com/