Re: Cisco VPN Concentrator IKE resource exhaustion DoS Advisory



On Fri, 28 Jul 2006, Eloy Paris wrote:

> The attack against the Internet Key Exchange (IKE) protocol described
> in the NTA Monitor advisory exploits the stateless nature of the IKE
> version 1 protocol. The goal of such an attack is to deplete the
> resources available on a device to negotiate IKE security associations,
> and block legitimate users from establishing a new security association.

"Stateless"? Wasn't it supposed to read "stateful"?

--Pavel Kankovsky aka Peak [ Boycott Microsoft--http://www.vcnet.com/bms ]
"Resistance is futile. Open your source code and prepare for assimilation."


