SUBJECT: DoS attack: in case of back-to-back IKE_SA_INIT messages from an attacker, strongSwan is unable to limit HALF_OPEN_IKE_SA to the configured BLOCK_THRESHOLD value.

I have configured the block_threshold to 2, keeping COOKIE_THRESHOLD at a large value (in order to avoid hitting that condition).
NOTE: I have restarted strongSwan after changing the value in strongswan.conf.

But when I flood the strongSwan 4.5.0 box with IKE_SA_INIT messages, it keeps creating IKE_SAs and is able to apply the limit only if it gets a breather (from the burst).

charon->ike_sa_manager->get_half_open_count() is unable to return the updated value to the calling function peer_too_aggressive().

I printed some logs, and charon->ike_sa_manager->get_half_open_count() returns zero till the end of my burst, hence strongSwan keeps creating IKE_SAs and also responds to each one of them.

The same works fine in the case of COOKIE_CHALLENGE, as it starts at the configured packet number.

Does this have something to do with the hash lookup for the matching peer happening in case of BLOCK_THRESHOLD?

--
ashutosh
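Added illustration of the check the report describes (constructed model, not code from the report or from strongSwan): a per-peer half-open counter consulted by peer_too_aggressive() before an IKE_SA is created, run once with the counter updated at creation time and once with it updated only after the burst, which is an assumption standing in for the "returns zero till the end of my burst" behaviour above. The function names mirror the ones in the report; the 192.0.2.10 address, the burst size and the data structures are constructed.

```c
#include <stdio.h>
#include <string.h>

/* Constructed model of a per-peer half-open IKE_SA limit (block_threshold).
 * Hypothetical code, not strongSwan's receiver or ike_sa_manager. */
#define BLOCK_THRESHOLD 2   /* value configured in the report above */
#define MAX_PEERS 4

struct peer { char addr[16]; int half_open; };
/* deferred = 1 models the reported behaviour: the half-open count is only updated after the burst. */
struct manager { struct peer peers[MAX_PEERS]; int npeers; int deferred; };

/* Find or create the per-peer entry (stand-in for the peer hash lookup). */
static struct peer *get_peer(struct manager *m, const char *addr)
{
    for (int i = 0; i < m->npeers; i++) if (strcmp(m->peers[i].addr, addr) == 0) return &m->peers[i];
    if (m->npeers == MAX_PEERS) return NULL;
    struct peer *p = &m->peers[m->npeers++];
    snprintf(p->addr, sizeof(p->addr), "%s", addr);
    p->half_open = 0;
    return p;
}

/* Mirrors get_half_open_count(): half-open IKE_SAs currently known for this peer. */
static int get_half_open_count(struct manager *m, const char *addr)
{
    struct peer *p = get_peer(m, addr);
    return p ? p->half_open : 0;
}

/* Mirrors peer_too_aggressive(): drop IKE_SA_INIT once block_threshold is reached. */
static int peer_too_aggressive(struct manager *m, const char *addr)
{
    return get_half_open_count(m, addr) >= BLOCK_THRESHOLD;
}

/* Feed n back-to-back IKE_SA_INIT messages from one address; returns how many IKE_SAs were created (and answered). */
int sas_created_for_burst(int deferred, const char *addr, int n)
{
    struct manager m = { .deferred = deferred };
    int created = 0;
    for (int i = 0; i < n; i++) {
        struct peer *p = get_peer(&m, addr);
        if (!p || peer_too_aggressive(&m, addr)) continue;   /* blocked: no IKE_SA, no reply */
        created++;
        if (!m.deferred) p->half_open++;   /* counted at creation; in deferred mode it stays 0 for the whole burst */
    }
    return created;
}
```

With the counter updated at creation time a burst of ten IKE_SA_INIT messages yields two IKE_SAs and eight drops; with the deferred counter all ten are created and answered, which is the symptom reported.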