[strongSwan-dev] DoS protection questions

Emeric POUPON emeric.poupon at stormshield.eu
Tue Apr 3 14:44:41 CEST 2018


Hello,

As far as I understand, IKE_SAs are only registered as half-open after the first message has successfully been handled from the job queue.

If we are under a DoS attack (even a small one like 320 packets/s), we end up with a huge amount of jobs in the queue and the system takes hours to recover, which is definitely questionable.

Example:
"2018-02-06 16:14:09" zone=GMT tz=+0000 ntp=Off
  worker threads: 11 of 16 idle, 5/0/0/0 working, job queue: 0/0/0/0, scheduled: 3
"2018-02-06 16:14:19" zone=GMT tz=+0000 ntp=Off
  worker threads: 11 of 16 idle, 5/0/0/0 working, job queue: 0/0/0/0, scheduled: 3
"2018-02-06 16:14:29" zone=GMT tz=+0000 ntp=Off
  worker threads: 0 of 16 idle, 5/0/11/0 working, job queue: 0/0/221/0, scheduled: 3
"2018-02-06 16:14:39" zone=GMT tz=+0000 ntp=Off
  worker threads: 0 of 16 idle, 5/0/11/0 working, job queue: 0/0/3102/0, scheduled: 2
"2018-02-06 16:14:49" zone=GMT tz=+0000 ntp=Off
  worker threads: 0 of 16 idle, 5/0/11/0 working, job queue: 0/0/7137/0, scheduled: 2
...
"2018-02-06 16:25:47" zone=GMT tz=+0000 ntp=Off
  worker threads: 0 of 16 idle, 5/0/11/0 working, job queue: 0/0/122518/0, scheduled: 2
"2018-02-06 16:25:58" zone=GMT tz=+0000 ntp=Off
  worker threads: 0 of 16 idle, 5/0/11/0 working, job queue: 0/0/123698/0, scheduled: 2

Even if charon.block_threshold is set to 5, each time we successfully establish an IKE SA, we can queue a huge amount of pending jobs until the next IKE_SA_INIT is processed to increase the half-open counter.

Questions:
- why is this counter increased after the first message has successfully been handled from the job queue?
- is charon.init_limit_job_load the only relevant setting for DoS protection?

Regards,

Emeric
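
The charon settings the post refers to, shown together as an added strongswan.conf fragment. This is not code from the original post or from the strongSwan project; the option names and the defaults quoted in the comments are those documented for strongswan.conf, while the non-default values chosen here (100 and 1000) are illustrative assumptions, not recommendations.

```conf
# Added example: strongswan.conf fragment collecting the charon options that
# bear on IKE_SA_INIT flooding. Defaults in comments are the documented ones;
# the non-default values below are illustrative assumptions.
charon {
    # Half-open IKE_SAs allowed per peer IP before further IKE_SA_INIT
    # requests from that address are dropped (default 5). Only effective
    # once the half-open counter has actually been incremented.
    block_threshold = 5

    # Total half-open IKE_SAs before IKE_SA_INIT cookies are enforced
    # (default 10). Cookies force the initiator to prove reachability
    # before an IKE_SA is created.
    cookie_threshold = 10

    # Reject new IKE_SA_INIT requests once this many half-open IKE_SAs
    # exist in total (default 0 = disabled). Assumed value.
    init_limit_half_open = 100

    # Reject new IKE_SA_INIT requests once the daemon's job load exceeds
    # this value (default 0 = disabled). Assumed value.
    init_limit_job_load = 1000

    # Seconds after which a half-open IKE_SA is discarded (default 30).
    half_open_timeout = 30

    # Worker threads processing the job queue (default 16).
    threads = 16
}
```

Note that `block_threshold` and `cookie_threshold` both key off the half-open counter, so they share the weakness described in the post: jobs that have not yet been processed do not count. `init_limit_job_load` is the only one of these that looks at the queue itself, which is why it is the setting the post asks about.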