[strongSwan-dev] DoS protection questions

Tobias Brunner tobias at strongswan.org
Wed Apr 4 10:16:41 CEST 2018

Hi Emeric,

> Questions:
> - why is this counter increased after the first message has successfully been handled from the job queue?

The half-open SA counter is increased whenever an IKE_SA object is
checked into the IKE_SA manager after processing (or initiating) an
IKE_SA_INIT request, and reduced when an IKE_SA is checked in after
successfully establishing it with the last IKE_AUTH request.

> - is charon.init_limit_job_load the only relevant setting for DoS protection?

No, there are several others.  The first is charon.cookie_threshold (and
charon.dos_protection), which causes COOKIEs to get returned if the
global number of half-open SAs exceeds the limit, which helps if the
IKE_SA_INITs are sent from fake IPs.  If the requests are sent from real
hosts that actually retry initiating with the returned COOKIE payload
and (if they send multiple requests) modify the nonces/KE payload the
next option is charon.block_threshold, which sets a limit for half-open
SAs per source IP.  Then the next limit is charon.init_limit_half_open,
which drops IKE_SA_INITs if the global half-open SA count exceeds a
certain number.  Similarly, the charon.init_limit_job_load option will
cause IKE_SA_INITs to get dropped if the total number of queued jobs
exceeds a certain number.  Next are options that might help processing
the queued jobs faster, e.g. using hash tables in the IKE_SA manager [1]
and optimizing thread allocation [2].


[1] https://wiki.strongswan.org/projects/strongswan/wiki/IkeSaTable
[2] https://wiki.strongswan.org/projects/strongswan/wiki/JobPriority
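A simplified model of the limits as the reply describes them, added here as an example and not strongSwan's own code: the threshold values are constructed, and the evaluation order and the strict "exceeds" (`>`) comparisons are assumptions taken from the wording above.

```python
from collections import Counter
from dataclasses import dataclass, field

@dataclass
class DosLimits:
    """Constructed values; the field names mirror the strongswan.conf options in the reply."""
    dos_protection: bool = True
    cookie_threshold: int = 3      # global half-open SAs before COOKIEs are demanded
    block_threshold: int = 2       # half-open SAs tolerated per source IP
    init_limit_half_open: int = 8  # global half-open SAs before IKE_SA_INITs are dropped
    init_limit_job_load: int = 4   # queued jobs before IKE_SA_INITs are dropped

@dataclass
class HalfOpenTracker:
    limits: DosLimits
    per_ip: Counter = field(default_factory=Counter)  # half-open SAs per source IP
    queued_jobs: int = 0                               # size of the job queue

    def total(self) -> int:
        return sum(self.per_ip.values())

    def on_ike_sa_init(self, src_ip: str, has_valid_cookie: bool = False) -> str:
        """Classify an incoming IKE_SA_INIT. Evaluation order and '>' tests are assumptions."""
        lim = self.limits
        if lim.init_limit_job_load and self.queued_jobs > lim.init_limit_job_load:
            return "drop:job_load"
        if lim.init_limit_half_open and self.total() > lim.init_limit_half_open:
            return "drop:half_open"
        if lim.dos_protection and not has_valid_cookie and self.total() > lim.cookie_threshold:
            return "cookie"  # spoofed sources never retry, so they never become half-open
        if lim.dos_protection and self.per_ip[src_ip] > lim.block_threshold:
            return "drop:blocked"  # a real host retrying with new nonces/KE ends up here
        self.per_ip[src_ip] += 1  # counter rises when the IKE_SA is checked in after IKE_SA_INIT
        return "accept"

    def on_ike_auth_established(self, src_ip: str) -> None:
        """Counter falls when the IKE_SA is checked in after the final IKE_AUTH."""
        if self.per_ip[src_ip] > 0:
            self.per_ip[src_ip] -= 1

def demo() -> list:
    """Constructed scenario: a flood from distinct IPs, then one host retrying with a COOKIE."""
    t = HalfOpenTracker(DosLimits())
    out = [t.on_ike_sa_init(f"10.0.0.{i}") for i in range(1, 6)]
    out += [t.on_ike_sa_init("10.0.0.5", has_valid_cookie=True) for _ in range(4)]
    t.on_ike_auth_established("10.0.0.1")  # one SA completes, freeing a half-open slot
    t.queued_jobs = 5                      # job queue now exceeds init_limit_job_load
    out.append(t.on_ike_sa_init("10.0.0.6"))
    return out
```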
