[strongSwan-dev] DoS protection questions

Emeric POUPON emeric.poupon at stormshield.eu
Wed Apr 4 10:33:45 CEST 2018

>> - is charon.init_limit_job_load the only relevant setting for DoS protection?
> No, there are several others.  The first is charon.cookie_threshold (and
> charon.dos_protection), which causes COOKIEs to get returned if the
> global number of half-open SAs exceeds the limit, which helps if the
> IKE_SA_INITs are sent from fake IPs.  If the requests are sent from real
> hosts that actually retry initiating with the returned COOKIE payload
> and (if they send multiple requests) modify the nonces/KE payload the
> next option is charon.block_threshold, which sets a limit for half-open
> SAs per source IP.  Then the next limit is charon.init_limit_half_open,
> which drops IKE_SA_INITs if the global half-open SA count exceeds a
> certain number.  Similarly, the charon.init_limit_job_load option will
> cause IKE_SA_INITs to get dropped if the total number of queued jobs
> exceeds a certain number.  Next are options that might help processing
> the queued jobs faster, e.g. using hash tables in the IKE_SA manager [1]
> and optimizing thread allocation [2].
> Regards,
> Tobias
> [1] https://wiki.strongswan.org/projects/strongswan/wiki/IkeSaTable
> [2] https://wiki.strongswan.org/projects/strongswan/wiki/JobPriority


Thanks for your answer.
I know these settings and they look promising. Unfortunately as I said before they seem to be useless since the counter is increased too late in the IKE_SA manager.
We simulated a DoS attack and charon did not handle it well (see the logs in the initial question).

What do you think?


More information about the Dev mailing list