[strongSwan-dev] DoS protection questions
emeric.poupon at stormshield.eu
Wed Apr 4 10:33:45 CEST 2018
>> - is charon.init_limit_job_load the only relevant setting for DoS protection?
> No, there are several others. The first is charon.cookie_threshold (and
> global number of half-open SAs exceeds the limit, which helps if the
> IKE_SA_INITs are sent from fake IPs. If the requests are sent from real
> hosts that actually retry initiating with the returned COOKIE payload
> and (if they send multiple requests) modify the nonces/KE payload the
> next option is charon.block_threshold, which sets a limit for half-open
> SAs per source IP. Then the next limit is charon.init_limit_half_open,
> which drops IKE_SA_INITs if the global half-open SA count exceeds a
> certain number. Similarly, the charon.init_limit_job_load option will
> cause IKE_SA_INITs to get dropped if the total number of queued jobs
> exceeds a certain number. Next are options that might help processing
> the queued jobs faster, e.g. using hash tables in the IKE_SA manager
> and optimizing thread allocation.
> https://wiki.strongswan.org/projects/strongswan/wiki/IkeSaTable
> https://wiki.strongswan.org/projects/strongswan/wiki/JobPriority
Thanks for your answer.
I know these settings and they look promising. Unfortunately as I said before they seem to be useless since the counter is increased too late in the IKE_SA manager.
We simulated a DoS attack and charon did not handle it well (see the logs in the initial question).
What do you think?
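For readers following the thread, the options named in the quoted reply live in strongswan.conf under the charon section. The fragment below is an added example and not from either poster or from the strongSwan project; the numeric values are illustrative choices, not recommendations, and the defaults noted in the comments are my assumption from the strongSwan documentation rather than something stated in the thread.

```conf
# strongswan.conf fragment (added example; values are illustrative)
charon {
    # Return a COOKIE to initiators once this many half-open IKE_SAs exist
    # globally. Spoofed source IPs never complete the cookie exchange.
    # (assumed default: 10)
    cookie_threshold = 10

    # Per-source-IP cap on half-open IKE_SAs; further IKE_SA_INITs from that
    # address are blocked. Helps against real hosts that do retry with the
    # COOKIE. (assumed default: 5)
    block_threshold = 5

    # Drop IKE_SA_INITs outright when the global half-open count exceeds
    # this value. 0 disables the limit. (assumed default: 0)
    init_limit_half_open = 1000

    # Drop IKE_SA_INITs when the number of queued jobs exceeds this value,
    # so the daemon sheds load before the job queue grows unbounded.
    # 0 disables the limit. (assumed default: 0)
    init_limit_job_load = 200

    # Hash-table sizing for the IKE_SA manager (IkeSaTable wiki page).
    # Larger tables and more segments reduce lock contention and lookup
    # time when many half-open SAs exist. (assumed defaults: 1 / 1)
    ikesa_table_size = 256
    ikesa_table_segments = 16

    # Thread reservation per job priority (JobPriority wiki page), so that
    # IKE_SA_INIT floods (low priority) cannot starve rekeying, DPD and
    # other critical work.
    processor {
        priority_threads {
            critical = 4
            high = 2
            medium = 1
        }
    }
}
```

Whether these limits engage early enough is exactly the point Emeric raises above: they act on counters maintained by the IKE_SA manager, so if a flood is costing CPU before the half-open counter is incremented, the cookie and half-open thresholds alone will not bound the load. Checking `charon.init_limit_job_load` and `charon.processor.priority_threads` together with the half-open limits, and observing the job queue length under a controlled test, is the way to confirm which limit actually trips first on a given build.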