[strongSwan-dev] DoS protection questions

Tobias Brunner tobias at strongswan.org
Wed Apr 4 11:12:50 CEST 2018

> I know these settings and they look promising.

Why not use them then?

> Unfortunately as I said before they seem to be useless since the counter is increased too late in the IKE_SA manager.

Yeah, I noticed that it's quite late.  Since strongSwan calculates the
IKE keys while processing the IKE_SA_INIT request (and not e.g. when
processing the IKE_AUTH request) it might be better to increase this
counter when the IKE_SA is checked out.  But even so I guess there could
be lots of packets queued initially until a number of them have been
processed to increase the half-open SA count.  I suppose you could
counter that by some rate limiting in the firewall (e.g. only allow a
few UDP packet/s per source IP).  We currently also don't recheck the
limits when processing queued packets (they are only checked early in
the receiver before they get queued).

> We simulated a DoS attack and charon did not handle it well (see the logs in the initial question).

How exactly?  And what settings did you use on the responder?  (I saw
that there are e.g. only 16 threads and I guess you didn't set a job limit.)


More information about the Dev mailing list