[strongSwan] DOS attack: In case of back to back IKE_SA_INIT messages from attacker strongswan unable to limit HALF_OPEN_IKE_SA to BLOCK_THRESHOLD

Ashutosh Datta ashutoshdatta at gmail.com
Mon Jul 18 14:32:54 CEST 2011


SUBJECT : DOS attack: In case of back to back IKE_SA_INIT messages from
attacker strongswan unable to LIMIT HALF_OPEN_IKE_SA to BLOCK_THRESHOLD
value configured.

I have configured block_threshold to 2, keeping COOKIE_THRESHOLD at a large
value (in order to avoid hitting that condition).
NOTE: I have restarted strongswan after changing the value in
strongswan.conf

But when I flood the strongswan 4.5.0 box with IKE_SA_INIT messages, it keeps
creating IKE_SAs and is only able to apply the limit
if it gets a breather from the burst.

charon->ike_sa_manager->get_half_open_count() is unable to return the
updated value to the calling function peer_too_aggressive()

I printed some logs, and charon->ike_sa_manager->get_half_open_count()
returns zero till the end of my burst, hence strongswan keeps creating IKE_SAs
and also responds to each one of them.


The same works fine in the case of COOKIE_CHALLENGE, as it starts at the
configured packet number.

Does this have something to do with the hash lookup for the matching peer
that happens in the case of BLOCK_THRESHOLD?

--
ashutosh
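For readers who want to reproduce the setup described in this message, the following strongswan.conf fragment is an added example (not posted by the author) showing the charon DoS-protection options involved. The values mirror what the post describes: block_threshold lowered to 2 so that a third half-open IKE_SA from the same peer should be refused, and cookie_threshold raised far above the defaults so that the cookie challenge is never triggered during the test. The default values are given in comments for comparison; the exact high cookie_threshold value (1000) is an assumption, since the post only says "large".

```conf
# /etc/strongswan.conf (added example; values chosen to match the test in the post)
charon {
    # Enable the half-open IKE_SA counters that drive both mechanisms below.
    dos_protection = yes

    # Number of half-open IKE_SAs from all peers before IKE_SA_INIT requests
    # are answered with a COOKIE notify. Default is 10; set high here so the
    # cookie challenge is never reached and only block_threshold is exercised
    # (the post describes this as a "large value"; 1000 is an assumed choice).
    cookie_threshold = 1000

    # Number of half-open IKE_SAs permitted per peer IP before further
    # IKE_SA_INIT requests from that peer are silently dropped. Default is 5;
    # lowered to 2 as in the post, so the third back-to-back IKE_SA_INIT from
    # the same source address should be ignored.
    block_threshold = 2
}
```

After editing the file the daemon has to be restarted (or strongswan.conf re-read) for the new thresholds to take effect, which the post notes was done. With these settings, a burst of IKE_SA_INIT messages from a single address should produce at most two half-open IKE_SAs before subsequent requests are dropped; the post reports that during a tight burst the per-peer count seen by the check stays at zero, so the drop never happens until the burst pauses.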