[strongSwan] DOS attack: In case of back to back IKE_SA_INIT messages from attacker strongswan unable to limit HALF_OPEN_IKE_SA to BLOCK_THRESHOLD
ashutoshdatta at gmail.com
Mon Jul 18 14:32:54 CEST 2011
I have configured block_threshold to 2, keeping COOKIE_THRESHOLD at a large
value (in order to avoid hitting that condition).
NOTE: I have restarted strongswan after changing the value in
But when I flood the strongswan 4.5.0 box with IKE_SA_INIT messages, it keeps
creating IKE_SAs and is able to apply the limit only
if it gets a breather (from the burst).
charon->ike_sa_manager->get_half_open_count() is unable to return the
updated value to the calling function peer_too_aggressive().
I printed some logs, and charon->ike_sa_manager->get_half_open_count()
returns zero till the end of my burst, hence strongswan keeps creating IKE_SAs
and also responds to each one of them.
The same works fine in case of COOKIE_CHALLENGE as it starts at the
configured packet number.
Does this have something to do with the hash lookup for matching peer
happening in case of BLOCK_THRESHOLD?
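The failure mode the post describes (a per-peer limit that only takes effect once the burst pauses) is easiest to see in a small model. The following is an added example written for this page, not strongSwan code: it models IKE_SA_INIT admission control with a per-peer half-open limit (the post's block_threshold) and a global cookie limit (cookie_threshold), and compares a limiter that counts a new half-open SA immediately against one that only makes the count visible after the burst (the `lazy` flag and `flush()` are assumptions used to reproduce the reported behaviour, not an account of charon's internals).

```python
# Added example, not strongSwan code: a simplified model of IKE_SA_INIT
# admission control with a per-peer half-open limit (block_threshold) and a
# global cookie limit (cookie_threshold). The 'lazy' mode is an assumption
# that reproduces the reported symptom: the half-open count read by the
# limiter lags behind the SAs actually being created during a burst.
from collections import Counter
from dataclasses import dataclass, field


@dataclass
class HalfOpenTracker:
    block_threshold: int            # max half-open SAs per peer before dropping
    cookie_threshold: int           # total half-open SAs before demanding a cookie
    lazy: bool = False              # if True, counts become visible only after flush()
    per_peer: Counter = field(default_factory=Counter)
    pending: list = field(default_factory=list)

    def total(self) -> int:
        return sum(self.per_peer.values())

    def peer_too_aggressive(self, peer: str) -> bool:
        # Per-peer check; relies entirely on the count being up to date.
        return self.per_peer[peer] >= self.block_threshold

    def needs_cookie(self) -> bool:
        return self.total() >= self.cookie_threshold

    def handle_init(self, peer: str) -> str:
        """Decide what to do with one IKE_SA_INIT: 'cookie', 'drop' or 'create'."""
        if self.needs_cookie():
            return "cookie"
        if self.peer_too_aggressive(peer):
            return "drop"
        if self.lazy:
            # Symptom model: the SA is created but not yet counted.
            self.pending.append(peer)
        else:
            # Correct behaviour: count the SA before the next packet is seen.
            self.per_peer[peer] += 1
        return "create"

    def flush(self) -> None:
        """The 'breather': deferred half-open SAs finally become countable."""
        for p in self.pending:
            self.per_peer[p] += 1
        self.pending.clear()


def simulate_burst(tracker: HalfOpenTracker, peer: str, n: int) -> Counter:
    """Feed n back-to-back IKE_SA_INITs from one peer; return decision counts."""
    return Counter(tracker.handle_init(peer) for _ in range(n))


if __name__ == "__main__":
    # Constructed input: one peer address, a burst of 10 initiations.
    eager = HalfOpenTracker(block_threshold=2, cookie_threshold=1000)
    print("eager :", dict(simulate_burst(eager, "10.0.0.5", 10)))
    lazy = HalfOpenTracker(block_threshold=2, cookie_threshold=1000, lazy=True)
    print("lazy  :", dict(simulate_burst(lazy, "10.0.0.5", 10)))
    lazy.flush()
    print("after breather:", lazy.handle_init("10.0.0.5"))
```

With block_threshold=2 the eager tracker creates two SAs and drops the remaining eight; the lazy tracker creates all ten and only starts dropping after `flush()`, which is the "applies the limit only if it gets a breather" behaviour from the report. The global cookie check does not have this problem in the model because it is evaluated against the same counter, so whichever of the two counts is updated promptly enforces its threshold on time.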