[strongSwan] DOS attack: In case of back to back IKE_SA_INIT messages from attacker strongswan unable to limit HALF_OPEN_IKE_SA to BLOCK_THRESHOLD

Martin Willi martin at strongswan.org
Mon Jul 25 13:49:09 CEST 2011


> I have configured the block_threshold to 2 keeping COOKIE_THRESHOLD to
> large value (in order to avoid hitting that condition).

I don't think it makes a lot of sense to use block_threshold without
cookie_threshold. The cookie mechanism makes sure that a DoS attacker
can't create state on the server with a faked sender IP addresses. The
block_threshold limits the number of connections once the address has
been verified. The block_threshold is useless without cookie_threshold,
as an attacker can use faked source addresses that are not covered by
the block_threshold mechanism.

If you want to limit legitimate connection attempts to a certain level,
you might have a look at IKE_SA_INIT dropping [1] that we'll introduce
with the next release.



More information about the Users mailing list