[strongSwan] DOS attack: In case of back to back IKE_SA_INIT messages from attacker strongswan unable to limit HALF_OPEN_IKE_SA to BLOCK_THRESHOLD
Martin Willi
martin at strongswan.org
Mon Jul 25 13:49:09 CEST 2011
Hi,
> I have configured the block_threshold to 2 keeping COOKIE_THRESHOLD to
> large value (in order to avoid hitting that condition).
I don't think it makes a lot of sense to use block_threshold without
cookie_threshold. The cookie mechanism makes sure that a DoS attacker
can't create state on the server with a faked sender IP addresses. The
block_threshold limits the number of connections once the address has
been verified. The block_threshold is useless without cookie_threshold,
as an attacker can use faked source addresses that are not covered by
the block_threshold mechanism.
If you want to limit legitimate connection attempts to a certain level,
you might have a look at IKE_SA_INIT dropping [1] that we'll introduce
with the next release.
Regards
Martin
[1]http://wiki.strongswan.org/projects/strongswan/wiki/JobPriority#IKE_SA_INIT-dropping
More information about the Users
mailing list