Re: some issues about IPSec
A different approach would be to transmit an Informational message that would
disrupt a current exchange. This would only require the ability to monitor for an
ISAKMP/Oakley exchange and insert the Informational message (created from
the monitored data) at the appropriate time. In other words, no need to reveal
your IP address.
Theodore Y. Ts'o wrote:
> Date: Mon, 26 Jan 1998 12:41:57 -0800
> From: Daniel Harkins <dharkins@cisco.com>
>
> Since the responder won't begin exponentiation until receipt of the 2nd
> message (which contains his cookie which he passed in the 1st) he at least
> knows there's a peer at a particular IP address which "speaks" ISAKMP.
> Therefore the SGW won't do the actual exponentiation if barraged with
> hundreds of ISAKMP packets with spoofed source addresses. The attacker
> has to receive the 1st response from the SGW and reply properly to get
> the SGW to exponentiate. It might be easy to track down such an attacker
> in this situation.
>
> Just to amplify a particular point which Dan made here. The key here is
> that it's much harder to do a denial of service attack without revealing
> your IP address, which presumably would make it much easier to trace
> things back to you. At this point, one can use out-of-band methods of
> security enforcement. :-)
>
> - Ted
--
David W. Faucher
Lucent Technologies - Bell Labs
dfaucher@lucent.com
(515) 747-8617
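To make Dan's point about the cookie round trip concrete, here is an added illustration (not code from this thread or from any ISAKMP implementation) of a responder that performs no exponentiation until its own cookie comes back. It assumes a cookie built as an HMAC-SHA256 of the claimed source address under a local secret, truncated to ISAKMP's 8 bytes, and a counter standing in for the real Diffie-Hellman work.

```python
import hmac
import hashlib
import os

class CookieResponder:
    """Illustrative responder: it refuses to run the Diffie-Hellman
    exponentiation until the initiator echoes the responder's cookie.
    The cookie is a keyed hash of the peer address (the construction
    RFC 2408 suggests), so no per-peer state exists before message 2
    and a forged source address can never complete the round trip."""

    def __init__(self, secret=None):
        self.secret = secret or os.urandom(32)
        self.exponentiations = 0  # stand-in for expensive DH operations performed

    def make_cookie(self, src_ip, src_port):
        # 8-byte cookie, as in ISAKMP, bound to the claimed source address/port
        mac = hmac.new(self.secret, f"{src_ip}:{src_port}".encode(), hashlib.sha256)
        return mac.digest()[:8]

    def handle_msg1(self, src_ip, src_port):
        """Message 1 arrives: answer with our cookie and do no DH work."""
        return self.make_cookie(src_ip, src_port)

    def handle_msg2(self, src_ip, src_port, responder_cookie):
        """Message 2 arrives: only a peer that really received the message 1
        reply at src_ip can echo the right cookie; only then exponentiate."""
        expected = self.make_cookie(src_ip, src_port)
        if not hmac.compare_digest(expected, responder_cookie):
            return False  # dropped: no state consumed, no exponentiation
        self.exponentiations += 1  # the real DH exponentiation would go here
        return True

def spoofed_flood(responder, n):
    """Constructed traffic: n first messages from forged addresses. Each gets
    a cookie back, but the forged address never sees it, so nothing follows."""
    for i in range(n):
        responder.handle_msg1(f"10.0.{i // 256}.{i % 256}", 500)
    return responder.exponentiations

def honest_exchange(responder, ip, port):
    """A genuine peer completes the round trip with the cookie it received."""
    cookie = responder.handle_msg1(ip, port)
    return responder.handle_msg2(ip, port, cookie)
```

The flood of first messages costs the responder only cheap hashes, and a second message carrying a guessed cookie is dropped before any expensive work.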