
Re: Future ISAKMP Denial of Service Vulnerability Needs Addressing



On Mon, Jan 31, 2000 at 07:16:32AM -0600, Mike Borella wrote:

> Can anybody provide a description of or a pointer to this attack?

	One pointer that was provided to me is this paper:

http://www.sandelman.ottawa.on.ca/linux-ipsec/html/1999/06/msg00319.html

	It's not the most objective paper that I've read (hostile and
political are two terms that come immediately to mind), but it does
contain the source to "cookie_crumb".  The source takes a little effort
to get to work.  You have to change some port numbers and (if you are not
on BSD) change a function call from arc4random to random.  Once it's
compiled for the correct port number (500 instead of 5000), it's
pretty effective at knocking IKE on its butt.  It doesn't seem to be
as bad as the original author made it out to be.  I didn't see any
of the "100% CPU utilization" reported by the author and as soon as
the attack stops the system recovers.  It doesn't seem to radically slow
the operating system itself, beyond sucking up some significant bandwidth,
but it does shut down your ability to key or rekey.  This was Pluto on
Linux that I was initially testing against.  I'm going after other
implementations next and looking at some of the other issues raised
in this paper.

> -Mike

	[...]

	Mike
-- 
 Michael H. Warfield    |  (770) 985-6132   |  mhw@WittsEnd.com
  (The Mad Wizard)      |  (770) 331-2437   |  http://www.wittsend.com/mhw/
  NIC whois:  MHW9      |  An optimist believes we live in the best of all
 PGP Key: 0xDF1DD471    |  possible worlds.  A pessimist is sure of it!
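The message above describes a flood of unauthenticated first-message ISAKMP packets against UDP port 500 that eats bandwidth and stops a peer from keying or rekeying. The following is an added example, not part of the original message or of any of the tools it mentions, showing how a defender could spot such a flood from captured traffic: it parses the fixed 28-byte ISAKMP header (RFC 2408 layout), treats packets whose responder cookie is all zeros as new-exchange attempts, and flags any source that opens more new exchanges per second than a threshold. The IP addresses, timestamps, threshold and packet payloads are constructed for the example.

```python
import struct
from collections import defaultdict

# RFC 2408 fixed ISAKMP header: initiator cookie (8), responder cookie (8),
# next payload (1), version (1), exchange type (1), flags (1),
# message ID (4), length (4); network byte order, 28 bytes total.
ISAKMP_HDR = struct.Struct("!8s8sBBBBII")
ISAKMP_PORT = 500
ZERO_COOKIE = b"\x00" * 8


def parse_isakmp_header(data):
    """Decode the fixed ISAKMP header; raise ValueError on a truncated packet."""
    if len(data) < ISAKMP_HDR.size:
        raise ValueError("short ISAKMP header")
    (icookie, rcookie, next_payload, version,
     exch_type, flags, msg_id, length) = ISAKMP_HDR.unpack_from(data)
    return {
        "initiator_cookie": icookie,
        "responder_cookie": rcookie,
        "next_payload": next_payload,
        "major_version": version >> 4,
        "minor_version": version & 0x0F,
        "exchange_type": exch_type,
        "flags": flags,
        "message_id": msg_id,
        "length": length,
    }


def is_new_exchange(hdr):
    """An all-zero responder cookie marks the initiator's first message,
    i.e. a packet the responder has not been able to authenticate yet."""
    return hdr["responder_cookie"] == ZERO_COOKIE


def find_flooding_sources(packets, window_seconds=1.0, threshold=20):
    """packets: iterable of (timestamp, src_ip, dst_udp_port, payload_bytes).
    Returns {src_ip: peak new-exchange count within any window} for sources
    whose peak reaches the threshold."""
    starts = defaultdict(list)
    for ts, src, dport, payload in packets:
        if dport != ISAKMP_PORT:
            continue  # not IKE traffic
        try:
            hdr = parse_isakmp_header(payload)
        except ValueError:
            continue  # malformed/truncated, ignore for this count
        if is_new_exchange(hdr):
            starts[src].append(ts)

    flagged = {}
    for src, times in starts.items():
        times.sort()
        lo, peak = 0, 0
        for hi in range(len(times)):
            # sliding window: drop timestamps older than window_seconds
            while times[hi] - times[lo] > window_seconds:
                lo += 1
            peak = max(peak, hi - lo + 1)
        if peak >= threshold:
            flagged[src] = peak
    return flagged


def make_first_message(counter):
    """Constructed main-mode first message: fresh initiator cookie, zero
    responder cookie, next payload 1 (SA), version 1.0, exchange type 2."""
    icookie = struct.pack("!Q", 0x1000 + counter)
    return ISAKMP_HDR.pack(icookie, ZERO_COOKIE, 1, 0x10, 2, 0, 0, ISAKMP_HDR.size)


def build_sample_traffic():
    """Constructed capture: one legitimate peer opening three exchanges over
    ten seconds, one source opening fifty in half a second, plus noise."""
    pkts = []
    for i, ts in enumerate((0.0, 5.0, 10.0)):            # normal rekeying pace
        pkts.append((ts, "192.0.2.10", ISAKMP_PORT, make_first_message(i)))
    for i in range(50):                                   # flood of new exchanges
        pkts.append((2.0 + 0.01 * i, "198.51.100.7", ISAKMP_PORT,
                     make_first_message(100 + i)))
    pkts.append((3.0, "203.0.113.5", 53, b"not isakmp"))  # other UDP traffic
    pkts.append((3.5, "203.0.113.6", ISAKMP_PORT, b"\x00" * 10))  # truncated
    return pkts


if __name__ == "__main__":
    for src, peak in find_flooding_sources(build_sample_traffic()).items():
        print(f"{src}: {peak} new ISAKMP exchanges within one second")
```

The threshold is deliberately a parameter: a busy gateway legitimately sees bursts of new exchanges after a reboot, so tune it against your own baseline before alerting on it. Counting only zero-responder-cookie packets keeps the detector focused on the unauthenticated phase the message is concerned with, rather than on established peers exchanging traffic.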


