[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]
Re: IPSEC Security Gateways & NAT
As I said, this same attack can happen without NAT. A (non-NAT'ed)
host can send lots of IKE messages from 'random' ports. However they
have to be listening on each port in order to receive message 2 (with
the responder cookie) and then send off message 3 in order to cause
the responder to do any work. NAT doesn't change the viability of
this attack.
As I said before, if the responder is being attacked in this way, you
throttle back by IP Address.
-derek
"Chen, David" <dchen@ellacoya.com> writes:
> Derek,
>
> What I mean is, in order to traverse NAT, the responder has
> to respond a potential attacker that (may not behind NAT)
> initiates lots of (different) message1 and 3 by using only one
> SIP and different source port number.
> After this,
> the attacker still get the responder busy at DH key generation? (message 4)
>
> Regards,
>
> --- David
>
> -----Original Message-----
> From: Derek Atkins [mailto:warlord@MIT.EDU]
> Sent: Friday, June 15, 2001 12:25 PM
> To: Chen, David
> Cc: 'Dan Harkins'; ipsec@lists.tislabs.com
> Subject: Re: IPSEC Security Gateways & NAT
>
>
> "Chen, David" <dchen@ellacoya.com> writes:
>
> > Derek,
> >
> > Consider the case:
> > host<->NAT-WG<==>SG (responder)
> >
> >
> > The NAT device changes all the SourceIP address to its own
> > visible SrouceIP address.
>
> Yes, but each host behind the NAT device will have a unique port
> number on the NAT device.. Let's say we have:
>
> host1\
> host2 +-<=> NAT <=> SG (responder)
> host3/
>
> The SG will still see three unique addr/port pairs (because the NAT
> box will map host1/500 to NAT_ext/port1, host2/500 to NAT_ext/port2,
> etc). So the SG can still assign cookies individually.
>
> > Since it is possible have several hosts are IKE initiator,
> > it seems the IKE has to accept as many as messages
> > the initiator sent with the same SIP address.
>
> No, because the responder should generate a cookie based upon the
> source ip address _AND PORT_ obtained in message 1 (indeed, it could
> also be based on the initiator cookie, but that doesn't buy the
> responder much). As I just pointed out, the responder can still
> uniquely identify the individual initiators behind the NAT gateway
> based upon the unique port numbers. So an attacker would still have
> to present the correct cookie in message 3 based upon the port number
> the NAT box gives it.
>
> > The DOS attacker can using the same IP address and
> > sending lots of 1 and 3 IKE messages to
> > SG (with *HDR* variations)?
>
> If an attack exists here, NAT doesn't help (or hurt). If an initiator
> can send multiple message-3 requests based on a single message-1
> cookie, then such an attack exists regardless of whether or not NAT is
> being used. There is a simple remedy to this attack:
>
> a) base the responder cookie on:
> i) the source ip address
> ii) the source port
> iii) the initiator cookie
> b) cache the message 4 response to message 3
>
> Then if you get a 'duplicate' message 3 (where 'duplicate' means same
> same initiator/responder cookies) and the responder cookie verifies,
> the responder need only re-send the message 4 response without any
> additional work. Similarly, if the responder cookie does not verify,
> then something changed and the message can be dropped summarily.
>
> Using NAT doesn't change this behavior, and it still works fine.
> Indeed, this protection mechanism will still work, too.
>
> The only problem you have with NAT (in terms of DoS attacks) is that
> if one host is spewing tons of message-1's to a SG, you cannot figure
> out that it is host2 vs. host1, so you have to throttle ALL hosts
> behind the NAT box.
>
> > Regards,
> >
> > --- David
>
> -derek
>
> --
> Derek Atkins, SB '93 MIT EE, SM '95 MIT Media Laboratory
> Member, MIT Student Information Processing Board (SIPB)
> URL: http://web.mit.edu/warlord/ PP-ASEL-IA N1NWH
> warlord@MIT.EDU PGP key available
--
Derek Atkins, SB '93 MIT EE, SM '95 MIT Media Laboratory
Member, MIT Student Information Processing Board (SIPB)
URL: http://web.mit.edu/warlord/ PP-ASEL-IA N1NWH
warlord@MIT.EDU PGP key available
References: