[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Re: IPSEC Security Gateways & NAT

To: "Chen, David" <dchen@ellacoya.com>
Subject: Re: IPSEC Security Gateways & NAT
From: Derek Atkins <warlord@mit.edu>
Date: 15 Jun 2001 13:01:48 -0400
Cc: "'Dan Harkins'" <dharkins@lounge.org>, ipsec@lists.tislabs.com
In-Reply-To: "Chen, David"'s message of "Fri, 15 Jun 2001 12:52:32 -0400"
References: <85D31AAF3DFCD4119C44000102C009707DD775@mail.ellacoya.com>
Sender: owner-ipsec@lists.tislabs.com

As I said, this same attack can happen without NAT.  A (non-NAT'ed)
host can send lots of IKE messages from 'random' ports.  However they
have to be listening on each port in order to receive message 2 (with
the responder cookie) and then send off message 3 in order to cause
the responder to do any work.  NAT doesn't change the viability of
this attack.

As I said before, if the responder is being attacked in this way, you
throttle back by IP Address.

-derek

"Chen, David" <dchen@ellacoya.com> writes:

> Derek,
> 
> What I mean is, in order to traverse NAT, the responder has
> to respond a potential attacker that (may not behind NAT)
> initiates lots of (different) message1 and 3 by using only one
> SIP and different source port number.
> After this, 
> the attacker still get the responder busy at DH key generation? (message 4)
> 
> Regards,
> 
> --- David
> 
> -----Original Message-----
> From: Derek Atkins [mailto:warlord@MIT.EDU]
> Sent: Friday, June 15, 2001 12:25 PM
> To: Chen, David
> Cc: 'Dan Harkins'; ipsec@lists.tislabs.com
> Subject: Re: IPSEC Security Gateways & NAT
> 
> 
> "Chen, David" <dchen@ellacoya.com> writes:
> 
> > Derek,
> > 
> > Consider the case: 
> > host<->NAT-WG<==>SG (responder)
> > 
> > 
> > The NAT device changes all the SourceIP address to its own
> > visible SrouceIP address.
> 
> Yes, but each host behind the NAT device will have a unique port
> number on the NAT device..  Let's say we have:
> 
>  host1\
>  host2 +-<=> NAT <=> SG (responder)
>  host3/
> 
> The SG will still see three unique addr/port pairs (because the NAT
> box will map host1/500 to NAT_ext/port1, host2/500 to NAT_ext/port2,
> etc).  So the SG can still assign cookies individually.
> 
> > Since it is possible have several hosts are IKE initiator,
> > it seems the IKE has to accept as many as messages
> > the initiator sent with the same SIP address.
> 
> No, because the responder should generate a cookie based upon the
> source ip address _AND PORT_ obtained in message 1 (indeed, it could
> also be based on the initiator cookie, but that doesn't buy the
> responder much).  As I just pointed out, the responder can still
> uniquely identify the individual initiators behind the NAT gateway
> based upon the unique port numbers.  So an attacker would still have
> to present the correct cookie in message 3 based upon the port number
> the NAT box gives it.
> 
> > The DOS attacker can using the same IP address and
> > sending lots of 1 and 3 IKE messages to
> > SG (with *HDR* variations)?
> 
> If an attack exists here, NAT doesn't help (or hurt).  If an initiator
> can send multiple message-3 requests based on a single message-1
> cookie, then such an attack exists regardless of whether or not NAT is
> being used.  There is a simple remedy to this attack:
> 
> 	a) base the responder cookie on:
> 		i) the source ip address
> 		ii) the source port
> 		iii) the initiator cookie
> 	b) cache the message 4 response to message 3
> 
> Then if you get a 'duplicate' message 3 (where 'duplicate' means same
> same initiator/responder cookies) and the responder cookie verifies,
> the responder need only re-send the message 4 response without any
> additional work.  Similarly, if the responder cookie does not verify,
> then something changed and the message can be dropped summarily.
> 
> Using NAT doesn't change this behavior, and it still works fine.
> Indeed, this protection mechanism will still work, too.
> 
> The only problem you have with NAT (in terms of DoS attacks) is that
> if one host is spewing tons of message-1's to a SG, you cannot figure
> out that it is host2 vs. host1, so you have to throttle ALL hosts
> behind the NAT box.
> 
> > Regards,
> > 
> > --- David
> 
> -derek
> 
> -- 
>        Derek Atkins, SB '93 MIT EE, SM '95 MIT Media Laboratory
>        Member, MIT Student Information Processing Board  (SIPB)
>        URL: http://web.mit.edu/warlord/    PP-ASEL-IA     N1NWH
>        warlord@MIT.EDU                        PGP key available

-- 
       Derek Atkins, SB '93 MIT EE, SM '95 MIT Media Laboratory
       Member, MIT Student Information Processing Board  (SIPB)
       URL: http://web.mit.edu/warlord/    PP-ASEL-IA     N1NWH
       warlord@MIT.EDU                        PGP key available

References:

RE: IPSEC Security Gateways & NAT

From: "Chen, David" <dchen@ellacoya.com>

Prev by Date: RE: IPSEC Security Gateways & NAT
Next by Date: RE: IPSEC Security Gateways & NAT
Prev by thread: RE: IPSEC Security Gateways & NAT
Next by thread: RE: IPSEC Security Gateways & NAT
Index(es):
- Main
- Thread