
RE: IPSEC Security Gateways & NAT



Derek,

The trouble is the responder cannot tell
if this is an attack or just lots of users behind the
same NAT trying to connect at the same time.

In addition, the DDOS can involve many SIP attacks at the same time.
Even throttling on an address does not help to prevent an attack using
many SIP addresses.

For messages 1 and 2, the attacker and responder will use (approx.) equal
resources, but messages 3 and 4 are the attacker's goal, and it will still
be able to do this.

Maybe the initiator's IP address needs to be linked with auth?

--- David


-----Original Message-----
From: Derek Atkins [mailto:warlord@mit.edu]
Sent: Friday, June 15, 2001 1:02 PM
To: Chen, David
Cc: 'Dan Harkins'; ipsec@lists.tislabs.com
Subject: Re: IPSEC Security Gateways & NAT


As I said, this same attack can happen without NAT.  A (non-NAT'ed)
host can send lots of IKE messages from 'random' ports.  However they
have to be listening on each port in order to receive message 2 (with
the responder cookie) and then send off message 3 in order to cause
the responder to do any work.  NAT doesn't change the viability of
this attack.

As I said before, if the responder is being attacked in this way, you
throttle back by IP Address.

-derek
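As an added illustration (not code from either poster), a toy Python model of the cookie exchange Derek describes and the per-IP throttle he proposes, assuming a cookie computed as an HMAC over the initiator's (address, port); run_nat_scenario shows David's objection, since several legitimate users behind one NAT share the throttled address.

```python
import hmac
import hashlib
import secrets
from collections import defaultdict


class Responder:
    """Stateless responder: keeps no per-initiator state until the initiator
    echoes a cookie bound to the (address, port) it was sent to (assumed model)."""

    def __init__(self, per_ip_limit=3):
        self.secret = secrets.token_bytes(16)      # rotated in a real responder
        self.per_ip_limit = per_ip_limit
        self.inflight = defaultdict(int)            # expensive handshakes per source IP
        self.sessions = 0

    def cookie(self, src_ip, src_port):
        msg = f"{src_ip}:{src_port}".encode()
        return hmac.new(self.secret, msg, hashlib.sha256).digest()[:8]

    def message1(self, src_ip, src_port):
        # Cheap: one HMAC and no stored state; the cookie goes back in message 2.
        return self.cookie(src_ip, src_port)

    def message3(self, src_ip, src_port, echoed_cookie):
        # Only a peer that actually received message 2 at (ip, port) can echo
        # the right cookie, so spoofed sources are rejected before any real work.
        if not hmac.compare_digest(echoed_cookie, self.cookie(src_ip, src_port)):
            return "bad-cookie"
        # Derek's mitigation: throttle by IP address once message 3 arrives.
        if self.inflight[src_ip] >= self.per_ip_limit:
            return "throttled"
        self.inflight[src_ip] += 1
        self.sessions += 1        # the costly DH / authentication work would happen here
        return "accepted"


def run_nat_scenario(n_clients, nat_ip="203.0.113.1", limit=3):
    """n legitimate clients behind one NAT (constructed address), each on its
    own translated port; the responder sees one source IP for all of them."""
    r = Responder(per_ip_limit=limit)
    results = []
    for port in range(40000, 40000 + n_clients):
        c = r.message1(nat_ip, port)
        results.append(r.message3(nat_ip, port, c))
    return results
```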

