>> - is charon.init_limit_job_load the only relevant setting for DoS protection?
>
> No, there are several others. The first is charon.cookie_threshold (and
> charon.dos_protection), which causes COOKIEs to get returned if the
> global number of half-open SAs exceeds the limit, which helps if the
> IKE_SA_INITs are sent from fake IPs. If the requests are sent from real
> hosts that actually retry initiating with the returned COOKIE payload
> and (if they send multiple requests) modify the nonces/KE payload, the
> next option is charon.block_threshold, which sets a limit for half-open
> SAs per source IP. Then the next limit is charon.init_limit_half_open,
> which drops IKE_SA_INITs if the global half-open SA count exceeds a
> certain number. Similarly, the charon.init_limit_job_load option will
> cause IKE_SA_INITs to get dropped if the total number of queued jobs
> exceeds a certain number. Next are options that might help processing
> the queued jobs faster, e.g. using hash tables in the IKE_SA manager [1]
> and optimizing thread allocation [2].
>
> Regards,
> Tobias
>
> [1] https://wiki.strongswan.org/projects/strongswan/wiki/IkeSaTable
> [2] https://wiki.strongswan.org/projects/strongswan/wiki/JobPriority
Hello,

Thanks for your answer. I know these settings and they look promising. Unfortunately, as I said before, they seem to be useless since the counter is increased too late in the IKE_SA manager. We simulated a DoS attack and charon did not handle it well (see the logs in the initial question).

What do you think?

Emeric
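For reference, the layered options Tobias lists, written out together as a strongswan.conf fragment. This is an added illustration, not a configuration posted in this thread; the numeric values are assumptions chosen to show the ordering of the layers, not values recommended by either poster.

```conf
# strongswan.conf fragment (added example; values are illustrative assumptions)
charon {
    # Layer 1: once this many half-open IKE_SAs exist globally, answer
    # IKE_SA_INIT with a COOKIE notify instead of allocating state. Only a
    # peer that retries with the COOKIE gets an SA, which filters out
    # requests sent from spoofed source addresses.
    dos_protection = yes
    cookie_threshold = 10

    # Layer 2: cap on half-open IKE_SAs per source IP, for real hosts that
    # do return the COOKIE and keep sending new IKE_SA_INITs.
    block_threshold = 5

    # Layer 3: global cap on half-open IKE_SAs; further IKE_SA_INITs are
    # dropped while the count is above this (0 disables the limit).
    init_limit_half_open = 1000

    # Layer 4: drop IKE_SA_INITs while the job queue is longer than this
    # (0 disables the limit), so queued work is not allowed to grow unbounded.
    init_limit_job_load = 200
}
```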
