SUBJECT: DoS attack: in case of back-to-back IKE_SA_INIT messages from an
attacker, strongSwan is unable to limit HALF_OPEN_IKE_SA to the configured
BLOCK_THRESHOLD value.

I have configured block_threshold to 2, keeping COOKIE_THRESHOLD at a large
value (in order to avoid hitting that condition).
NOTE: I have restarted strongSwan after changing the value in
strongswan.conf.

But when I flood the strongSwan 4.5.0 box with IKE_SA_INIT messages, it keeps
creating IKE_SAs and is able to apply the limit only
if it gets a breather (from the burst).

charon->ike_sa_manager->get_half_open_count() is unable to return the
updated value to the calling function peer_too_aggressive().

I printed some logs, and charon->ike_sa_manager->get_half_open_count()
returns zero till the end of my burst, hence strongSwan keeps creating IKE_SAs
and also responds to each one of them.


The same works fine in the case of COOKIE_CHALLENGE, as it starts at the
configured packet number.

Does this have something to do with the hash lookup for the matching peer
happening in the case of BLOCK_THRESHOLD?

--
ashutosh
_______________________________________________
Users mailing list
[email protected]
https://lists.strongswan.org/mailman/listinfo/users
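The behaviour described in the post, as an added toy model rather than strongSwan's own code: a responder that applies a per-peer block_threshold and a global cookie_threshold to incoming IKE_SA_INIT requests. The class and function names (IkeResponder, get_half_open_count, peer_too_aggressive, cookie_required, handle_ike_sa_init, checkin_pending, flood) are hypothetical stand-ins, not charon's API, and the count_at_checkin switch only reproduces the symptom the poster observed (the per-peer half-open count staying at zero until the burst ends); it makes no claim about the actual cause inside strongSwan 4.5.0. The constructed flood of a single attacker address shows why a limit that reads a lagging counter lets the whole burst through while a counter updated at creation time stops it at the configured value.

```python
from collections import defaultdict

COOKIE = "cookie_challenge"   # responder answers with a COOKIE notify
DROP = "dropped"              # responder silently drops the request
CREATE = "ike_sa_created"     # responder allocates a half-open IKE_SA


class IkeResponder:
    """Toy IKE_SA_INIT rate limiter (constructed example, not strongSwan code).

    block_threshold  : max half-open IKE_SAs per peer before requests are dropped
    cookie_threshold : total half-open IKE_SAs before a cookie challenge is sent
    count_at_checkin : if True, the per-peer count is only updated when the
                       pending SAs are "checked in" (models the lag the post reports)
    """

    def __init__(self, block_threshold, cookie_threshold, count_at_checkin=False):
        self.block_threshold = block_threshold
        self.cookie_threshold = cookie_threshold
        self.count_at_checkin = count_at_checkin
        self.half_open_total = 0                       # drives cookie_threshold
        self.half_open_by_peer = defaultdict(int)      # drives block_threshold
        self.uncounted = []                            # created but not yet checked in

    def get_half_open_count(self, peer=None):
        """Global count when peer is None, otherwise the count for that peer."""
        if peer is None:
            return self.half_open_total
        return self.half_open_by_peer[peer]

    def peer_too_aggressive(self, peer):
        return (self.block_threshold > 0
                and self.get_half_open_count(peer) >= self.block_threshold)

    def cookie_required(self):
        return (self.cookie_threshold > 0
                and self.get_half_open_count() >= self.cookie_threshold)

    def handle_ike_sa_init(self, peer, has_valid_cookie=False):
        """Decide what to do with one IKE_SA_INIT request from `peer`."""
        if self.cookie_required() and not has_valid_cookie:
            return COOKIE
        if self.peer_too_aggressive(peer):
            return DROP
        # Allocate the half-open SA. The global counter is always updated
        # immediately; the per-peer counter may lag depending on the mode.
        self.half_open_total += 1
        if self.count_at_checkin:
            self.uncounted.append(peer)
        else:
            self.half_open_by_peer[peer] += 1
        return CREATE

    def checkin_pending(self):
        """Flush deferred per-peer counts (the 'breather' after a burst)."""
        for peer in self.uncounted:
            self.half_open_by_peer[peer] += 1
        self.uncounted.clear()


def flood(responder, peer, n):
    """Send n back-to-back IKE_SA_INIT requests from one address (constructed burst)."""
    return [responder.handle_ike_sa_init(peer) for _ in range(n)]


if __name__ == "__main__":
    attacker = "192.0.2.10"   # constructed attacker address
    prompt = IkeResponder(block_threshold=2, cookie_threshold=1000)
    print("counted at creation:", flood(prompt, attacker, 6))
    lagging = IkeResponder(block_threshold=2, cookie_threshold=1000, count_at_checkin=True)
    print("counted at checkin :", flood(lagging, attacker, 6))
    print("per-peer count during burst:", lagging.get_half_open_count(attacker))
    lagging.checkin_pending()
    print("per-peer count after breather:", lagging.get_half_open_count(attacker))
```

Running the block prints two creates followed by drops for the prompt responder, six creates for the lagging one, and a per-peer count that only becomes non-zero after checkin_pending() runs; with a low cookie_threshold the cookie challenge still kicks in at the configured packet number in both modes, because the global counter is updated at creation time in this model.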
