|Main Archive Page > Month Archives > ipsec archives|
The cookie mechanism is far from useless. Given a fixed amount of "attacking resources", you can mount a far greater volume of spoofed- IP attacks than you can legitimate IP address attacks. Enforcing a return IP address also makes features like "only 3 half-open SAs from a single IP address" more feasible.
I think hash cookies are the best way to get something that scales well enough to defeat DDoS attacks.
On Nov 29, 2007, at 12:54 AM, Hisyam F. wrote:
> Hi Yoav,
> Thanks for the reply. Since the attack from legitimate node(s) is
> feasible, I agree on your statement that each individual (recepient)
> should implements defensive mechanism against such attack.
> Nevertheless, I would like to ask your opinion regarding the IKEv2
> message exchange. As stated in your previous reply, there were
> several works have been done in combating DoS i.e., HASH cookie
> mechanism etc. It seems that in order to defeat DoS attack, each
> technique in literature suggests the initiator to authenticate him/
> herself (prove the identity) to the respective responder by
> returning the correct cookie. However, I think that this
> verification method is efficient to certain degrees subject to the
> assumption that an attack is mounted from malicious attacker with
> spoofed ID. Since this is not applicable to DDoS as each nodes can
> have legitimate ID, does it means it is impossible (I hope not) for
> us to propose a better approach for IKEv2?
> ----- Original Message ----
> From: Yoav Nir <email@example.com>
> To: Hisyam F. <firstname.lastname@example.org>; email@example.com
> Sent: Thursday, 29 November, 2007 12:53:14 AM
> Subject: Re: [IPsec] IKEv2 - possible attack from legitimate node(s)?
> Hi Hisyam.
> An attack like this is very feasible, and the IKEv2 protocol does
> not have any protection against it. Individual implementations could
> have some protections, such as limiting the amount of half-open SAs
> from a particular IP address, or limiting the amount of IKE SAs from
> a particular peer.
> Years ago, there were some proposals for securing against a DoS
> attack by, for example replacing the cookie with a hash of the
> cookie and a partial pre-image (say, all the cookie save the last 32
> bits). This would force the client to brute-force the cookie
> (taking on average 2^31 hash operations), by levying a 1-CPU-second
> "tax" on each connecting client. This proposal died, I think
> because of all kinds of patents surrounding such technology.
> On Nov 27, 2007, at 6:07 AM, Hisyam F. wrote:
>> I'm relatively new to IPsec. I would like to ask regarding the DoS
>> protection in IPsec. Based on the IKEv2 standard, there is an anti-
>> clogging mechanism via "cookie" notification in Notify payload
>> which prevent DoS attack on message echange (i.e.,phase 1). It
>> seems that the DoS attack is assumed to have or mounted from spoof
>> IP address.
>> In that sense, I would like to know whether IPsec (especially the
>> IKEv2) contains any protection from legitimate node(s) (as an
>> example DDoS)? In addition, is this type of attack feasible on IKEv2?
>> For ideas on reducing your carbon footprint visit Yahoo! For Good
>> this month.
>> Scanned by Check Point Total Security Gateway.
>> IPsec mailing list
> For ideas on reducing your carbon footprint visit Yahoo! For Good
> this month.
> Scanned by Check Point Total Security Gateway.