In some mail from c0redump, sie said:
>
> UDP DoS in Win2k via IKE
>
> PROBLEM
> =======
> A DoS attack can be carried out on Win2k machines running IKE (internet key
> exchange) by flooding IKE with UDP packets. This can cause the
> machine to lock up and render 99% of the CPU.
>
> EXPLOIT
> =======
> Connect to port 500 (IKE) of the Win2k box and start sending UDP packets of
> more than 800 bytes continuously. The box will eventually stop responding
> and services will be denied due to 99% CPU usage from the packets.
>
> SOLUTION
> ========
> Firewall port 500 off if IPsec is not in use.

The solution should be:

Disable the "IPsec policy agent" service if IPsec is not in use.

(Makes you wonder why it was on in the first place, especially if no IPsec
policies have been assigned, but I digress...)

But what about if you are using IPsec ?

Some questions.

Did you try and measure the minimum packet rate required to keep it at 99%
CPU?  How fast the victim CPU is would also be worth mentioning with this.

Do you need to send packets to the IKE server that look like IKE packets or
does any random garbage suffice?

Have you tried targeting other platforms which have daemons which handle
IKE ?  If so, did they behave any differently when under load like this ?

Because of the crypto involved, this sounds very similar to the problem
described in the paper presented at Usenix Security 2001 on DoS attacks
against secure web servers (I think 6 clients are required to make an https
server practically unusable).  I wonder if a similar solution is worthwhile...

Darren
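One defensive way to act on the numbers in this thread (UDP datagrams of more than 800 bytes to port 500, and the open question of what packet rate is needed) is to measure, per source, the rate of such datagrams in a firewall or packet log and flag sources that exceed a threshold. The Python script below is an added example; it is not code from c0redump, Darren or the advisory. The log line format, the one-second sliding window and the 50-per-second threshold are assumptions chosen for illustration, and the sample log is constructed.

```python
"""Flag hosts sending oversized UDP datagrams to port 500 (IKE) at a high rate.

Added example for the thread above, not code from the original posters.
Assumed log format (constructed for this example):
    <epoch_seconds> <proto> <src_ip>:<src_port> -> <dst_ip>:<dst_port> len=<bytes>
The window and rate threshold are assumptions, not measured values.
"""
import re
from collections import defaultdict

LINE_RE = re.compile(
    r"^(?P<ts>\d+(?:\.\d+)?)\s+(?P<proto>\w+)\s+"
    r"(?P<src>[\d.]+):(?P<sport>\d+)\s+->\s+(?P<dst>[\d.]+):(?P<dport>\d+)\s+len=(?P<len>\d+)$"
)

IKE_PORT = 500
BIG_DATAGRAM = 800      # the advisory's figure: datagrams "of more than 800 bytes"
WINDOW_SECONDS = 1.0    # assumption: rate is judged over a one-second sliding window
RATE_THRESHOLD = 50     # assumption: >50 large IKE datagrams/s from one source is suspicious


def parse_line(line):
    """Parse one log line into a dict, or return None for lines that do not match."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    return {
        "ts": float(m["ts"]),
        "proto": m["proto"].upper(),
        "src": m["src"],
        "dst": m["dst"],
        "dport": int(m["dport"]),
        "len": int(m["len"]),
    }


def large_ike_events(lines):
    """Yield (ts, src, dst) for UDP datagrams to port 500 larger than BIG_DATAGRAM."""
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue  # malformed or unrelated line; skip rather than crash
        if rec["proto"] == "UDP" and rec["dport"] == IKE_PORT and rec["len"] > BIG_DATAGRAM:
            yield rec["ts"], rec["src"], rec["dst"]


def peak_rate_per_source(lines, window=WINDOW_SECONDS):
    """Return {(src, dst): peak count of large IKE datagrams within any `window` seconds}."""
    per_pair = defaultdict(list)
    for ts, src, dst in large_ike_events(lines):
        per_pair[(src, dst)].append(ts)
    peaks = {}
    for pair, stamps in per_pair.items():
        stamps.sort()
        peak, start = 0, 0
        for end, ts in enumerate(stamps):
            while ts - stamps[start] > window:  # drop timestamps that fell out of the window
                start += 1
            peak = max(peak, end - start + 1)
        peaks[pair] = peak
    return peaks


def flag_flooders(lines, threshold=RATE_THRESHOLD):
    """Return a sorted list of (src, dst, peak_rate) pairs whose peak rate exceeds threshold."""
    return sorted(
        (src, dst, rate)
        for (src, dst), rate in peak_rate_per_source(lines).items()
        if rate > threshold
    )


# Constructed sample log: one source sends 120 large datagrams to UDP/500 in about 0.6 s,
# a legitimate IKE peer sends a few normal-sized packets, plus unrelated and malformed lines.
SAMPLE_LOG = (
    [f"{1000 + i * 0.005:.3f} UDP 10.0.0.9:{40000 + i} -> 10.0.0.1:500 len=1200" for i in range(120)]
    + [f"{1000 + i * 0.2:.3f} UDP 10.0.0.7:500 -> 10.0.0.1:500 len=300" for i in range(5)]
    + ["1000.100 TCP 10.0.0.5:51000 -> 10.0.0.1:80 len=1400",
       "garbage line that does not parse"]
)

if __name__ == "__main__":
    for src, dst, rate in flag_flooders(SAMPLE_LOG):
        print(f"possible IKE flood: {src} -> {dst}:{IKE_PORT}, peak {rate} large UDP datagrams per second")
```

Adapt `LINE_RE` to whatever your firewall or capture tool actually emits; a flagged source is a candidate for the advisory's own mitigation (filtering port 500 where IPsec is not needed) or for closer investigation, and the peak rate it reports is the measurement the thread asks for on the defender's side.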
This archive was generated by hypermail 2b30 : Sat Dec 08 2001 - 01:58:15 PST