Microsoft IKE DoS... source port 500?

From: Abe L. Getchell (abegetchellat_private)
Date: Sat Dec 29 2001 - 15:26:14 PST


    Greetings all!
    
    Over the holidays I wrote some code, for testing purposes, to exploit
    the DoS recently found in Microsoft's IKE implementation.  Because of a
    simple coding error, the packets I was generating had a source port of
    1024, _not_ a source port of 500 which is always associated with IKE
    traffic.  The code, however, was still effective in causing a DoS
    condition on the target machine.  I fixed the error, but this got me
    thinking.  In everything I've read in documentation and experienced on
    production networks, IKE packets always have a source port of 500.  So
    why was Microsoft's IKE implementation happily accepting packets that
    didn't?  Shouldn't this be one of the first things on the list to be
    checked before a packet is processed?
    
    All of the packet captures, books, research papers, reference
    information, newsgroup and mailing list postings I went through
    referenced IKE packets having a source port of 500.  Thinking back, all
    of the products I've worked with that specifically dealt with IKE
    traffic categorized this type of traffic by stating it would have a
    destination _and_ source port of 500.  This further deepened my
    curiosity as to why Microsoft's implementation would process these
    packets.
    
    Deciding to go right to the source, I referred to the ISAKMP RFC:
    
    (from http://www.ietf.org/rfc/rfc2408.txt)
    
    2.5.1 Transport Protocol
    
       ISAKMP can be implemented over any transport protocol or over IP
       itself.  Implementations MUST include send and receive capability for
       ISAKMP using the User Datagram Protocol (UDP) on port 500.  UDP Port
       500 has been assigned to ISAKMP by the Internet Assigned Numbers
       Authority (IANA). Implementations MAY additionally support ISAKMP
       over other transport protocols or over IP itself.
    
    Notice that this doesn't specify that IKE packets _must_ have a source
    port of 500, it simply says 'port 500'.  Can someone point me to any
    piece of documentation which specifies that IKE packets _must_ have a
    source port of 500?  Is this one of those 'unofficial standards' and
    hence the reason for Microsoft's implementation processing these packets
    as normal?
    
    Thanks,
    Abe
    
    --
    Abe L. Getchell
    Security Engineer
    abegetchellat_private
    
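As an added example that is not part of the original post: a small defensive check, written here for illustration, that parses a UDP datagram carrying an ISAKMP header (RFC 2408 section 3.1) and flags what a monitor or filter would want to log, namely a source port other than 500, which the RFC text quoted above permits but production traffic rarely shows, along with a truncated header or a length field that disagrees with the bytes present. The function names and the sample datagram are constructed for this example, not taken from any real capture.

```python
import struct
from dataclasses import dataclass, field

ISAKMP_PORT = 500
ISAKMP_HDR_LEN = 28  # fixed ISAKMP header size, RFC 2408 section 3.1


@dataclass
class IsakmpSummary:
    src_port: int
    dst_port: int
    exchange_type: int    # -1 when the header could not be parsed
    declared_len: int     # -1 when the header could not be parsed
    flags: list = field(default_factory=list)


def build_udp(src_port: int, dst_port: int, payload: bytes) -> bytes:
    """Helper (constructed for this example): UDP header + payload, checksum 0."""
    return struct.pack("!HHHH", src_port, dst_port, 8 + len(payload), 0) + payload


def inspect_udp_isakmp(datagram: bytes) -> IsakmpSummary:
    """Parse a UDP datagram addressed to port 500 and report anomalies."""
    if len(datagram) < 8:
        raise ValueError("truncated UDP header")
    src_port, dst_port, _udp_len, _csum = struct.unpack("!HHHH", datagram[:8])
    if dst_port != ISAKMP_PORT:
        raise ValueError("not addressed to UDP/500")
    payload = datagram[8:]
    flags = []
    # RFC 2408 only mandates port 500 as the listening port; a non-500
    # source port is legal but worth logging because it is unusual.
    if src_port != ISAKMP_PORT:
        flags.append("nonstandard-src-port")
    if len(payload) < ISAKMP_HDR_LEN:
        flags.append("short-isakmp-header")
        return IsakmpSummary(src_port, dst_port, -1, -1, flags)
    # ISAKMP header: initiator cookie (8), responder cookie (8), next payload,
    # version, exchange type, flags, message ID (4), total length (4)
    (_icookie, _rcookie, _next, _ver, exch, _hflags, _msgid, declared_len) = \
        struct.unpack("!8s8sBBBBII", payload[:ISAKMP_HDR_LEN])
    if declared_len != len(payload):
        flags.append("length-mismatch")
    return IsakmpSummary(src_port, dst_port, exch, declared_len, flags)


# Constructed sample: header only (28 bytes), version 1.0, identity
# protection exchange (2), sent from source port 1024 to port 500.
SAMPLE_HDR = struct.pack("!8s8sBBBBII", b"\x11" * 8, b"\x00" * 8, 0, 0x10, 2, 0, 0, 28)
SAMPLE_UDP = build_udp(1024, ISAKMP_PORT, SAMPLE_HDR)

if __name__ == "__main__":
    print(inspect_udp_isakmp(SAMPLE_UDP))
```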



    This archive was generated by hypermail 2b30 : Sat Dec 29 2001 - 18:14:36 PST