mailing list archives
Re: UDP DoS attack in Win2k via IKE
From: Darren Reed <avalon () cairo anu edu au>
Date: Sat, 8 Dec 2001 17:47:13 +1100 (Australia/NSW)
In some mail from c0redump, sie said:
UDP DoS in Win2k via IKE
A DoS attack can be carried out on Win2k machines running IKE (internet key
exchange) by sending flooding IKE with UDP packets. This can cause the
machine to lock up and render 99% of the CPU.
Connect to port 500 (IKE) of the Win2k box and start sending UDP packets of
more than 800 bytes continuously. The box will eventually stop responding
and services will be denied due to 99% CPU usage from the packets.
Firewall port 500 off if IPSsec is not in use.
The solution should be:
Disable the "IPsec policy agent" service if IPsec is not in use.
(Makes you wonder why it was on in the first place, especially if no IPSec
policies have been assigned but I digress...)
But what about if you are using IPsec ?
Did you try and measure the minimum packet rate required to keep it at
99% CPU? How fast the victim CPU is would also be worth mentioning with
Do you need to send packets to the IKE server that look like IKE packets
or does any random garbage suffice?
Have you tried targetting other platforms which have daemons which handle
IKE ? If so, did they behave any differently when under load like this ?
Because of the crypto involved, this sounds very similar to the problem
described in the paper presented at Usenix Security 2001 on DoS attacks
against secure web servers (I think 6 clients are required to make an
https server practically unusable). I wonder if a similar solution is