Bugtraq: Re: Re: Cisco VPN Concentrator IKE resource exhaustion DoS Advisory

Nmap Security Scanner

Intro

Ref Guide

Install Guide

Download

Changelog

Book

Docs
Security Lists

Bugtraq

Basics

More
Security Tools

More
Site News
Site Search:
Exploit World
Advertising
About/Contact
Credits
Sponsors:

Bugtraq mailing list archives

Re: Re: Cisco VPN Concentrator IKE resource exhaustion DoS Advisory

From: henry.sieff () gmail com
Date: 7 Aug 2006 22:24:13 -0000

Cisco recommends a workaround which essentially sets a limit on the number of outstanding SA's and drops new SA 
requests if they exceed that limit (outlined in 
http://www.cisco.com/en/US/products/sw/iosswrel/ps5207/products_feature_guide09186a0080229125.html)

It seems to me that this will not accomplish much - presumably the determined attacker will simply continue to send 
packets - as soon as the number of SA'ss drops below that limit the attacker will simply fill up the queue again. Am I 
missing something about the vulnerability or the supposed fix from Cisco?

By Date By Thread

Current thread:

Re: Cisco VPN Concentrator IKE resource exhaustion DoS Advisory Roy Hills (Aug 02)
- <Possible follow-ups>
- Re: Re: Cisco VPN Concentrator IKE resource exhaustion DoS Advisory henry . sieff (Aug 11)
  - RE: Re: Cisco VPN Concentrator IKE resource exhaustion DoS Advisory Lance Seelbach (Aug 14)
    - Re: Re: Cisco VPN Concentrator IKE resource exhaustion DoS Advisory Henry Sieff (Aug 11)