Home page logo

bugtraq logo Bugtraq mailing list archives

Re: Cisco VPN Concentrator IKE resource exhaustion DoS Advisory
From: Eloy Paris <elparis () cisco com>
Date: Fri, 28 Jul 2006 17:57:52 -0400


This is a Cisco PSIRT response to an advisory published on July 26, 2006
by an unaffiliated third party, Roy Hills, of NTA Monitor Ltd, entitled
"Cisco VPN Concentrator IKE resource exhaustion DoS", and available at:


This issue is being tracked by the following Cisco Bug IDs:

* CSCse70811 (Cisco IOS software)

* CSCdt92467 (Cisco VPN 3000 Concentrators)

* CSCsb51032 (Cisco PIX firewalls)

We thank Roy Hills from NTA Monitor Ltd for reporting this issue to
Cisco. We greatly appreciate the opportunity to work with researchers
on security vulnerabilities, and welcome the opportunity to review and
assist in product reports.

The attack against the Internet Key Exchange (IKE) protocol described
in the NTA Monitor advisory exploits the stateless nature of the IKE
version 1 protocol. The goal of such an attack is to deplete the
resources available on a device to negotiate IKE security associations,
and block legitimate users from establishing a new security association.

This vulnerability is not related to a specific vendor implementation,
but to underlying issues in the IKE protocol, and may affect any device
which implements IKE version 1. Cisco devices implementing IKE version 1
include the PIX and ASA security appliances, Cisco IOS software, and the
VPN 3000 Series Concentrators.

Customers running Cisco IOS software can mitigate this vulnerability by
implementing the feature "Call Admission Control for IKE". Additional
information on this feature can be found at:

http://www.cisco.com/en/US/products/sw/iosswrel/ps5207/products_feature_guide09186a0080229125.html .

There are no workarounds to mitigate this vulnerability for other
affected devices.

Cisco will continue to investigate the possibility of implementing
software workarounds to minimize the impact of this vulnerability.

Cisco's statement and further information are available on the Cisco
public website at:


Please contact psirt () cisco com with any questions regarding this issue.


Eloy Paris.-
Product Security Incident Response Team (PSIRT)
Cisco Systems, Inc.

On Wed, Jul 26, 2006 at 02:56:29PM +0100, Roy Hills wrote:
Cisco VPN Concentrator IKE resource exhaustion DoS Advisory

1. Overview

NTA Monitor discovered a denial of service vulnerability in the Cisco 
VPN 3000 series concentrator products while performing a VPN security 
test for a customer in July 2005.

The vulnerability affects Phase-1 of the IKE protocol. Both Main Mode 
and Aggressive Mode over both UDP and TCP transports are affected.

The vulnerability allows an attacker to exhaust the IKE resources on 
a VPN concentrator by sending a high rate of IKE requests, which will 
prevent valid clients from connected or re-keying. The attack does 
not require a high bandwidth, so one attacker could potentially 
target many concentrators.

This mechanism behind this vulnerability is similar to the well-known 
TCP SYN flood vulnerability.

2. Vulnerability Details

The vulnerability allows an attacker to exhaust the IKE resources on 
a remote VPN concentrator by starting new IKE sessions faster than 
the concentrator expires them from its queue. By doing this, the 
attacker fills up the concentrator's queue, which prevents it from 
handling valid IKE requests.

The exploit involves sending IKE Phase-1 packets containing an 
acceptable transform. It is not necessary to have valid credentials 
in order to exploit this vulnerability, as the problem occurs before 
the authentication stage. The vulnerability affects both Main Mode 
and Aggressive Mode, and both normal IKE over UDP and Cisco 
proprietary TCP-encapsulated IKE.

In order to exploit the vulnerability, the attacker needs to send IKE 
packets at a rate which exceeds the Concentrator's IKE session expiry 
rate. Tests show that the target concentrator starts to be affected 
at a rate of 2 packets per second, and is becomes unusable at 10 
packets per second. As a minimal Main Mode packet with a single 
transform is 112 bytes long, 10 packets per second corresponds to a 
data rate of slightly less than 9,000 bits per second.

The concentrator will remain unable to process IKE requests as long 
as the flow of packets continues. Once the flow stops, the 
concentrator will return to normal operation as the negotiation queue 

It is not normally possible to block public inbound access to the IKE 
service on the VPN concentrator, because it is required for remote 
access IPsec operation. As IKE normally uses the UDP transport 
protocol, the attacker may forge the packet's source IP address to 
avoid identification, or to prevent the victim from blocking the 
traffic with ingress filtering. In addition, IDS/IPS systems will 
probably not be able to detect the attack, because the packets are 
valid IKE packets.

It is possible for attackers to detect and fingerprint Cisco VPN 
concentrators using the IKE fingerprinting techniques that we have 
previously published in VPN security white papers. Therefore users 
should not assume that their concentrator is invisible just because 
it's not published in the DNS and is not running any TCP services.

The symptoms are that the target concentrator won't respond to IKE 
requests from any source when all the negotiation slots are filled. 
This means that new clients will be unable to connect, and Phase-1 
re-keying attempts will fail. It is not known if Phase-2 re-keying is 
also affected. Traffic over existing VPN tunnels should not be 
affected until they need to re-key.

The mechanism behind this vulnerability is similar to that behind the 
well-known TCP SYN flood issue. In both cases the target system has a 
stateful mechanism for recording outstanding negotiations, uses a 
fixed-size list to store negotiations in progress, and does not 
require any authentication in order to start a negotiation.

3. Example

We are not planning to release examples of how to exploit this 
vulnerability until it has been addressed and users have had an 
opportunity to apply the fix or workaround.

4. Affected Versions

The issue is believed to affect all models of Cisco VPN 3000 
Concentrator: 3005, 3015, 3020, 3030, 3060 and 3080. It is suspected 
that other cisco products that support IKE may also be affected, but 
this has not been confirmed.

5. Solution

There is no known fix or workaround at this time.

6. Timeline

The vulnerability was first discovered on 4th July 2005, and was 
reported to Cisco's security team (PSIRT) the same day. Cisco 
responded on 9th August 2005, but no further progress has been made.

7. References

NTA Monitor advisory 

Roy Hills
NTA Monitor Ltd

Roy Hills                                    Tel:   +44 1634 721855
NTA Monitor Ltd                              FAX:   +44 1634 721844
14 Ashford House, Beaufort Court,
Medway City Estate,                          Email: 
Roy.Hills () nta-monitor com
Rochester, Kent ME2 4FA, 
UK                  WWW:   http://www.nta-monitor.com/  

Attachment: signature.asc
Description: Digital signature

  By Date           By Thread  

Current thread:
[ Nmap | Sec Tools | Mailing Lists | Site News | About/Contact | Advertising | Privacy ]