Bugzilla – Bug 967611
VUL-1: VU#419128: IKE DoS tracker-bug
Last modified: 2016-06-16 14:51:11 UTC
bugbot adjusting priority
https://www.kb.cert.org/vuls/id/419128 seems public
no cve from note:

Vulnerability Note VU#419128
IKE/IKEv2 protocol implementations may allow network amplification attacks
Original Release date: 29 Feb 2016 | Last revised: 04 Mar 2016

Overview
Implementations of the IKEv2 protocol are vulnerable to network amplification attacks.

Description
CWE-406: Insufficient Control of Network Message Volume (Network Amplification)
IKE/IKEv2 and other UDP-based protocols can be used to amplify denial-of-service attacks. In some scenarios, an amplification of up to 900% may be obtained from IKEv2 server implementations. More details are provided in a white paper from the researcher.

Impact
An unauthenticated remote attacker may leverage the vulnerable IKE/IKEv2 server to conduct a distributed reflective denial-of-service (DRDoS) attack on another user.

Solution
The CERT/CC is currently unaware of a full solution to this problem. Please consider one of the workarounds listed below. A full solution may require revisions to RFC 7296 and/or RFC 2408.

Perform Egress Filtering
Configure your router/firewall to perform egress filtering, which may help to mitigate attacks that utilize source IP spoofing. Please refer to your product's documentation for instructions on how to perform egress filtering.
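The note above describes two things a defender can act on: a responder that sends far more bytes than it receives per client (the amplification the note puts at up to 900%), and BCP 38 style egress filtering as the workaround against spoofed source addresses. The following script is an added example written for this tracker bug; it is not code from the CERT note, the researcher's white paper or any IKE implementation. It assumes the operator knows its own IKE responder addresses and address space, and the flow records it processes are constructed inline for illustration.

```python
import ipaddress
from collections import defaultdict

# Constructed sample flow records, loosely NetFlow-shaped; they are not data from
# the bug, the CERT note or the researcher's white paper.
# Fields: (src_ip, src_port, dst_ip, dst_port, proto, bytes)
SAMPLE_FLOWS = [
    # Small IKE request from one client, large response back to it.
    ("198.51.100.7", 500, "192.0.2.10", 500, "udp", 120),
    ("192.0.2.10", 500, "198.51.100.7", 500, "udp", 1080),
    # Another client whose exchange is roughly symmetric.
    ("203.0.113.44", 500, "192.0.2.10", 500, "udp", 400),
    ("192.0.2.10", 500, "203.0.113.44", 500, "udp", 420),
    # NAT-T traffic on UDP 4500, also symmetric.
    ("203.0.113.44", 4500, "192.0.2.10", 4500, "udp", 300),
    ("192.0.2.10", 4500, "203.0.113.44", 4500, "udp", 330),
    # Unrelated TCP flow that must be ignored.
    ("203.0.113.44", 51000, "192.0.2.10", 443, "tcp", 5000),
]

# Assumed: the defender knows its own IKE responders and its own prefixes.
IKE_SERVERS = {"192.0.2.10"}
IKE_PORTS = {500, 4500}
LOCAL_PREFIXES = [ipaddress.ip_network("192.0.2.0/24")]


def amplification_ratios(flows, servers=IKE_SERVERS, ports=IKE_PORTS):
    """Per (server, client) pair: bytes the server sent divided by bytes it received.

    IKE uses the same UDP port on both ends, so direction is decided by which
    end is a known server rather than by port numbers alone.
    """
    received = defaultdict(int)
    sent = defaultdict(int)
    for src, sport, dst, dport, proto, nbytes in flows:
        if proto != "udp":
            continue
        if dst in servers and dport in ports:
            received[(dst, src)] += nbytes
        elif src in servers and sport in ports:
            sent[(src, dst)] += nbytes
    return {pair: sent[pair] / rx for pair, rx in received.items() if rx > 0}


def flag_reflection_candidates(flows, threshold=3.0, **kw):
    """Return (server, client) pairs whose response/request ratio reaches the
    threshold. Seen from the responder, a reflection victim looks like a client
    that receives far more than it apparently asked for, because the request
    source address was spoofed to point at it."""
    return sorted(pair for pair, ratio in amplification_ratios(flows, **kw).items()
                  if ratio >= threshold)


def egress_allowed(src_ip, local_prefixes=LOCAL_PREFIXES):
    """BCP 38 style egress check: a packet leaving this network may only carry a
    source address from the network's own prefixes. Anything else is spoofed or
    misrouted and should be dropped at the border."""
    ip = ipaddress.ip_address(src_ip)
    return any(ip in net for net in local_prefixes)


if __name__ == "__main__":
    for pair, ratio in sorted(amplification_ratios(SAMPLE_FLOWS).items()):
        print(f"{pair[0]} -> {pair[1]}: ratio {ratio:.2f}")
    print("flagged:", flag_reflection_candidates(SAMPLE_FLOWS))
    for ip in ("192.0.2.10", "203.0.113.5"):
        print(ip, "egress allowed" if egress_allowed(ip) else "egress DROP (spoofed source)")
```

On the constructed data the first client pair comes out at a ratio of 9 and is flagged, while the symmetric client stays just above 1. The ratio check is a monitoring signal for an operator's own responders; the egress check is the per-packet rule the note's workaround asks the border router or firewall to enforce, and in practice both the server set and the local prefix list would be fed from inventory rather than hard-coded.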
I opened a newer bug, use that for tracking.

*** This bug has been marked as a duplicate of bug 984628 ***