search menu icon-carat-right cmu-wordmark

CERT Coordination Center

IKE/IKEv2 protocol implementations may allow network amplification attacks

Vulnerability Note VU#419128

Original Release Date: 2016-02-29 | Last Revised: 2017-07-18

Overview

Implementations of the IKEv2 protocol are vulnerable to network amplification attacks.

Description

CWE-406: Insufficient Control of Network Message Volume (Network Amplification)

IKE/IKEv2 and other UDP-based protocols can be used to amplify denial-of-service attacks. In some scenarios, an amplification of up to 900% may be obtained from IKEv2 server implementations.

More details are provided in a white paper from the researcher.

Impact

An unauthenticated remote attacker may leverage the vulnerable IKE/IKEv2 server to conduct a distributed reflective denial-of-service (DRDoS) attack on another user.

Solution

The CERT/CC is currently unaware of a full solution to this problem. Some vendors have addressed this issue separately; please see the affected vendors list below.

Please consider one of the workarounds listed below.

A full solution may require revisions to RFC 7296 and/or RFC 2408.

Perform Egress Filtering

Configure your router/firewall to perform egress filtering, which may help to mitigate attacks that utilize source IP spoofing. Please refer to your product's documentation for instructions on how to perform egress filtering.

Vendor Information

419128
 

View all 83 vendors View less vendors


CVSS Metrics

Group Score Vector
Base 7.8 AV:N/AC:L/Au:N/C:N/I:N/A:C
Temporal 6.7 E:POC/RL:W/RC:C
Environmental 6.7 CDP:ND/TD:H/CR:ND/IR:ND/AR:ND

References

Acknowledgements

Thanks to Chad Seaman of Akamai for reporting this vulnerability.

This document was written by Garret Wassermann.

Other Information

CVE IDs: None
Date Public: 2016-02-25
Date First Published: 2016-02-29
Date Last Updated: 2017-07-18 15:42 UTC
Document Revision: 35

Sponsored by CISA.