What is an IPSec Flood Attack?

Internet Protocol Security (IPSec) is a secure network protocol suite that is primarily used to establish Virtual Private Network (VPN) connections across untrusted networks. IPSec uses the Internet Key Exchange (IKE) protocol to negotiate security associations and session keys, and then authenticates and encrypts the packets sent over an Internet Protocol (IP) network.

Denial-of-Service (DoS) flooding attacks against IPSec were common a few years ago. Since the adoption of IKEv2, whose stateless cookie challenge (RFC 7296, section 2.6) lets a responder avoid allocating any state for IKE_SA_INIT requests from spoofed sources, these state-exhaustion floods have been rendered largely ineffective. The cookie mechanism protects the responder's memory and CPU, not its link: a flood large enough to saturate bandwidth still has to be filtered upstream.

What Are the Signs of an IPSec Flood Attack?

An IPSec Mgr IKEv2 DoS attack is indicated when the number of IKE_SA_INIT requests answered with a DoS cookie challenge reaches the configured high threshold. Similarly, an IKE_AUTH decryption-failure attack is indicated when the configured decryption-failure count reaches its high threshold. Both counters should be exported to monitoring, with the high-threshold crossing raising an alert rather than only a log line.

Why Are IPSec Flood Attacks Dangerous?

Any DDoS attack is dangerous because the intention of the attack is to overwhelm system resources. When an IPSec flood attack succeeds, the impacted gateway exhausts its available resources (half-open SA memory, IKE processing CPU, or link bandwidth) and can no longer service legitimate requests, disrupting all traffic that traverses its IPSec VPN tunnels.

How to Mitigate and Prevent an IPSec Flood?

IKEv2's cookie challenge has largely eliminated state-exhaustion IPSec floods, but it does not stop traffic from reaching the gateway. If a flooding attack occurs, organizations should restrict IKE/ISAKMP traffic (UDP 500 and, for NAT traversal, UDP 4500) and the ESP/AH data traffic that follows it to known sites. As IPSec is primarily used to establish VPN connections between pre-defined sites, organizations can pre-define the IP addresses of those sites in Infrastructure Access Lists (iACLs) applied at the network edge, so that packets from unknown sources are dropped before they consume any IKE processing.
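The following is an added example, not code from the original article or from any vendor's ACL engine. It models the iACL policy described above as a small Python evaluator: only IKE (UDP 500), NAT-T (UDP 4500), ESP and AH are permitted to the gateway, and only from pre-defined peers; transit traffic through the gateway is left alone. The gateway address, peer list and sample packets are constructed for the example, and the render_cisco method emits the same policy in Cisco IOS-style extended ACL syntax so the rules can be compared against a real configuration.

```python
import ipaddress
from dataclasses import dataclass

IKE_PORT = 500      # ISAKMP / IKE
NATT_PORT = 4500    # IKE and UDP-encapsulated ESP when NAT traversal is in use
PROTO_UDP, PROTO_ESP, PROTO_AH = 17, 50, 51


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    proto: int
    dport: int = 0      # only meaningful for UDP


class IpsecIacl:
    """iACL for one VPN gateway: only IKE, ESP and AH, and only from pre-defined peers."""

    def __init__(self, gateway, known_peers):
        self.gateway = ipaddress.ip_address(gateway)
        self.peers = [ipaddress.ip_network(p) for p in known_peers]

    def evaluate(self, pkt):
        """Return (action, reason) for a packet."""
        if ipaddress.ip_address(pkt.dst) != self.gateway:
            return "permit", "transit traffic, not covered by this iACL"
        is_ike = pkt.proto == PROTO_UDP and pkt.dport in (IKE_PORT, NATT_PORT)
        is_data = pkt.proto in (PROTO_ESP, PROTO_AH)
        if not (is_ike or is_data):
            return "deny", "not IKE/ESP/AH"
        src = ipaddress.ip_address(pkt.src)
        if not any(src in net for net in self.peers):
            return "deny", "source is not a pre-defined peer"
        return "permit", "IKE/NAT-T" if is_ike else "ESP/AH"

    def render_cisco(self):
        """The same policy as Cisco IOS-style extended ACL lines."""
        def addr(net):
            if net.num_addresses == 1:
                return f"host {net.network_address}"
            return f"{net.network_address} {net.hostmask}"   # IOS uses wildcard masks
        gw = f"host {self.gateway}"
        lines = []
        for net in self.peers:
            a = addr(net)
            lines += [f"permit udp {a} {gw} eq isakmp",
                      f"permit udp {a} {gw} eq non500-isakmp",
                      f"permit esp {a} {gw}", f"permit ahp {a} {gw}"]
        lines.append(f"deny ip any {gw}")   # everything else aimed at the gateway itself
        lines.append("permit ip any any")   # transit traffic is unaffected
        return lines


# Constructed sample: one gateway, two known sites, and five inbound packets.
ACL = IpsecIacl("192.0.2.1", ["203.0.113.10", "198.51.100.0/24"])
SAMPLE = [
    Packet("203.0.113.10", "192.0.2.1", PROTO_UDP, IKE_PORT),   # IKE from a known site
    Packet("198.51.100.7", "192.0.2.1", PROTO_UDP, NATT_PORT),  # NAT-T from a known site
    Packet("198.51.100.7", "192.0.2.1", PROTO_ESP),             # ESP from a known site
    Packet("203.0.113.99", "192.0.2.1", PROTO_UDP, IKE_PORT),   # IKE from an unknown source
    Packet("203.0.113.10", "192.0.2.1", PROTO_UDP, 53),         # known site, wrong service
]


def actions(acl, packets):
    return [acl.evaluate(p)[0] for p in packets]
```

In a real deployment the management entries (for example SSH from the NOC) would be added before the final deny aimed at the gateway, and the ACL would be applied inbound on the edge interfaces, not on the gateway itself, so that flood traffic is dropped before it reaches the IKE daemon.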

Additional steps that can be taken include:

  • When an IKE_SA_INIT request is received, start a half-open IKE SA timer. If the timer expires before an IKE_AUTH message is received, clear the half-open IKEv2 IKE SA so that it does not hold memory indefinitely.
  • If IKE_AUTH decryption fails a specified number of times in a row during session creation, clear the IKEv2 IKE SA.
  • Define a maximum certificate size for the IKE SA, which prevents the gateway from downloading large certificates from suspect URLs (IKEv2 allows a peer to supply its certificate as a hash and a URL rather than inline).
  • If Child SA rekey requests per second exceed a set limit, send a TEMPORARY_FAILURE notification to the peer asking it to slow down.
  • If incoming IKE messages per IKE SA exceed a set limit, drop all messages over the limit.
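The following is an added example written for this article; it is not any vendor's IKEv2 implementation. It models the responder-side bookkeeping behind the cookie-challenge sign described earlier and the five mitigations listed above: a stateless cookie challenge once too many IKE SAs are half-open (with an alert when the challenge count reaches the high threshold), a half-open timer sweep, clearing after consecutive IKE_AUTH decryption failures, a maximum certificate size, a TEMPORARY_FAILURE reply to excessive Child SA rekeys, and a per-IKE-SA message limit. The class and method names, the threshold values, the simulated clock and the flood scenario are all assumptions chosen for illustration.

```python
from dataclasses import dataclass, field


@dataclass
class IkeSa:
    peer: str
    created: float
    authenticated: bool = False
    decrypt_failures: int = 0
    counters: dict = field(default_factory=dict)   # name -> (window start, count)


class Ikev2Responder:
    """Responder-side IKEv2 bookkeeping implementing the DoS limits listed above."""
    HALF_OPEN_TIMEOUT = 10.0      # seconds before an unauthenticated IKE SA is cleared
    MAX_DECRYPT_FAILURES = 3      # consecutive IKE_AUTH decryption failures before clearing
    MAX_CERT_SIZE = 8192          # bytes; larger peer certificates are refused
    MAX_REKEYS_PER_SEC = 5        # Child SA rekeys per IKE SA before TEMPORARY_FAILURE
    MAX_MSGS_PER_SEC = 20         # messages per IKE SA before the excess is dropped
    COOKIE_TRIGGER = 100          # half-open SAs before IKE_SA_INIT is cookie-challenged
    COOKIE_HIGH_THRESHOLD = 1000  # challenges at which the DoS alarm is raised

    def __init__(self):
        self.now = 0.0            # simulated clock; real code would use time.monotonic()
        self.sas, self.next_spi = {}, 1                  # SPI -> IkeSa
        self.cookie_challenges, self.alerts = 0, []

    def half_open_count(self):
        return sum(1 for sa in self.sas.values() if not sa.authenticated)

    def on_ike_sa_init(self, peer, has_cookie=False):
        # Under load, answer with a COOKIE notify and allocate nothing (RFC 7296 s.2.6).
        if self.half_open_count() >= self.COOKIE_TRIGGER and not has_cookie:
            self.cookie_challenges += 1
            if self.cookie_challenges == self.COOKIE_HIGH_THRESHOLD:
                self.alerts.append("IKEv2 DoS: cookie challenge high threshold reached")
            return "COOKIE", None
        spi, self.next_spi = self.next_spi, self.next_spi + 1
        self.sas[spi] = IkeSa(peer=peer, created=self.now)
        return "IKE_SA_INIT_RESPONSE", spi

    def expire_half_open(self):
        # Half-open timer sweep: clear SAs that never completed IKE_AUTH in time.
        stale = [spi for spi, sa in self.sas.items()
                 if not sa.authenticated and self.now - sa.created >= self.HALF_OPEN_TIMEOUT]
        for spi in stale:
            del self.sas[spi]
        return len(stale)

    def on_ike_auth(self, spi, decrypts_ok, cert_size=0):
        sa = self.sas.get(spi)
        if sa is None:
            return "NO_SUCH_SA"
        if not decrypts_ok:
            sa.decrypt_failures += 1
            if sa.decrypt_failures >= self.MAX_DECRYPT_FAILURES:
                del self.sas[spi]
                return "SA_CLEARED"
            return "DECRYPT_FAILED"
        if cert_size > self.MAX_CERT_SIZE:   # e.g. a huge certificate fetched via hash-and-URL
            del self.sas[spi]
            return "CERT_TOO_LARGE"
        sa.authenticated = True
        return "AUTHENTICATED"

    def _over(self, sa, key, limit):
        # Per-SA counter in a fixed 1-second window; True once the count exceeds limit.
        start, n = sa.counters.get(key, (self.now, 0))
        if self.now - start >= 1.0:
            start, n = self.now, 0
        sa.counters[key] = (start, n + 1)
        return n + 1 > limit

    def on_message(self, spi, exchange):
        sa = self.sas.get(spi)
        if sa is None or not sa.authenticated:
            return "NO_SUCH_SA"
        if self._over(sa, "msgs", self.MAX_MSGS_PER_SEC):
            return "DROPPED"              # over the per-IKE-SA message limit
        if exchange == "CREATE_CHILD_SA" and self._over(sa, "rekeys", self.MAX_REKEYS_PER_SEC):
            return "TEMPORARY_FAILURE"    # ask the peer to slow its rekeys (RFC 7296 s.2.8.2)
        return "ACCEPTED"


def run_scenario():
    """Constructed scenario: a spoofed IKE_SA_INIT flood, then misbehaving and genuine peers."""
    r, out = Ikev2Responder(), {}
    # (a) 1200 spoofed inits: state is allocated for the first 100, the rest get a cookie
    out["challenged"] = sum(1 for i in range(1200)
                            if r.on_ike_sa_init(f"198.51.100.{i % 250}")[0] == "COOKIE")
    out["half_open"], out["alerts"] = r.half_open_count(), len(r.alerts)
    r.now += 10.0                          # (b) half-open timer sweep clears the stale state
    out["expired"] = r.expire_half_open()
    _, spi = r.on_ike_sa_init("203.0.113.5")   # (c) IKE_AUTH never decrypts: cleared on 3rd try
    out["decrypt"] = [r.on_ike_auth(spi, False) for _ in range(3)]
    _, spi = r.on_ike_sa_init("203.0.113.6")   # (d) genuine peer: rekeys too fast, then floods
    r.on_ike_auth(spi, True, cert_size=1500)
    out["rekey"] = [r.on_message(spi, "CREATE_CHILD_SA") for _ in range(6)]
    out["flood"] = [r.on_message(spi, "INFORMATIONAL") for _ in range(20)]
    return out
```

Running run_scenario() shows the intended behaviour: the flood allocates only COOKIE_TRIGGER half-open SAs and raises the alert once the challenge count reaches COOKIE_HIGH_THRESHOLD, the timer sweep frees them, a peer that cannot produce decryptable IKE_AUTH traffic is cleared on the third failure, and the genuine peer receives TEMPORARY_FAILURE on its sixth rekey and has messages beyond the per-second limit dropped. A real implementation would compute the cookie as a keyed hash over the initiator's address, SPI and nonce so that it can be verified statelessly when echoed back.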