What is an IPSec Flood DDoS Attack?

What is an IPSec Flood DDoS Attack?

Internet Protocol Security (IPSec) is a secure network protocol suite which is primarily used to establish Virtual Private Network (VPN) connections across unsecure networks. IPSec utilizes the Internet Key Exchange (IKE) protocol to ensure secure connections and will authenticate and encrypt packets of data sent over an Internet Protocol (IP) network.

Denial-of-Service (DoS) flooding DDoS attacks against IPSec were common a few years ago, however, since the adoption of IKEv2, these types of volumetric DDoS attacks have been rendered largely ineffective.

What Are the Signs of an IPSec Flood Attack?

What Are the Signs of an IPSec Flood DDoS Attack?

An IPSec Mgr IKEv2 DoS attack is indicated when the configured DoS cookie challenge reaches the high threshold limit. Similarly, an IKE_Auth Decryption failure is apparent when the high threshold is reached for the configured decryption failure count.

Why Are IPSec Flood Attacks Dangerous?

Why Are IPSec Flood DDoS Attacks Dangerous?

Any DDoS attack is dangerous because the intention of the attack is to overwhelm system resources. When an IPSec flood attack is successful, it causes the impacted system to exhaust all available resources, preventing it from servicing legitimate requests, and resulting in traffic traversing IPSec VPN connections being affected.

How to Mitigate and Prevent an IPSec Flood?

How to Mitigate and Prevent an IPSec Flood?

With the advent of IKEv2, IPSec flood DDoS attacks have been largely eliminated. If a flooding DDoS attack occurs, organizations should limit IKE/ISAKMP traffic, only allowing traffic from known sites. As IPSec is primarily used to establish VPN connections between pre-defined sites, organizations can pre-define the IP addresses of those sites in Infrastructure Access Lists (iACL’s).

Additional steps that can be taken include:

  • When an IKE_SA_INIT request is received, a half-open IKE SA timer can be initiated. If the time expires before an IKE_AUTH message is received then the half-open IKEv2 IKE SA should be cleared.
  • If IKE_AUTH decryption fails a specified number of times in a row during session creation, the IKEv2 IKE SA should be cleared.
  •  Define the maximum certificate size for the IKE SA, which will prevent downloading of large certificates from suspect URLs.
  • In the event Child SA rekey requests per second exceed a set limit, a temporary failure notification can be issue to the peer asking that requests be slowed.
  • If incoming IKE messages per IKE SA exceed a set limit, all messages over the limit should be  dropped.


How can NETSCOUT help?

NETSCOUT's Arbor DDoS solution has been protecting the world's largest and most demanding networks from DDoS attacks for more than a decade. We strongly believe that the best way to protect your resources from modern DDoS attacks is through a multi-layer deployment of purpose-built DDoS mitigation solutions.

Only with a tightly integrated, multi-layer defense can you adequately protect your organization from the full spectrum of DDoS attacks.

Arbor Cloud

Tightly integrated, multi-layer DDoS protection

Arbor Edge Defense


Arbor SP/Threat Mitigation System

High Capacity On-Premise Solution for Large Organizations

NETSCOUT customers enjoy a considerable competitive advantage by getting both a micro view of their own network, via our products, combined with a macro view of global Internet traffic, via NETSCOUT Omnis Threat Horizon, an interface to our ATLAS threat intelligence and a DDoS Attack Map visualization.