Vulnerability Note VU#419128
IKE/IKEv2 protocol implementations may allow network amplification attacks
Implementations of the IKEv2 protocol are vulnerable to network amplification attacks.
CWE-406: Insufficient Control of Network Message Volume (Network Amplification)
IKE/IKEv2 and other UDP-based protocols can be used to amplify denial-of-service attacks. In some scenarios, an amplification of up to 900% may be obtained from IKEv2 server implementations.
An unauthenticated remote attacker may leverage the vulnerable IKE/IKEv2 server to conduct a distributed reflective denial-of-service (DRDoS) attack on another user.
The CERT/CC is currently unaware of a full solution to this problem. Some vendors have addressed this issue separately; please see the affected vendors list below.
Perform Egress Filtering
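As an added example, not part of the CERT/CC note, the following Python measures the reply-to-request byte ratio per IKE responder from flow records (to spot hosts being used as reflectors) and lists outbound flows that egress filtering should have dropped; the flow records, prefix and threshold are constructed for illustration.

```python
import ipaddress
from collections import defaultdict

IKE_PORTS = {500, 4500}  # UDP ports for IKE (ISAKMP) and IKE NAT traversal

# Constructed flow records (not real telemetry): src,sport,dst,dport,proto,bytes
SAMPLE_FLOWS = """\
203.0.113.10,40000,198.51.100.5,500,udp,100
198.51.100.5,500,203.0.113.10,40000,udp,1000
192.0.2.7,40001,198.51.100.9,500,udp,100
198.51.100.9,500,192.0.2.7,40001,udp,120
"""
# Constructed records seen on our border router's outbound interface
SAMPLE_EGRESS = """\
192.0.2.7,40001,198.51.100.9,500,udp,100
203.0.113.10,40000,198.51.100.5,500,udp,100
"""

def parse_flows(text):
    """Parse CSV flow lines into dicts; ports and byte counts become ints."""
    flows = []
    for line in text.strip().splitlines():
        src, sport, dst, dport, proto, nbytes = line.split(",")
        flows.append({"src": src, "sport": int(sport), "dst": dst,
                      "dport": int(dport), "proto": proto, "bytes": int(nbytes)})
    return flows

def amplification_by_responder(flows):
    """Bytes each IKE responder sent back divided by bytes it received."""
    received, sent = defaultdict(int), defaultdict(int)
    for f in flows:
        if f["proto"] != "udp":
            continue
        if f["dport"] in IKE_PORTS:
            received[f["dst"]] += f["bytes"]
        elif f["sport"] in IKE_PORTS:
            sent[f["src"]] += f["bytes"]
    return {r: sent[r] / received[r] for r in sent if received[r]}

def flag_reflectors(flows, threshold=5.0):
    """Responders whose reply volume is at least `threshold` times the request volume."""
    ratios = amplification_by_responder(flows)
    return sorted(r for r, a in ratios.items() if a >= threshold)

def spoofed_egress(flows, our_prefixes):
    """Outbound flows with a source address not ours: what egress filtering should drop."""
    nets = [ipaddress.ip_network(p) for p in our_prefixes]
    return [f for f in flows
            if not any(ipaddress.ip_address(f["src"]) in n for n in nets)]
```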
Vendor Information
| Vendor | Status | Date Notified | Date Updated |
|---|---|---|---|
| Oracle Corporation | Affected | 12 Feb 2016 | 18 Jul 2017 |
| GNU glibc | Not Affected | 12 Feb 2016 | 15 Feb 2016 |
| Microsoft Corporation | Not Affected | 12 Feb 2016 | 04 Mar 2016 |
| ACCESS | Unknown | 12 Feb 2016 | 12 Feb 2016 |
| Alcatel-Lucent | Unknown | 12 Feb 2016 | 12 Feb 2016 |
| Apple | Unknown | 12 Feb 2016 | 12 Feb 2016 |
| Arch Linux | Unknown | 12 Feb 2016 | 12 Feb 2016 |
| Arista Networks, Inc. | Unknown | 12 Feb 2016 | 12 Feb 2016 |
| Aruba Networks | Unknown | 12 Feb 2016 | 12 Feb 2016 |
| AT&T | Unknown | 12 Feb 2016 | 12 Feb 2016 |
| Avaya, Inc. | Unknown | 12 Feb 2016 | 12 Feb 2016 |
| Belkin, Inc. | Unknown | 12 Feb 2016 | 12 Feb 2016 |
| Brocade Communication Systems | Unknown | 12 Feb 2016 | 12 Feb 2016 |
| CA Technologies | Unknown | 12 Feb 2016 | 12 Feb 2016 |
| CentOS | Unknown | 12 Feb 2016 | 12 Feb 2016 |
CVSS Metrics
Thanks to Chad Seaman of Akamai for reporting this vulnerability.
This document was written by Garret Wassermann.
- CVE IDs: Unknown
- Date Public: 25 Feb 2016
- Date First Published: 29 Feb 2016
- Date Last Updated: 18 Jul 2017
- Document Revision: 34
If you have feedback, comments, or additional information about this vulnerability, please send us email.