Vulnerability Note VU#419128
IKE/IKEv2 protocol implementations may allow network amplification attacks
Implementations of the IKEv2 protocol are vulnerable to network amplification attacks.
CWE-406: Insufficient Control of Network Message Volume (Network Amplification)
IKE/IKEv2 and other UDP-based protocols can be used to amplify denial-of-service attacks. In some scenarios, an amplification of up to 900% may be obtained from IKEv2 server implementations.
More details are provided in a white paper from the researcher.
An unauthenticated remote attacker may leverage the vulnerable IKE/IKEv2 server to conduct a distributed reflective denial-of-service (DRDoS) attack on another user.
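To check whether your own IKE responder is being used as a reflector, the following added example (not from this note or the researcher's white paper) compares bytes received from and sent to each remote address on UDP 500/4500. The flow-record layout, the sample records and both thresholds are assumptions to adapt to your own flow export.

```python
from collections import defaultdict

IKE_PORTS = {500, 4500}  # IKE and IKE NAT-traversal UDP ports

# Constructed flow records as seen at the IKE server's interface:
# (direction, remote_ip, udp_port, bytes). Addresses are documentation ranges.
SAMPLE_FLOWS = [
    ("in",  "198.51.100.7", 500, 400),   # ordinary peer: request ...
    ("out", "198.51.100.7", 500, 450),   # ... and a similar-sized reply
    ("in",  "203.0.113.50", 500, 300),   # one small request from a claimed source
    ("out", "203.0.113.50", 500, 900),   # several larger datagrams sent back
    ("out", "203.0.113.50", 500, 900),
    ("out", "203.0.113.50", 500, 900),
    ("in",  "198.51.100.9", 53, 80),     # not IKE, ignored
]

def amplification_by_peer(flows):
    """Return {remote_ip: (bytes_in, bytes_out, ratio)} for IKE traffic only."""
    totals = defaultdict(lambda: [0, 0])
    for direction, remote, port, size in flows:
        if port not in IKE_PORTS:
            continue
        totals[remote][0 if direction == "in" else 1] += size
    result = {}
    for remote, (b_in, b_out) in totals.items():
        # Outbound traffic with no inbound at all is treated as infinite ratio.
        ratio = b_out / b_in if b_in else float("inf")
        result[remote] = (b_in, b_out, ratio)
    return result

def suspected_reflection_targets(flows, max_ratio=3.0, min_bytes_out=1000):
    """Remote addresses the server sent far more to than it received from.

    max_ratio and min_bytes_out are assumed starting points, not values
    from the advisory; min_bytes_out suppresses noise from tiny exchanges.
    """
    return sorted(
        remote
        for remote, (b_in, b_out, ratio) in amplification_by_peer(flows).items()
        if b_out >= min_bytes_out and ratio > max_ratio
    )

if __name__ == "__main__":
    for ip, (b_in, b_out, ratio) in amplification_by_peer(SAMPLE_FLOWS).items():
        print(f"{ip}: in={b_in} out={b_out} ratio={ratio:.1f}")
    print("suspected reflection targets:", suspected_reflection_targets(SAMPLE_FLOWS))
```

An address that appears here is the likely victim of spoofed requests, not the sender, so the useful response is rate limiting on the responder and a report to the upstream provider rather than blocking that address as hostile.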
The CERT/CC is currently unaware of a full solution to this problem. Some vendors have addressed this issue separately; please see the affected vendors list below.
Please consider one of the workarounds listed below.
A full solution may require revisions to RFC 7296 and/or RFC 2408.
Perform Egress Filtering
Configure your router/firewall to perform egress filtering, which may help to mitigate attacks that utilize source IP spoofing. Please refer to your product's documentation for instructions on how to perform egress filtering.
Vendor Information
If you are a vendor and your product is affected, let us know.
| Vendor | Status | Date Notified | Date Updated |
| --- | --- | --- | --- |
| Oracle Corporation | Affected | 12 Feb 2016 | 18 Jul 2017 |
| GNU glibc | Not Affected | 12 Feb 2016 | 15 Feb 2016 |
| Microsoft Corporation | Not Affected | 12 Feb 2016 | 04 Mar 2016 |
| ACCESS | Unknown | 12 Feb 2016 | 12 Feb 2016 |
| Alcatel-Lucent | Unknown | 12 Feb 2016 | 12 Feb 2016 |
| Apple | Unknown | 12 Feb 2016 | 12 Feb 2016 |
| Arch Linux | Unknown | 12 Feb 2016 | 12 Feb 2016 |
| Arista Networks, Inc. | Unknown | 12 Feb 2016 | 12 Feb 2016 |
| Aruba Networks | Unknown | 12 Feb 2016 | 12 Feb 2016 |
| AT&T | Unknown | 12 Feb 2016 | 12 Feb 2016 |
| Avaya, Inc. | Unknown | 12 Feb 2016 | 12 Feb 2016 |
| Belkin, Inc. | Unknown | 12 Feb 2016 | 12 Feb 2016 |
| Brocade Communication Systems | Unknown | 12 Feb 2016 | 12 Feb 2016 |
| CA Technologies | Unknown | 12 Feb 2016 | 12 Feb 2016 |
| CentOS | Unknown | 12 Feb 2016 | 12 Feb 2016 |
Thanks to Chad Seaman of Akamai for reporting this vulnerability.
This document was written by Garret Wassermann.
25 Feb 2016
Date First Published: 29 Feb 2016
Date Last Updated: 18 Jul 2017
If you have feedback, comments, or additional information about this vulnerability, please send us email.