Implementations of the IKEv2 protocol are vulnerable to network amplification attacks.
CWE-406: Insufficient Control of Network Message Volume (Network Amplification)
IKE/IKEv2 and other UDP-based protocols can be used to amplify denial-of-service attacks. In some scenarios, an amplification of up to 900% may be obtained from IKEv2 server implementations.
An unauthenticated remote attacker may leverage the vulnerable IKE/IKEv2 server to conduct a distributed reflective denial-of-service (DRDoS) attack on another user.
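As an added illustration of the amplification ratio described above (this is example code written for this page, not part of the CERT note or any vendor's implementation), the Python below parses the fixed IKEv2 header from UDP/500 datagrams recorded at a responder and reports peers for which the server's IKE_SA_INIT responses are several times larger than the requests it received, which is the signature of the server being used as a reflector. The peer addresses, datagram sizes and the 3.0 ratio threshold are constructed sample values.

```python
import struct
from collections import defaultdict
# Fixed IKEv2 header (RFC 7296 section 3.1): SPIs, next payload, version,
# exchange type, flags, message ID, total length (28 bytes).
IKE_HDR = struct.Struct("!8s8sBBBBII")
IKE_SA_INIT = 34        # exchange type of the first, unauthenticated round trip
FLAG_INITIATOR = 0x08   # set on messages sent by the original initiator
FLAG_RESPONSE = 0x20    # set on responses

def parse_ike_header(datagram):
    """Return the header fields, or None if this is not a plausible IKEv2 message."""
    if len(datagram) < IKE_HDR.size:
        return None
    ispi, rspi, nxt, ver, xchg, flags, msgid, length = IKE_HDR.unpack_from(datagram)
    if ver >> 4 != 2 or length < IKE_HDR.size:
        return None
    return {"ispi": ispi, "xchg": xchg, "flags": flags, "msgid": msgid, "length": length}

def amplification_by_peer(records, min_ratio=3.0):
    """records: (direction, peer_ip, datagram) seen at the responder on UDP/500.
    Returns {peer: ratio} for peers whose IKE_SA_INIT response bytes sent exceed
    request bytes received by at least min_ratio, i.e. peers this server amplifies for."""
    rx, tx = defaultdict(int), defaultdict(int)
    for direction, peer, data in records:
        hdr = parse_ike_header(data)
        if hdr is None or hdr["xchg"] != IKE_SA_INIT:
            continue
        if direction == "in" and hdr["flags"] & FLAG_INITIATOR and not hdr["flags"] & FLAG_RESPONSE:
            rx[peer] += len(data)
        elif direction == "out" and hdr["flags"] & FLAG_RESPONSE:
            tx[peer] += len(data)
    return {p: tx[p] / rx[p] for p in rx if rx[p] and tx[p] / rx[p] >= min_ratio}

def _sample_datagram(flags, payload_len):
    """Constructed IKE_SA_INIT message: a valid header over a zero-filled body."""
    length = IKE_HDR.size + payload_len
    return IKE_HDR.pack(b"\x01" * 8, b"\x00" * 8, 33, 0x20, IKE_SA_INIT, flags, 0, length) + bytes(payload_len)
# Constructed traffic: a 48-byte request answered with 428 bytes, a normal-sized
# exchange from 192.0.2.10, and a non-IKE datagram that the parser ignores.
SAMPLE_RECORDS = [
    ("in", "198.51.100.7", _sample_datagram(FLAG_INITIATOR, 20)),
    ("out", "198.51.100.7", _sample_datagram(FLAG_RESPONSE, 400)),
    ("in", "192.0.2.10", _sample_datagram(FLAG_INITIATOR, 300)),
    ("out", "192.0.2.10", _sample_datagram(FLAG_RESPONSE, 400)),
    ("in", "203.0.113.5", b"not an ike message"),
]

def flagged_peers():
    return amplification_by_peer(SAMPLE_RECORDS)
```

Run against real flow or packet captures, the same per-peer ratio is what egress filtering and rate limiting at the responder aim to keep low.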
The CERT/CC is currently unaware of a full solution to this problem. Some vendors have addressed this issue separately; please see the affected vendors list below.
Perform Egress Filtering
Thanks to Chad Seaman of Akamai for reporting this vulnerability.
This document was written by Garret Wassermann.
Date First Published: 2016-02-29
Date Last Updated: 2017-07-18 15:42 UTC