IKE is subject to DoS (Denial of Service) attacks since state has to
be kept in the responder after the first message has been received.
If a malicious peer starts flooding isakmpd with exchange
initiations, a lot of state will accumulate in the responder. Worse
yet, in aggressive mode, the responder will have to do expensive
computational work before the peer has been
authenticated. These issues are actually protocol problems and could
have been moot, if only the ``cookie'' mechanism adopted from the
Photuris protocol had been understood and used correctly
[13,17]. Since the protocol has been
standardized, we need to address the potential attacks. Our approach
is twofold. First, we check every memory allocation for failure and,
on failure, back out, releasing all resources tied to the message
being processed. Second, we impose a configurable maximum exchange
lifetime; when an exchange times out, all of its resources are
returned to the system.
We have considered additional measures, like aggressive random tail drop of exchanges stuck in the half-open state reached after the first reply. This would be somewhat analogous to the usual response to TCP SYN floods.
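The following is an added example, not code from isakmpd or the paper, that puts the three ideas above side by side in a toy responder: a Photuris-style stateless cookie (a keyed hash of the peer address and initiator cookie, so no state exists until the initiator echoes it), allocation failure that backs out everything tied to the current message, a configurable maximum exchange lifetime, and random tail drop once the half-open table is full. The `Responder` class, the `budget` stand-in for free memory, the `FakeClock`, and the `simulate` flood are all constructed for illustration; the peer addresses are made up.

```python
import hashlib
import hmac
import os
import random
import time


class OutOfResources(Exception):
    """Stand-in for a failed allocation (malloc returning NULL)."""


class FakeClock:
    """Deterministic clock so exchange expiry can be driven by hand."""
    def __init__(self):
        self.t = 0.0

    def __call__(self):
        return self.t


class Responder:
    """Hypothetical IKE-like responder (illustration only, not isakmpd)."""

    def __init__(self, lifetime=60.0, max_half_open=4, budget=12,
                 clock=time.monotonic, rng=None):
        self.secret = os.urandom(32)        # key for the stateless cookie
        self.lifetime = lifetime            # configurable max exchange lifetime
        self.max_half_open = max_half_open  # table size before tail drop
        self.budget = budget                # crude model of free memory units
        self.clock = clock
        self.rng = rng or random.Random()
        self.exchanges = {}                 # (peer, icookie) -> record

    def responder_cookie(self, peer, icookie):
        # Photuris-style cookie: recomputable on demand, so nothing is stored
        # until the initiator sends it back.
        msg = peer.encode() + b"|" + icookie
        return hmac.new(self.secret, msg, hashlib.sha256).digest()[:8]

    def handle_first(self, peer, icookie):
        return self.responder_cookie(peer, icookie)   # no state kept

    def _alloc(self, size):
        if self.budget < size:
            raise OutOfResources()
        self.budget -= size
        return size

    def _free(self, size):
        self.budget += size

    def handle_second(self, peer, icookie, rcookie):
        # Allocate only after the peer proves it receives at the claimed
        # address by echoing a valid cookie.
        if not hmac.compare_digest(rcookie, self.responder_cookie(peer, icookie)):
            return False
        self.expire()
        if len(self.exchanges) >= self.max_half_open:
            self.random_tail_drop()
        held = []
        try:
            held.append(self._alloc(1))   # exchange record
            held.append(self._alloc(2))   # nonce and Diffie-Hellman state
        except OutOfResources:
            for h in held:                # back out: release everything
                self._free(h)             # tied to this message
            return False
        self.exchanges[(peer, icookie)] = {"created": self.clock(), "held": held}
        return True

    def expire(self):
        now = self.clock()
        stale = [k for k, e in self.exchanges.items()
                 if now - e["created"] > self.lifetime]
        for k in stale:
            self.drop(k)

    def drop(self, key):
        for h in self.exchanges.pop(key)["held"]:
            self._free(h)

    def random_tail_drop(self):
        # Evict one random half-open exchange, as in TCP SYN-flood handling.
        self.drop(self.rng.choice(list(self.exchanges)))


def simulate(n_peers=20, lifetime=60.0, max_half_open=4, budget=12):
    """Drive a constructed flood and report what each defence achieved."""
    clock = FakeClock()
    r = Responder(lifetime, max_half_open, budget, clock, random.Random(1))
    for i in range(n_peers):                       # spoofed first messages
        r.handle_first("10.0.0.%d" % i, os.urandom(8))
    state_after_spoofed = len(r.exchanges)         # cookies cost no state
    bogus_rejected = not r.handle_second("10.0.0.1", b"\0" * 8, b"\0" * 8)
    accepted = 0
    for i in range(n_peers):                       # peers that round-trip
        peer, ic = "192.0.2.%d" % i, bytes([i]) * 8
        if r.handle_second(peer, ic, r.handle_first(peer, ic)):
            accepted += 1
    state_under_load = len(r.exchanges)            # capped by tail drop
    clock.t += lifetime + 1
    r.expire()                                     # lifetime reclaims the rest
    return {"state_after_spoofed": state_after_spoofed,
            "bogus_rejected": bogus_rejected, "accepted": accepted,
            "state_under_load": state_under_load,
            "state_after_expiry": len(r.exchanges), "budget_left": r.budget}


def allocation_failure_backs_out():
    """With almost no memory the second alloc fails and the first is freed."""
    r = Responder(budget=2, clock=FakeClock())
    peer, ic = "198.51.100.1", b"\1" * 8
    ok = r.handle_second(peer, ic, r.handle_first(peer, ic))
    return ok, r.budget, len(r.exchanges)
```

`simulate()` shows the spoofed first messages leaving no state at all, the half-open table never exceeding `max_half_open` because tail drop makes room, and the lifetime timer returning every unit of the budget once the exchanges go stale; `allocation_failure_backs_out()` shows the budget restored to its starting value after a failed allocation. The cookie part is what the text says IKE could have had; the lifetime, back-out and tail drop are the measures the text describes for the standardized protocol.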