Bugtraq mailing list archives
Re: Re: Cisco VPN Concentrator IKE resource exhaustion DoS Advisory
From: henry.sieff () gmail com
Date: 7 Aug 2006 22:24:13 -0000
Cisco recommends a workaround which essentially sets a limit on the number of outstanding SA's and drops new SA requests if they exceed that limit (outlined in http://www.cisco.com/en/US/products/sw/iosswrel/ps5207/products_feature_guide09186a0080229125.html) It seems to me that this will not accomplish much - presumably the determined attacker will simply continue to send packets - as soon as the number of SA'ss drops below that limit the attacker will simply fill up the queue again. Am I missing something about the vulnerability or the supposed fix from Cisco?
Current thread:
- Re: Cisco VPN Concentrator IKE resource exhaustion DoS Advisory Roy Hills (Aug 02)
- <Possible follow-ups>
- Re: Re: Cisco VPN Concentrator IKE resource exhaustion DoS Advisory henry . sieff (Aug 11)
- RE: Re: Cisco VPN Concentrator IKE resource exhaustion DoS Advisory Lance Seelbach (Aug 14)
- Re: Re: Cisco VPN Concentrator IKE resource exhaustion DoS Advisory Henry Sieff (Aug 11)
- RE: Re: Cisco VPN Concentrator IKE resource exhaustion DoS Advisory Lance Seelbach (Aug 14)