Re: Re: Cisco VPN Concentrator IKE resource exhaustion DoS Advisory

[henry.sieff () gmail com]

Cisco recommends a workaround which essentially sets a limit on the number of outstanding SA's and drops new SA 
requests if they exceed that limit (outlined in 
http://www.cisco.com/en/US/products/sw/iosswrel/ps5207/products_feature_guide09186a0080229125.html)

It seems to me that this will not accomplish much - presumably the determined attacker will simply continue to send 
packets - as soon as the number of SA'ss drops below that limit the attacker will simply fill up the queue again. Am I 
missing something about the vulnerability or the supposed fix from Cisco?