{"vuid":"VU#419128","idnumber":"419128","name":"IKE/IKEv2 protocol implementations may allow network amplification attacks","keywords":["ike","dos","amplification"],"overview":"Implementations of the IKEv2 protocol are vulnerable to network amplification attacks.","clean_desc":"CWE-406: Insufficient Control of Network Message Volume (Network Amplification) IKE/IKEv2 and other UDP-based protocols can be used to amplify denial-of-service attacks. In some scenarios, an amplification of up to 900% may be obtained from IKEv2 server implementations. More details are provided in a white paper from the researcher.","impact":"An unauthenticated remote attacker may leverage the vulnerable IKE/IKEv2 server to conduct a distributed reflective denial-of-service (DRDoS) attack on another user.","resolution":"The CERT/CC is currently unaware of a full solution to this problem. Some vendors have addressed this issue separately; please see the affected vendors list below. Please consider one of the workarounds listed below. A full solution may require revisions to RFC 7296 and/or RFC 2408.","workarounds":"Perform Egress Filtering Configure your router/firewall to perform egress filtering, which may help to mitigate attacks that utilize source IP spoofing.\nPlease refer to your product's documentation for instructions on how to perform egress filtering.","sysaffected":"","thanks":"Thanks to Chad Seaman of Akamai for reporting this vulnerability.","author":"This document was written by Garret Wassermann.","public":["https://blogs.akamai.com/2016/02/ikeikev2-ripe-for-ddos-abuse.html","https://community.akamai.com/docs/DOC-5289","http://www.nta-monitor.com/wiki/index.php/Ike-scan_User_Guide","http://cwe.mitre.org/data/definitions/406.html","http://tools.ietf.org/html/rfc7296","http://tools.ietf.org/html/rfc2408"],"cveids":[""],"certadvisory":"","uscerttechnicalalert":null,"datecreated":"2015-10-09T12:09:44Z","publicdate":"2016-02-25T00:00:00Z","datefirstpublished":"2016-02-29T16:02:20Z","dateupdated":"2017-07-18T15:42:38Z","revision":35,"vrda_d1_directreport":"1","vrda_d1_population":"4","vrda_d1_impact":"4","cam_widelyknown":"0","cam_exploitation":"0","cam_internetinfrastructure":"0","cam_population":"0","cam_impact":"0","cam_easeofexploitation":"0","cam_attackeraccessrequired":"0","cam_scorecurrent":"0","cam_scorecurrentwidelyknown":"0","cam_scorecurrentwidelyknownexploited":"0","ipprotocol":"","cvss_accessvector":"N","cvss_accesscomplexity":"L","cvss_authentication":null,"cvss_confidentialityimpact":"N","cvss_integrityimpact":"N","cvss_availabilityimpact":"C","cvss_exploitablity":null,"cvss_remediationlevel":"W","cvss_reportconfidence":"C","cvss_collateraldamagepotential":"ND","cvss_targetdistribution":"H","cvss_securityrequirementscr":"ND","cvss_securityrequirementsir":"ND","cvss_securityrequirementsar":"ND","cvss_basescore":"7.8","cvss_basevector":"AV:N/AC:L/Au:N/C:N/I:N/A:C","cvss_temporalscore":"6.7","cvss_environmentalscore":"6.6573635184","cvss_environmentalvector":"CDP:ND/TD:H/CR:ND/IR:ND/AR:ND","metric":0.0,"vulnote":null}