Long trip to Boston

It's a painful mission to take a flight of over 14 hours from Shanghai to Boston. The first segment, from Shanghai to Chicago, takes over 12 hours. I have never stayed on a noisy plane for so long. To save money, I had to fly economy class, where it is hard to move my legs. It left me almost exhausted when I got off the plane.
I rushed to US Customs and Border Protection together with the crowds as soon as I got off the plane, and I realized that waiting in a snaking line is not a tradition only in China. After about 45 minutes of waiting, I came to a US officer and handed in the I-94 form. He checked my visa and the form, then asked me to leave my fingerprints. However, I was very tired and nervous and my hands were wet, so he challenged me about why I was here and what I was in the US for, and asked for an invitation letter. I had no invitation letter with me, only the visa. So I explained in detail to him and finally got through. It would have been remarkable to be refused entry to the US after a 12-hour flight. Getting through Customs was a success. It is also a long way to get to the domestic flight gate: I needed to take the ATS (automatic transportation system) train to get to Terminal 1. Headache after headache; I was losing power while waiting in the Chicago airport. Finally, I got to Boston at about 9 pm. It took me about 30 minutes to find my luggage and another 10 minutes plus 2 roaming calls to find the limo car. Fortunately, I got into a Lincoln, which was luxurious and nice. My head was almost splitting when I got to the hotel. The first thing I wanted to do was sleep. However, I only slept for 2 hours and then woke up. I needed to force myself to fall asleep and get refreshed.
I woke up early in the morning and had a nice breakfast. I enjoyed the sunny-side-up eggs made by a US guy. I took a shuttle bus to get to the office early. The office looks beautiful. Every guy here is very cool and stylish, but the ladies are all fat.
No more to report, but I am very tired now. Headache again…

Cisco VPN Concentrators Vulnerable to IKE Resource Exhaustion DoS Attack

http://www.nta-monitor.com/posts/2006/07/cisco-concentrator-dos.html

Overview

NTA Monitor has found a denial-of-service vulnerability in Cisco's VPN 3000 series concentrator products. The vulnerability affects phase 1 of IKE negotiation. Both Main Mode and Aggressive Mode are affected, whether transported over UDP or TCP.

By exploiting this vulnerability, an attacker can send a large volume of IKE requests to exhaust the concentrator's IKE resources. This prevents other legitimate clients from connecting to the VPN, causes key exchanges to fail, or even makes the service unusable, achieving a DoS. The attack does not require high bandwidth: a single attacker can take down multiple VPN concentrators. The mechanism behind the vulnerability is similar to the well-known TCP SYN flood vulnerability.

Vulnerability Details

The vulnerability allows an attacker to initiate a large number of new IKE sessions against a remote VPN concentrator faster than the invalid sessions in the concentrator's queue time out, so the queue keeps growing and resources are exhausted.

The attack works by sending IKE phase 1 packets over any transport the concentrator accepts. No valid credentials are needed to exploit the vulnerability, because it occurs before authentication. It affects both Main Mode and Aggressive Mode, with IKE encapsulated over either UDP or TCP.

To exploit the vulnerability, the attacker needs to send IKE packets at a rate higher than the rate at which the concentrator's IKE sessions time out. The testers found that the target concentrator generally began to be affected at about 2 packets per second, and that the device became unusable at 10 packets per second. Using the smallest Main Mode packet, 112 bytes each, ten packets per second equates to about 9 kbps.

While the attack packets keep arriving, the VPN concentrator cannot process further IKE requests; once the attack packets stop, the concentrator returns to normal and processes the session requests remaining in its queue.

At the same time, it is not practical to block external IKE connections to the VPN concentrator, because remote IPsec access depends on them. IKE usually runs over UDP, so an attacker can spoof the packets' source IP addresses to bypass IP address filtering. Moreover, IDS/IPS systems may find this attack hard to detect, because the packets are all legitimate IKE packets.

The symptom of the attack is that once the target concentrator's negotiation queue is full, it no longer responds to IKE requests. This means new clients cannot connect and phase 1 rekeying fails. It is not yet known whether phase 2 rekeying is affected. Traffic on already-established VPN tunnels is not affected unless they rekey.
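The advisory notes that signature-based IDS/IPS struggles here because every packet is a well-formed IKE packet, and that source addresses can be spoofed over UDP. What a defender can still measure is the rate of new phase 1 initiations per concentrator. The following detector is an added example (not code from NTA Monitor, Cisco or this post): it reads constructed firewall-style log lines for UDP/500 traffic, counts only first packets of a new ISAKMP session (responder cookie all zero, so rekeys on established SAs are ignored), and alerts when the new-session rate to a destination in a sliding window exceeds the 2 packets per second figure quoted above. The log format, addresses, cookies and the `half_open_load` timeout value are assumptions made for the example; counting per destination rather than per source is deliberate, since the sources may be spoofed.

```python
import re
from collections import defaultdict, deque

# Constructed log format (an assumption for this example, not any vendor's real format):
# "<epoch secs> <src>:<sport> -> <dst>:500 isakmp icookie=<16 hex> rcookie=<16 hex> exch=<main|aggressive>"
LINE_RE = re.compile(
    r"^(?P<ts>\d+(?:\.\d+)?) (?P<src>[\d.]+):\d+ -> (?P<dst>[\d.]+):500 isakmp "
    r"icookie=(?P<icookie>[0-9a-f]{16}) rcookie=(?P<rcookie>[0-9a-f]{16}) "
    r"exch=(?P<exch>main|aggressive)$"
)


def parse_line(line):
    """Parse one log line into a dict, or return None if it is not an ISAKMP record."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    rec = m.groupdict()
    rec["ts"] = float(rec["ts"])
    return rec


def is_new_session(rec):
    # The first phase 1 packet from an initiator carries an all-zero responder cookie;
    # that is the packet that occupies a queue slot. Rekeys on an established ISAKMP SA
    # have both cookies set and are not new sessions.
    return rec["rcookie"] == "0" * 16


def half_open_load(rate_pps, timeout_s):
    """SYN-flood style model: half-open sessions held at steady state = arrival rate x timeout.

    The timeout is an assumed parameter; the advisory does not state the concentrator's value.
    """
    return rate_pps * timeout_s


def detect_floods(lines, window_s=10.0, threshold_pps=2.0):
    """Return one alert per destination: (dst, ts, new_sessions_per_sec, distinct_sources).

    Rate is counted per destination so that spoofed source addresses do not dilute it.
    """
    windows = defaultdict(deque)  # dst -> deque of (ts, src) for new sessions in the window
    alerted = set()
    alerts = []
    for line in lines:
        rec = parse_line(line)
        if rec is None or not is_new_session(rec):
            continue
        dq = windows[rec["dst"]]
        dq.append((rec["ts"], rec["src"]))
        while dq and rec["ts"] - dq[0][0] > window_s:
            dq.popleft()
        rate = len(dq) / window_s
        if rate > threshold_pps and rec["dst"] not in alerted:
            alerted.add(rec["dst"])
            alerts.append((rec["dst"], rec["ts"], rate, len({src for _, src in dq})))
    return alerts


def build_sample_log():
    """Constructed sample: six normal clients, one rekey, then a 10 pps flood to another concentrator."""
    lines = []
    for i in range(6):
        lines.append(f"{i * 10:.1f} 192.0.2.{i + 1}:500 -> 198.51.100.10:500 isakmp "
                     f"icookie={i + 1:016x} rcookie={'0' * 16} exch=main")
    # A rekey on an established ISAKMP SA: responder cookie is set, so it must be ignored.
    lines.append(f"55.0 192.0.2.1:500 -> 198.51.100.10:500 isakmp "
                 f"icookie={'ab' * 8} rcookie={'cd' * 8} exch=main")
    # Flood: 50 first packets in 5 s (10 pps, the rate the advisory reports as unusable)
    # from many different (spoofed-looking) sources.
    for k in range(50):
        ts = 100 + k / 10
        lines.append(f"{ts:.1f} 10.0.{k // 256}.{k % 256}:500 -> 203.0.113.1:500 isakmp "
                     f"icookie={k + 1000:016x} rcookie={'0' * 16} exch=aggressive")
    return lines


if __name__ == "__main__":
    for dst, ts, rate, nsrc in detect_floods(build_sample_log()):
        print(f"ALERT t={ts:.1f} dst={dst} new IKE sessions/s={rate:.1f} distinct sources={nsrc}")
    print("half-open sessions at 2 pps with an assumed 60 s timeout:", half_open_load(2, 60))
```

The threshold and window are tunable; the point of the sliding window is that the alert fires on sustained rate rather than on a single burst, and the distinct-source count in the alert tells the analyst at a glance whether source filtering would even help.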

Cisco's Response

http://www.cisco.com/en/US/tech/tk583/tk372/tsd_technology_security_response09186a00806f33d4.html

There is still no good solution at present.

Commentary

This vulnerability is not limited to Cisco VPN devices; it very likely affects all VPN products that implement the IKE version 1 standard. It is a protocol-level flaw, similar to TCP's SYN flood weakness. But this vulnerability is easier to exploit than a SYN flood: rather than needing large packet volumes and bandwidth, a tiny amount of traffic can mount a crippling DoS attack against a device providing VPN service. Given that no good solution exists at present, could VPN vendors consider upgrading the IKE protocol they use to a higher version? Perhaps DoS and DDoS will accompany the internet's development forever, always a headache for everyone, and also a reason the security industry survives.