In IPsec, replay protection
is provided by a sequence number counter and an anti-replay window. But it causes
some problems in current implementations that follow RFC 2401 Appendix C.
Once an attacker has captured an IPsec flow, the IP
addresses and the SPI are known, and he can send forged IP packets to the
destination whose sequence number is very large, close to 2^32.
In the case of ESP
without authentication, after the forged packet is received the anti-replay window
of the SA wrongly slides all the way to the end, so most later (legitimate) packets
are rejected as too old until the SA is rebuilt. This is a serious problem.
(RFC 2406 allows the anti-replay service to be selected only together with
authentication for exactly this reason; an implementation that slides the window on
unauthenticated packets is exposed to it.)
In the other case, the destination
receives the forged packet and must authenticate it, since the packet lies to the
right of the window and passes the cheap sequence number check. When the attacker
sends many forged packets, the destination can be driven into denial of service
because its processing capacity is exhausted: each forged packet is discarded only
after its authentication has been computed and has failed.
How can this problem be solved?
If we receive a new IPsec packet
whose sequence number is much larger than the last packet's, by more than 128 or
some other specified number, we consider it a forged packet and discard it;
otherwise we simply slide the window. This avoids the DoS attack to a large
degree. The threshold must be larger than the longest run of packets that can
legitimately be lost on the path: if a gap ever exceeds it, every later packet on
the SA is rejected as forged until the SA is rebuilt.
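The following is an added example, not code from this post or from RFC 2401 Appendix C. It follows the Appendix C design, with the cheap sequence number check done before the ICV and the window update done afterwards, and adds the proposed limit on how far a packet may lead the window (the max_jump field). The 64-bit window width, the function names, and the sample traffic are assumptions for illustration. The receive_unauthenticated() function models the first case above, ESP without authentication, where a packet that passes the check also updates the window; legit_survives_forgery() shows the window being wedged by one forged packet and the proposed limit preventing it.

```c
#include <stdint.h>
#include <stdbool.h>
#include <stddef.h>
#include <stdio.h>

#define WINDOW_SIZE 64   /* bitmap width (assumption); RFC 2401 requires at least 32 */

typedef struct {
    uint32_t last_seq;   /* highest sequence number accepted on this SA */
    uint64_t bitmap;     /* bit i set <=> sequence number (last_seq - i) was received */
    uint32_t max_jump;   /* proposed limit on how far a packet may lead last_seq; 0 = off */
} replay_state;

void replay_init(replay_state *s, uint32_t max_jump)
{
    s->last_seq = 0;
    s->bitmap = 0;
    s->max_jump = max_jump;
}

/* Cheap check done before the ICV is verified (RFC 2401 Appendix C order). */
bool replay_check(const replay_state *s, uint32_t seq)
{
    if (seq == 0)
        return false;                        /* the first valid sequence number is 1 */
    if (seq > s->last_seq) {                 /* right of the window: new... */
        if (s->max_jump != 0 && seq - s->last_seq > s->max_jump)
            return false;                    /* ...unless it leads by too much (the proposal) */
        return true;
    }
    uint32_t back = s->last_seq - seq;
    if (back >= WINDOW_SIZE)
        return false;                        /* left of the window: too old */
    return (s->bitmap & ((uint64_t)1 << back)) == 0;  /* inside window: reject replays */
}

/* Window update; with authentication this runs only after the ICV verified. */
void replay_update(replay_state *s, uint32_t seq)
{
    if (seq > s->last_seq) {
        uint32_t shift = seq - s->last_seq;
        s->bitmap = (shift >= WINDOW_SIZE) ? 0 : (s->bitmap << shift);
        s->bitmap |= 1;                      /* bit 0 stands for last_seq itself */
        s->last_seq = seq;
    } else {
        s->bitmap |= (uint64_t)1 << (s->last_seq - seq);
    }
}

/* Model of an SA using ESP without authentication: every packet that passes the
 * window check also updates the window, since there is no ICV that could fail.
 * Returns how many of the given sequence numbers were accepted. */
size_t receive_unauthenticated(replay_state *s, const uint32_t *seqs, size_t n)
{
    size_t accepted = 0;
    for (size_t i = 0; i < n; i++) {
        if (replay_check(s, seqs[i])) {
            replay_update(s, seqs[i]);
            accepted++;
        }
    }
    return accepted;
}

/* Convenience wrapper: fresh SA, feed a sequence, report how many were accepted. */
size_t count_accepted(const uint32_t *seqs, size_t n, uint32_t max_jump)
{
    replay_state s;
    replay_init(&s, max_jump);
    return receive_unauthenticated(&s, seqs, n);
}

/* Scenario from the post: ten legitimate packets, one forged packet carrying the
 * largest possible sequence number, then the next legitimate packet.
 * Returns true if the legitimate packet after the forgery is still accepted. */
bool legit_survives_forgery(uint32_t max_jump)
{
    /* constructed sample traffic, not a capture */
    const uint32_t traffic[] = { 1, 2, 3, 4, 5, 6, 7, 8, 9, 10, 0xFFFFFFFFu, 11 };
    replay_state s;
    replay_init(&s, max_jump);
    receive_unauthenticated(&s, traffic, 11);
    return replay_check(&s, traffic[11]);
}

int main(void)
{
    printf("plain RFC 2401 window: seq 11 after forgery accepted? %s\n",
           legit_survives_forgery(0) ? "yes" : "no");
    printf("with max_jump = 128:   seq 11 after forgery accepted? %s\n",
           legit_survives_forgery(128) ? "yes" : "no");
    return 0;
}
```

With max_jump set to 0 the forged packet slides last_seq to 0xFFFFFFFF and every later legitimate packet falls left of the window; with max_jump = 128 the forgery is dropped by the cheap check and never reaches the ICV. The same check also shows the cost of the proposal: a legitimate packet that leads the window by more than max_jump is dropped too, so the value has to exceed the largest burst of loss expected on the path.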