Mirror of https://github.com/strongswan/strongswan.git (synced 2025-10-05 00:00:45 -04:00)
Because the global cookie threshold is higher than the per-IP block threshold, it was previously possible for an attacker to block a legitimate user by sending spoofed IKE_SA_INIT packets from that user's IP.

The timespan for requiring cookies is now also not extended anymore with every IKE_SA_INIT received during the calm down period, because this allowed an attacker, after initially triggering the global cookie threshold, to force cookies for all clients by sending just a single spoofed IKE_SA_INIT every 10 seconds.

We keep track of reaching the per-IP threshold in segments of the hashed IP addresses, so only a (random, due to chunk_hash()'s random key) subset of clients will receive cookies if single IPs are targeted.

The default global threshold is increased a bit.
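The following sketch is an added example, not code from this commit or from strongSwan. It models the segment tracking and the non-extended calm-down period described above; the names `cookie_state_t`, `segment_of` and `cookie_required`, the keyed FNV-1a hash standing in for chunk_hash(), and all constants are assumptions made for illustration.

```c
#include <stdbool.h>
#include <stdint.h>

/* All constants are illustrative assumptions, not strongSwan's values. */
#define SEGMENTS          256  /* buckets of hashed source IPs */
#define PER_IP_THRESHOLD  5    /* half-open SAs from one IP */
#define GLOBAL_THRESHOLD  30   /* half-open SAs in total */
#define CALM_DOWN         10   /* seconds cookies stay required */

typedef struct {
	uint64_t key;                  /* random per-process hash key */
	uint32_t global_until;         /* cookies required for everyone until then */
	uint32_t seg_until[SEGMENTS];  /* same, per segment of hashed IPs */
} cookie_state_t;

/* Keyed FNV-1a over the IPv4 address, a stand-in for chunk_hash() with its
 * random key: an outsider cannot predict which IPs share a segment. */
static unsigned segment_of(const cookie_state_t *s, uint32_t ip)
{
	uint64_t h = 0xcbf29ce484222325ULL ^ s->key;

	for (int i = 0; i < 4; i++)
	{
		h = (h ^ ((ip >> (8 * i)) & 0xff)) * 0x100000001b3ULL;
	}
	return (unsigned)(h >> 32) % SEGMENTS;
}

/* Decide whether an IKE_SA_INIT from `ip` at time `now` must carry a cookie,
 * given the current half-open SA counts for that IP and in total. */
static bool cookie_required(cookie_state_t *s, uint32_t ip, uint32_t now,
							unsigned half_open_ip, unsigned half_open_total)
{
	uint32_t *seg_until = &s->seg_until[segment_of(s, ip)];

	/* Only an actual threshold hit moves a deadline; a packet that merely
	 * arrives during the calm-down period leaves it untouched. */
	if (half_open_total >= GLOBAL_THRESHOLD)
	{
		s->global_until = now + CALM_DOWN;
	}
	if (half_open_ip >= PER_IP_THRESHOLD)
	{
		*seg_until = now + CALM_DOWN;
	}
	return now < s->global_until || now < *seg_until;
}
```

Because a segment requires cookies as soon as one of its IPs reaches the per-IP threshold, spoofed requests for a targeted address have to pass the cookie check, while clients in other segments are unaffected.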