SANS ISC: Cisco IKE Resource Exhaustion Attack - SANS Internet Storm Center
Cisco IKE Resource Exhaustion Attack
Fred sent us a note after receiving e-mail from Cisco.

"The attack against the Internet Key Exchange (IKE) protocol described in the NTA Monitor advisory exploits the stateless nature of the IKE version 1 protocol. The goal of such an attack is to deplete the resources available on a device to negotiate IKE security associations, and block legitimate users from establishing a new security association."

Cisco states "This vulnerability is not related to a specific vendor implementation, but to underlying issues in the IKE protocol, and may affect any device which implements IKE version"

There is a workaround available for IOS, but not for any other Cisco products.

Cisco's full response can be found here.

Check with your vendor for other systems you have that use IKE version 1.
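Because the attack works by leaving many IKEv1 Phase 1 negotiations unfinished until the device can no longer accept new ones, one thing a defender can do today is watch the count of half-open negotiations per peer and in aggregate. The script below is an added example, not code from the ISC diary or from Cisco; it parses a hypothetical, constructed log format (one line per IKE event: timestamp, event, peer, SPI) and raises an alert when the number of in-negotiation SAs crosses a threshold. The thresholds and the event names are assumptions chosen for the example.

```python
import re
from collections import defaultdict

# Hypothetical log format, constructed for this example (not a real Cisco or
# ISC format): "<epoch> <EVENT> peer=<ip> spi=<hex>"
LINE_RE = re.compile(
    r"^(?P<ts>\d+) (?P<event>IKE_INIT|IKE_COMPLETE|IKE_DELETE) "
    r"peer=(?P<peer>[0-9.]+) spi=(?P<spi>[0-9a-f]+)$"
)

# Constructed sample: 198.51.100.10 negotiates normally; 203.0.113.7 opens
# six Phase 1 negotiations and completes none of them.
SAMPLE_LOG = """\
1000 IKE_INIT peer=198.51.100.10 spi=a1
1001 IKE_COMPLETE peer=198.51.100.10 spi=a1
1002 IKE_INIT peer=203.0.113.7 spi=b1
1002 IKE_INIT peer=203.0.113.7 spi=b2
1003 IKE_INIT peer=203.0.113.7 spi=b3
1003 IKE_INIT peer=203.0.113.7 spi=b4
1004 IKE_INIT peer=203.0.113.7 spi=b5
1004 IKE_INIT peer=203.0.113.7 spi=b6
1005 IKE_INIT peer=198.51.100.10 spi=a2
1006 IKE_COMPLETE peer=198.51.100.10 spi=a2
"""


def parse_line(line):
    """Return (ts, event, peer, spi) for a well-formed line, else None."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    return int(m["ts"]), m["event"], m["peer"], m["spi"]


def _count_by_peer(half_open):
    """Count half-open negotiations per peer address."""
    by_peer = defaultdict(int)
    for peer, _spi in half_open:
        by_peer[peer] += 1
    return by_peer


def analyze(lines, per_peer_limit=5, total_limit=50):
    """Track half-open IKEv1 Phase 1 negotiations and flag exhaustion patterns.

    A negotiation is half-open from IKE_INIT until an IKE_COMPLETE or
    IKE_DELETE arrives for the same (peer, spi). Returns a tuple of
    (half_open_count_by_peer, alerts); each alert is
    (timestamp, peer_or_None, message, count).
    """
    half_open = set()      # (peer, spi) pairs still in negotiation
    alerts = []
    flagged = set()        # peers (or None for the aggregate) already alerted
    for line in lines:
        parsed = parse_line(line)
        if parsed is None:
            continue       # skip unrelated or malformed lines
        ts, event, peer, spi = parsed
        key = (peer, spi)
        if event == "IKE_INIT":
            half_open.add(key)
        else:
            half_open.discard(key)
        # Re-check after every event so the alert records the timestamp at
        # which the threshold was first crossed.
        by_peer = _count_by_peer(half_open)
        if by_peer[peer] > per_peer_limit and peer not in flagged:
            flagged.add(peer)
            alerts.append((ts, peer, "per-peer half-open IKE limit exceeded", by_peer[peer]))
        # The aggregate check matters because a per-peer threshold alone
        # says nothing when the load is spread across many addresses.
        if len(half_open) > total_limit and None not in flagged:
            flagged.add(None)
            alerts.append((ts, None, "aggregate half-open IKE limit exceeded", len(half_open)))
    return dict(_count_by_peer(half_open)), alerts


if __name__ == "__main__":
    counts, found = analyze(SAMPLE_LOG.splitlines())
    print("half-open by peer:", counts)
    for alert in found:
        print("ALERT", alert)
```

Run against the sample, the script reports six half-open negotiations from 203.0.113.7 and a single per-peer alert at timestamp 1004, while the well-behaved peer ends with none outstanding. The same two numbers, in-negotiation SAs per peer and in total, are what a rate limit or admission-control setting on the device itself would bound.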


Jul 27th 2006