By Bill Brenner, Akamai SIRT senior tech writer
Akamai's Security Intelligence Research Team (SIRT) is conducting research into the security posture of the Internet Key Exchange (IKE & IKEv2) protocol. The paper outlines the findings thus far, including configurations in the protocol itself that attackers could potentially leverage to launch reflected DDoS campaigns.
Our motivation to examine it is based on the nearly ubiquitous nature of IKE/IKEv2, which is used to facilitate secure key exchanges between peer devices in the IPsec protocol suite. It is widely deployed in multiple secure tunneling applications such as VPN products from major vendors and open source projects.
Given its heavy use, it made sense to take a look under the hood.
Several UDP protocols have appeared on our radar during more than four years of active monitoring and advisory releases concerning reflection-based DDoS attacks. Results from this research have gone into Akamai's State of the Internet Security reports, supporting active trends in the DDoS threat landscape. This history has sparked internal efforts to discover potential UDP-based reflection and amplification opportunities, with the goal of disclosing, cleaning up, and fixing issues before they can be weaponized for DDoS.
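As an added illustration, not code from Akamai's paper or this post, here is a small defender-side check of the kind this research program relies on: it computes the response-to-request byte ratio per peer over IKE-port traffic, which is the signature of an amplification vector. The flow records, their field layout and the 3x threshold are constructed assumptions; ports 500 and 4500 are the standard IKE and NAT-T ports.

```python
import re
from collections import defaultdict

# Constructed flow records (not real traffic), as seen from the IKE responder's
# network edge: "<dir> <peer_ip> <port> <bytes>", where dir is "in" (peer -> us)
# or "out" (us -> peer). Ports 500 and 4500 are the standard IKE / NAT-T ports.
SAMPLE_FLOWS = """\
in  198.51.100.7 500 120
out 198.51.100.7 500 1040
in  198.51.100.7 500 120
out 198.51.100.7 500 1040
in  203.0.113.9 500 360
out 203.0.113.9 500 420
in  203.0.113.9 4500 96
out 203.0.113.9 4500 96
in  192.0.2.44 4500 100
out 192.0.2.44 4500 3200
"""
IKE_PORTS = {500, 4500}
LINE_RE = re.compile(r"^(in|out)\s+(\S+)\s+(\d+)\s+(\d+)$")

def parse_flows(text):
    """Parse the constructed flow format into (direction, peer, port, bytes) tuples."""
    records = []
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        m = LINE_RE.match(line)
        if not m:
            raise ValueError(f"unparseable flow line: {line!r}")
        direction, peer, port, nbytes = m.groups()
        records.append((direction, peer, int(port), int(nbytes)))
    return records

def amplification_by_peer(records):
    """Return {peer: bytes_out / bytes_in} over IKE-port traffic only."""
    totals = defaultdict(lambda: [0, 0])  # peer -> [bytes_in, bytes_out]
    for direction, peer, port, nbytes in records:
        if port not in IKE_PORTS:
            continue
        totals[peer][0 if direction == "in" else 1] += nbytes
    # A peer that only ever receives traffic from us gets an infinite ratio.
    return {p: (o / i if i else float("inf")) for p, (i, o) in totals.items()}

def flag_suspect_peers(records, threshold=3.0):
    """Peers whose IKE responses are >= threshold times larger than their requests."""
    return sorted(p for p, f in amplification_by_peer(records).items() if f >= threshold)

if __name__ == "__main__":
    print(flag_suspect_peers(parse_flows(SAMPLE_FLOWS)))  # ['192.0.2.44', '198.51.100.7']
```

A high ratio alone does not prove abuse, since legitimate IKE responses can be larger than requests; it tells you which responders to rate-limit or investigate.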
This is our first piece of research in this regard and is dedicated exclusively to discoveries in IKE/IKEv2. What follows is what we learned after setting our sights more intently on the protocol.
The full paper, available here, delves into the history of IKE, offers visuals to illustrate where the weaknesses are, and offers steps organizations can take to reduce risk exposure.