IKE is subject to DoS (Denial of Service) attacks since state has to be kept in the responder after the first message has been received. If a malicious peer starts flooding isakmpd with exchange initiations, a lot of state will accumulate in the responder. Worse yet, in aggressive mode, the responder will have to do expensive computational work before the peer has been authenticated. These issues are actually protocol problems and could have been moot, if only the ``cookie'' mechanism adopted from the Photuris protocol had been understood and used correctly [13,17]. Since the protocol has been standardized, we need to address the potential attacks. Our approach is twofold: first off, we always check memory allocation for failure, and back out, cleaning up all resources tied in with the message we are re dealing with. Second, we use a maximum, configurable, exchange lifetime. If the exchange times out, all resources are given back to the system.
We have considered additional measures, like aggressive random tail drop of exchanges stuck in the state after the first reply. This would be somewhat analogous to the normal response to TCP SYN-floods.