Executive Summary

Title IKE/IKEv2 protocol implementations may allow network amplification attacks
Name VU#419128 First vendor Publication 2016-02-29
Vendor VU-CERT Last vendor Modification 2016-03-04
Severity (Vendor) N/A Revision M

Security-Database Scoring CVSS v3

Cvss vector : N/A
Overall CVSS Score NA
Base Score NA Environmental Score NA
impact SubScore NA Temporal Score NA
Exploitabality Sub Score NA
Calculate full CVSS 3.0 Vectors scores

Security-Database Scoring CVSS v2

Cvss vector :
Cvss Base Score Not Defined Attack Range Not Defined
Cvss Impact Score Not Defined Attack Complexity Not Defined
Cvss Expoit Score Not Defined Authentication Not Defined
Calculate full CVSS 2.0 Vectors scores


Vulnerability Note VU#419128

IKE/IKEv2 protocol implementations may allow network amplification attacks

Original Release date: 29 Feb 2016 | Last revised: 04 Mar 2016


Implementations of the IKEv2 protocol are vulnerable to network amplification attacks.


CWE-406: Insufficient Control of Network Message Volume (Network Amplification)

IKE/IKEv2 and other UDP-based protocols can be used to amplify denial-of-service attacks. In some scenarios, an amplification of up to 900% may be obtained from IKEv2 server implementations.

More details are provided in a white paper from the researcher.


An unauthenticated remote attacker may leverage the vulnerable IKE/IKEv2 server to conduct a distributed reflective denial-of-service (DRDoS) attack on another user.


The CERT/CC is currently unaware of a full solution to this problem.

Please consider one of the workarounds listed below.

A full solution may require revisions to RFC 7296 and/or RFC 2408.

Perform Egress Filtering

Configure your router/firewall to perform egress filtering, which may help to mitigate attacks that utilize source IP spoofing. Please refer to your product's documentation for instructions on how to perform egress filtering.

Vendor Information (Learn More)

VendorStatusDate NotifiedDate Updated
GNU glibcNot Affected12 Feb 201615 Feb 2016
Microsoft CorporationNot Affected12 Feb 201604 Mar 2016
ACCESSUnknown12 Feb 201612 Feb 2016
Alcatel-LucentUnknown12 Feb 201612 Feb 2016
AppleUnknown12 Feb 201612 Feb 2016
Arch LinuxUnknown12 Feb 201612 Feb 2016
Arista Networks, Inc.Unknown12 Feb 201612 Feb 2016
Aruba NetworksUnknown12 Feb 201612 Feb 2016
AT&TUnknown12 Feb 201612 Feb 2016
Avaya, Inc.Unknown12 Feb 201612 Feb 2016
Belkin, Inc.Unknown12 Feb 201612 Feb 2016
Brocade Communication SystemsUnknown12 Feb 201612 Feb 2016
CA TechnologiesUnknown12 Feb 201612 Feb 2016
CentOSUnknown12 Feb 201612 Feb 2016
Check Point Software TechnologiesUnknown12 Feb 201612 Feb 2016
If you are a vendor and your product is affected, let us know.View More »

CVSS Metrics (Learn More)



  • https://blogs.akamai.com/2016/02/ikeikev2-ripe-for-ddos-abuse.html
  • https://community.akamai.com/docs/DOC-5289
  • http://www.nta-monitor.com/wiki/index.php/Ike-scan_User_Guide
  • http://cwe.mitre.org/data/definitions/406.html
  • http://tools.ietf.org/html/rfc7296
  • http://tools.ietf.org/html/rfc2408


Thanks to Chad Seaman of Akamai for reporting this vulnerability.

This document was written by Garret Wassermann.

Other Information

  • CVE IDs:Unknown
  • Date Public:25 Feb 2016
  • Date First Published:29 Feb 2016
  • Date Last Updated:04 Mar 2016
  • Document Revision:31


If you have feedback, comments, or additional information about this vulnerability, please send us email.

Original Source

Url : http://www.kb.cert.org/vuls/id/419128

Alert History

If you want to see full details history, please login or register.
Date Informations
2016-11-05 13:24:39
  • Multiple Updates
2016-03-05 00:28:02
  • Multiple Updates
2016-03-05 00:23:22
  • Multiple Updates
2016-03-01 21:29:59
  • Multiple Updates
2016-03-01 21:24:41
  • Multiple Updates
2016-02-29 21:30:06
  • Multiple Updates
2016-02-29 21:24:10
  • First insertion