

The revision history of each SoftEther VPN build is here.

Improve the stability of the IPsec function by reducing CPU time, network bandwidth and memory consumption even if your server receives a large number of IPsec packets from indiscriminate attack attempts (brute-force attacks, reflection attacks, etc.) targeting generic IPsec VPN devices, which have been occurring frequently on the Internet recently.

This RTM build includes all changes from the previously released Beta versions, Build 9754 and Build 9758.

If you are using the system with the L2TP/IPsec, EtherIP/IPsec or L2TPv3/IPsec features enabled, we recommend that you apply the update. In addition, if you have been receiving indiscriminate attack attempt packets targeting IPsec VPN devices, which have been occurring frequently on the Internet since around August 2021, and your legitimate users have been experiencing reduced communication speed or failed VPN connections, we recommend that you apply the update.

The frequency of notification of disconnected tunnel identification numbers via IPsec Informational Exchange packets is now limited, reducing the occurrence of nonsensical packet ping-pong with attackers that target IPsec VPN devices across a wide range of global IP addresses.

Recently, we have observed a brute-force cyber attack that originates from several IP addresses of cloud services and indiscriminately attempts to penetrate networks via IPsec VPN against a wide range of global IP addresses of victims. Based on the behavior of the packets, it is believed that this cyber attack uses a dictionary attack to identify the pre-shared key of the IPsec VPN when a guessable word is used as the pre-shared key, and then establishes an IPsec VPN tunnel to break into various corporate networks. This cyber attack is considered to be an attempt to establish an IPsec VPN tunnel in order to infiltrate various corporate networks. This cyber attack does not target SoftEther VPN, and there is no possibility that SoftEther VPN will be affected directly at present.

However, if you have enabled the L2TP/IPsec, EtherIP/IPsec, or L2TPv3/IPsec features of SoftEther VPN and have not changed the pre-shared key, as recommended, from "vpn" (the three-character default value), such an attack will establish an IPsec layer tunnel with the attacker's host. In an environment where the pre-shared key has not been changed (a strongly not recommended, dangerous usage), such an attack will establish an IPsec layer tunnel with the attacker's host. Even if a VPN session is not actually established afterwards and the attacker does not break into the network, resources such as CPU, memory, and network bandwidth of the host used as the VPN server may be wasted as a result.

In particular, SoftEther VPN disconnects the IPsec tunnel established with the attacker when there is no communication for a certain period of time. When SoftEther VPN then receives a packet addressed to the identification number of a tunnel that has already been disconnected, it sends a notification to the source IPsec client that the tunnel has been disconnected. This is called an IPsec Informational Exchange packet. A badly implemented source IPsec client (the program written by the attacker) behaves such that, when the IPsec Informational Exchange packet arrives, the attacking host resends another ESP frame to the VPN server. This results in a ping-pong between the attacker's program and the IPsec module of the SoftEther VPN server, which is completely unintended by the attacker and results in completely useless consumption of each other's CPU, memory, and network bandwidth. From the point of view of the VPN server administrator, while the attacker is sending IPsec packets in rapid succession, VPN communication by legitimate L2TP/IPsec users will be slowed down or will fail to be established.

The above notification mechanism for disconnected tunnel identification numbers via IPsec Informational Exchange packets is not a bug in SoftEther VPN but the originally intended behavior. However, if the above ping-pong phenomenon occurs and consumes CPU, memory and network bandwidth, it will affect legitimate users. Therefore, in the new build Ver 4.37 Build 9758 released on, we have implemented a rate limit on the process of sending back IPsec Informational Exchange packets.
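To illustrate the rate limit described above, the following is a small simulation added for this page (it is not SoftEther's own code) of a server that answers ESP frames arriving on an already-closed tunnel identification number with a "tunnel disconnected" notification, first without and then with a per-source cap on those notifications. The IP addresses, SPI values and the cap of 10 notifications per second are constructed for the example; the page does not state SoftEther's actual threshold.

```python
from collections import defaultdict, deque

class StaleSpiNotifier:
    """Simplified model (not SoftEther's code) of a VPN server receiving ESP
    frames whose SPI, i.e. tunnel identification number, belongs to a tunnel it
    already tore down after the idle timeout. Unlimited mode answers every such
    frame with an Informational Exchange notification; limited mode caps the
    notifications per source address inside a sliding window."""
    def __init__(self, max_notifies_per_window=None, window_ms=1000):
        self.max_notifies = max_notifies_per_window  # None = unlimited (old behaviour)
        self.window_ms = window_ms
        self.active_spis = set()
        self._sent = defaultdict(deque)  # src_ip -> times (ms) notifications were sent

    def open_tunnel(self, spi):
        self.active_spis.add(spi)

    def close_tunnel(self, spi):
        self.active_spis.discard(spi)

    def _allowed(self, src, now_ms):
        if self.max_notifies is None:
            return True
        sent = self._sent[src]
        while sent and now_ms - sent[0] >= self.window_ms:  # expire old entries
            sent.popleft()
        return len(sent) < self.max_notifies

    def handle_esp(self, src, spi, now_ms):
        if spi in self.active_spis:
            return "deliver"  # normal traffic on a live tunnel
        if self._allowed(src, now_ms):
            self._sent[src].append(now_ms)
            return "notify"  # tell the peer the tunnel is gone
        return "drop"  # stale frame ignored under the rate limit

def simulate(max_notifies=None, frames=1000, duration_ms=1000):
    """Constructed scenario: one host keeps resending ESP frames on an
    idle-timed-out SPI while a legitimate user's live tunnel carries traffic."""
    srv = StaleSpiNotifier(max_notifies, window_ms=1000)
    srv.open_tunnel(0xA1A1)  # this tunnel is then torn down by the idle timeout
    srv.open_tunnel(0xB2B2)  # legitimate user's tunnel stays up
    srv.close_tunnel(0xA1A1)
    counts = defaultdict(int)
    for i in range(frames):
        now_ms = duration_ms * i // frames
        counts[srv.handle_esp("198.51.100.7", 0xA1A1, now_ms)] += 1  # stale SPI
        counts[srv.handle_esp("192.0.2.10", 0xB2B2, now_ms)] += 1  # live SPI
    return dict(counts)
```

With no cap every stale frame earns a reply (the ping-pong), while with the cap only 10 replies per second leave the server and the legitimate tunnel's frames are still delivered.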
