
"The detection device should monitor all incoming IKE traffic. Detection requires correlating two packets within the same IKE session: an IKE_SA_INIT request carrying the Microsoft Security Realm Vendor ID, followed by a fragmented IKE_AUTH request."
"At byte offset 17 of the UDP payload, the device should check for the three-byte sequence 20 22 08, which corresponds to the IKEv2 version identifier, the IKE_SA_INIT exchange type, and the Initiator flag."
"For subsequent packets from the same source, the device should check bytes at offset 16 through 23 of the UDP payload. If found, the traffic should be considered malicious; an attack exploiting this vulnerability is likely underway."
Detecting attacks against this vulnerability requires monitoring UDP ports 500 and 4500. The detection device must analyze incoming IKE traffic and correlate two packets from the same IKE session: an IKE_SA_INIT request carrying the Microsoft Security Realm Vendor ID, followed by a fragmented IKE_AUTH request. Specific byte sequences in the UDP payload confirm the presence of each packet. When both conditions are met, the traffic is flagged as malicious, indicating that an attack exploiting the vulnerability is likely underway.
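The two-packet correlation described above, written out as an added Python example (this is not ZDI's or any vendor's detection code). It parses the IKEv2 fixed header (RFC 7296), so the `20 22 08` check at UDP payload offset 17 becomes a check of the version, exchange-type and flags bytes, then keeps per-(source, initiator SPI) state until a fragmented IKE_AUTH request arrives. Two points are assumptions: the page does not give the Microsoft Security Realm Vendor ID bytes, so `MS_SECURITY_REALM_VID` is a placeholder to be replaced with the real value, and the page does not spell out which bytes in offsets 16 through 23 identify the fragment, so the example treats an IKE_AUTH exchange (type 35) whose first payload is the RFC 7383 Encrypted and Authenticated Fragment payload (type 53) as "fragmented". It also strips the RFC 3948 four-byte non-ESP marker on port 4500, which the quoted guidance does not mention. Sample packets and the 203.0.113.x source address are constructed for the demonstration.

```python
import struct
from dataclasses import dataclass

# IKEv2 constants from RFC 7296 and RFC 7383
IKEV2_VERSION = 0x20            # major 2, minor 0
EXCH_IKE_SA_INIT = 34           # 0x22
EXCH_IKE_AUTH = 35              # 0x23
FLAG_INITIATOR = 0x08
PAYLOAD_SA = 33
PAYLOAD_VENDOR_ID = 43
PAYLOAD_ENCRYPTED_FRAGMENT = 53  # RFC 7383 "Encrypted and Authenticated Fragment"
NON_ESP_MARKER = b"\x00\x00\x00\x00"  # RFC 3948 prefix on UDP/4500
IKE_HEADER_LEN = 28

# PLACEHOLDER: the page does not give the real Vendor ID bytes; substitute them here.
MS_SECURITY_REALM_VID = b"PLACEHOLDER-MS-SECURITY-REALM-VID"


@dataclass
class IkeHeader:
    spi_i: bytes
    spi_r: bytes
    next_payload: int   # UDP payload offset 16
    version: int        # offset 17
    exchange_type: int  # offset 18
    flags: int          # offset 19
    message_id: int     # offsets 20..23
    length: int


def strip_nat_t_marker(udp_payload: bytes, dst_port: int) -> bytes:
    """On port 4500 an IKE message is preceded by four zero bytes (non-ESP marker)."""
    if dst_port == 4500 and udp_payload.startswith(NON_ESP_MARKER):
        return udp_payload[4:]
    return udp_payload


def parse_ike_header(data: bytes):
    """Return the fixed 28-byte IKEv2 header, or None if the datagram is too short."""
    if len(data) < IKE_HEADER_LEN:
        return None
    return IkeHeader(*struct.unpack("!8s8sBBBBII", data[:IKE_HEADER_LEN]))


def iter_payloads(data: bytes, first_type: int):
    """Walk the generic payload chain: next-type(1) flags(1) length(2) body."""
    offset, ptype = IKE_HEADER_LEN, first_type
    while ptype != 0 and offset + 4 <= len(data):
        next_type, _flags, plen = struct.unpack("!BBH", data[offset:offset + 4])
        if plen < 4 or offset + plen > len(data):
            return  # malformed length: stop rather than read past the datagram
        yield ptype, data[offset + 4:offset + plen]
        offset, ptype = offset + plen, next_type


class IkeFragmentDetector:
    """Flags a fragmented IKE_AUTH request that follows a marked IKE_SA_INIT from the same session."""

    def __init__(self, vendor_id: bytes = MS_SECURITY_REALM_VID):
        self.vendor_id = vendor_id
        self.pending = set()  # (src_ip, initiator SPI) of suspicious IKE_SA_INIT requests

    def observe(self, src_ip: str, dst_port: int, udp_payload: bytes) -> bool:
        if dst_port not in (500, 4500):
            return False
        data = strip_nat_t_marker(udp_payload, dst_port)
        hdr = parse_ike_header(data)
        if hdr is None or hdr.version != IKEV2_VERSION or not (hdr.flags & FLAG_INITIATOR):
            return False
        key = (src_ip, hdr.spi_i)
        # Step 1: IKE_SA_INIT request (bytes 17..19 == 20 22 08) carrying the Vendor ID
        if hdr.exchange_type == EXCH_IKE_SA_INIT and hdr.flags == FLAG_INITIATOR:
            for ptype, body in iter_payloads(data, hdr.next_payload):
                if ptype == PAYLOAD_VENDOR_ID and body == self.vendor_id:
                    self.pending.add(key)
                    break
            return False
        # Step 2 (assumed criterion): IKE_AUTH request whose first payload is a fragment
        if hdr.exchange_type == EXCH_IKE_AUTH and hdr.next_payload == PAYLOAD_ENCRYPTED_FRAGMENT:
            if key in self.pending:
                self.pending.discard(key)
                return True
        return False


def build_ike(spi_i, exchange_type, payloads, flags=FLAG_INITIATOR, message_id=0, spi_r=b"\x00" * 8):
    """Constructed test helper: assemble an IKEv2 message from (payload_type, body) pairs."""
    body = b""
    for i, (ptype, pbody) in enumerate(payloads):
        next_type = payloads[i + 1][0] if i + 1 < len(payloads) else 0
        body += struct.pack("!BBH", next_type, 0, 4 + len(pbody)) + pbody
    first = payloads[0][0] if payloads else 0
    header = struct.pack("!8s8sBBBBII", spi_i, spi_r, first, IKEV2_VERSION,
                         exchange_type, flags, message_id, IKE_HEADER_LEN + len(body))
    return header + body


def demo_sequence(vendor_id: bytes = MS_SECURITY_REALM_VID):
    """Constructed session: SA_INIT with the Vendor ID on 500, then a fragment on 4500."""
    det = IkeFragmentDetector(vendor_id)
    spi = b"\x11" * 8
    sa_init = build_ike(spi, EXCH_IKE_SA_INIT, [(PAYLOAD_SA, b"\x00" * 8), (PAYLOAD_VENDOR_ID, vendor_id)])
    frag = build_ike(spi, EXCH_IKE_AUTH,
                     [(PAYLOAD_ENCRYPTED_FRAGMENT, b"\x00\x01\x00\x03" + b"\xaa" * 16)], message_id=1)
    first = det.observe("203.0.113.7", 500, sa_init)                      # False: only primes state
    second = det.observe("203.0.113.7", 4500, NON_ESP_MARKER + frag)     # True: correlated alert
    return first, second


if __name__ == "__main__":
    print(demo_sequence())
```

The state is keyed on the source address and the initiator SPI rather than on the source alone, so a fragment from a different IKE session on the same host does not trigger on another session's IKE_SA_INIT; the `pending` set should be given an expiry in a real sensor so that entries for sessions that never send IKE_AUTH do not accumulate.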
Read at Zero Day Initiative