ike_flood_dos with IKEv2

M470 12.6.4
I set up IKEv2 and it works fine, but 1 VPN user publishes a Visual Studio website to an on-premise webserver and I get the notification:
Message: IKE flood attack against [external interface IP] from [his external IP] detected. 221 IKE flood packets dropped since last alarm.

It can be 1 or more IKE flood packets. Just curious if there's something I can look at. I've increased the IKE flood to 1500 but that doesn't help. It seems to be only when he publishes.

Comments

  • 1) add a Blocked Sites Exception for the source IP addr.
    "Blocked Sites Exceptions bypass all Default Packet Handling checks, except spoofing and IP source route attacks."

    2) you can disable the IKE Flood check

    3) you can try increasing the value more
    "We recommend that you change the default values of each flood attack threshold based on the expected amount of network traffic of that type. For example, if your configuration includes a Branch Office VPN or Mobile VPN, you might need to increase the IPSec and IKE flood attack thresholds to account for VPN traffic."

    https://www.watchguard.com/help/docs/help-center/en-US/Content/en-US/Fireware/intrusionprevention/flood_attacks_c.html

  • Yes, that's what I thought the options would be but curious if others had the same issue.
