Improving Cloud-VPN Resiliency To DoS Attacks With IKE Throttling
Cisco, Thursday, August 7th, 2025
Cloud-based VPN solutions commonly expose IKEv2 (Internet Key Exchange v2) endpoints to the public Internet to support scalable, on-demand tunnel establishment for customers.
While this enables flexibility and broad accessibility, it also significantly increases the attack surface. These publicly reachable endpoints become attractive targets for Denial-of-Service (DoS) attacks, wherein adversaries can flood the key exchange servers with a high volume of IKE traffic.
Beyond the computational and memory overhead involved in handling large numbers of session initiations, such attacks can impose severe stress on the underlying system through extreme packet I/O rates, even before reaching the application layer.
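To make the threat concrete, the following is an added example (not Cisco's implementation or code from this post) of the kind of gate a responder can put in front of IKE_SA_INIT processing: it parses the fixed 28-byte IKEv2 header (RFC 7296, section 3.1), recognizes a fresh IKE_SA_INIT request by its exchange type, zero responder SPI, initiator bit and message ID 0, and applies a per-source token bucket before any Diffie-Hellman work or state allocation happens. The rate and burst values, the source addresses and the header-only datagrams are constructed for the demo; a real deployment would tune them to its own traffic and still rely on network-layer filtering for the raw packet I/O pressure described above.

```python
import struct
from collections import defaultdict
from typing import Optional

IKE_HEADER_LEN = 28        # fixed IKEv2 header, RFC 7296 section 3.1
EXCH_IKE_SA_INIT = 34      # exchange type of the first message pair
EXCH_IKE_AUTH = 35
FLAG_INITIATOR = 0x08      # "I" bit: message sent by the initiator


def parse_ike_header(payload: bytes) -> Optional[dict]:
    """Parse the fixed IKEv2 header; return None if the datagram cannot be IKEv2."""
    if len(payload) < IKE_HEADER_LEN:
        return None
    ispi, rspi, _next, version, exch, flags, msg_id, length = struct.unpack(
        "!QQBBBBII", payload[:IKE_HEADER_LEN])
    if version >> 4 != 2:                 # major version nibble must be 2
        return None
    if length != len(payload):            # Length covers the whole IKE message
        return None
    return {"ispi": ispi, "rspi": rspi, "exchange": exch,
            "flags": flags, "msg_id": msg_id, "length": length}


def is_new_sa_init(hdr: dict) -> bool:
    """A first IKE_SA_INIT request: responder SPI 0, I bit set, message ID 0."""
    return (hdr["exchange"] == EXCH_IKE_SA_INIT
            and hdr["rspi"] == 0
            and bool(hdr["flags"] & FLAG_INITIATOR)
            and hdr["msg_id"] == 0)


class SourceThrottle:
    """Token bucket per source address: `rate` new SA_INITs per second, `burst` headroom."""

    def __init__(self, rate: float, burst: int):
        self.rate, self.burst = rate, burst
        self._buckets = {}   # src -> (tokens, last_timestamp)

    def allow(self, src: str, now: float) -> bool:
        tokens, last = self._buckets.get(src, (float(self.burst), now))
        tokens = min(float(self.burst), tokens + (now - last) * self.rate)
        if tokens >= 1.0:
            self._buckets[src] = (tokens - 1.0, now)
            return True
        self._buckets[src] = (tokens, now)   # out of tokens: drop before creating state
        return False


def filter_datagrams(datagrams, throttle: SourceThrottle) -> dict:
    """datagrams: iterable of (timestamp, src_ip, payload). Returns per-source counters."""
    stats = defaultdict(lambda: {"accepted": 0, "dropped": 0, "ignored": 0})
    for ts, src, payload in datagrams:
        hdr = parse_ike_header(payload)
        if hdr is None or not is_new_sa_init(hdr):
            stats[src]["ignored"] += 1     # not a fresh SA_INIT: leave to normal IKE handling
        elif throttle.allow(src, ts):
            stats[src]["accepted"] += 1
        else:
            stats[src]["dropped"] += 1
    return dict(stats)


def make_header(ispi: int, rspi: int, exch: int, flags: int, msg_id: int) -> bytes:
    """Constructed header-only IKEv2 datagram for the demo (no payloads follow)."""
    return struct.pack("!QQBBBBII", ispi, rspi, 0, 0x20, exch, flags, msg_id, IKE_HEADER_LEN)


def demo() -> dict:
    # Constructed traffic: 100 SA_INITs from one source within 0.1 s, one legitimate
    # SA_INIT from another source, and one IKE_AUTH message that the gate must not touch.
    throttle = SourceThrottle(rate=2.0, burst=5)
    flood = [(i * 0.001, "198.51.100.7",
              make_header(0x1000 + i, 0, EXCH_IKE_SA_INIT, FLAG_INITIATOR, 0))
             for i in range(100)]
    normal = [(0.5, "203.0.113.9", make_header(0xABCD, 0, EXCH_IKE_SA_INIT, FLAG_INITIATOR, 0))]
    auth = [(0.6, "203.0.113.9", make_header(0xABCD, 0x55, EXCH_IKE_AUTH, FLAG_INITIATOR, 1))]
    return filter_datagrams(flood + normal + auth, throttle)


if __name__ == "__main__":
    print(demo())
```

The flooding source gets its five-token burst and is then dropped for the rest of the burst window, while the unrelated source is unaffected and its IKE_AUTH message passes straight through because the throttle only ever looks at first-contact requests. Keying the bucket on source address is the simplest policy; it loses effectiveness against widely distributed or spoofed sources, which is why the packet-rate stress this post mentions still needs filtering below the IKE daemon.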