z/OS Communications Server: IP Messages Volume 2 (EZB, EZD)
SC27-3655-01

EZD1754I
Validation failed for COOKIE notify payload received from remote_ip port remote_port to local_ip port local_port

Explanation

When the Internet Key Exchange (IKE) daemon detects a large number of half-open IKE security associations (SAs), it answers a new IKE_SA_INIT request with a notify payload of type COOKIE instead of creating state for the request. The peer must retry the request with a copy of that COOKIE notify payload. The IKE daemon periodically updates the local cookie information and requires that the data in every received COOKIE notify payload match the local cookie information. A received cookie that does not match might indicate that the sender is attempting a denial-of-service (DoS) attack against the IKE daemon. The message can also be issued for a benign IKE daemon peer if the local cookie information is updated before the peer is able to respond, although such an occurrence is unlikely. A large number of these messages probably indicates a DoS attack.
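The following is an added example, not IBM documentation and not code from the z/OS IKE daemon: a stateless responder-side cookie generator and validator modelled on the IKEv2 cookie construction suggested in RFC 7296 section 2.6. The IBM daemon's actual cookie layout, secret-rotation interval and validation routine are not described on this page, so the layout, the two-version secret ring and the sample addresses below are assumptions. The example shows the three outcomes the Explanation talks about: an honest retry validates, a cookie that does not match the request fields fails, and a cookie from a peer that answered only after the local cookie information was updated too many times also fails.

```python
"""Added example: IKEv2-style COOKIE notify validation with periodic secret
rotation (RFC 7296 section 2.6 layout, assumed; not the z/OS implementation).

    Cookie = <VersionIDofSecret> | Hash(Ni | IPi | SPIi | <secret>)

The responder keeps no per-initiator state: on a retry it recomputes the hash
from the fields of the IKE_SA_INIT request and compares it to what came back.
"""
import hashlib
import hmac
import os
import secrets
from dataclasses import dataclass
from typing import Dict, Optional, Tuple


@dataclass(frozen=True)
class SaInitRequest:
    """Fields of an IKE_SA_INIT request that the cookie binds together."""
    initiator_ip: str
    initiator_spi: bytes            # 8-byte SPIi from the IKE header
    nonce: bytes                    # Ni payload
    cookie: Optional[bytes] = None  # N(COOKIE) payload on a retry, else None


class CookieResponder:
    """Responder-side cookie state: a small ring of versioned secrets.

    rotate() stands in for the daemon's periodic update of its local cookie
    information: a new secret becomes current and the oldest is forgotten, so
    cookies issued under a forgotten secret no longer validate.
    """

    def __init__(self, keep_versions: int = 2):
        self.keep_versions = keep_versions
        self.version = 0
        self.secrets: Dict[int, bytes] = {0: secrets.token_bytes(32)}

    def rotate(self) -> None:
        self.version += 1
        self.secrets[self.version] = secrets.token_bytes(32)
        for old in [v for v in self.secrets if v <= self.version - self.keep_versions]:
            del self.secrets[old]

    def _digest(self, req: SaInitRequest, version: int) -> bytes:
        data = req.nonce + req.initiator_ip.encode() + req.initiator_spi
        return hmac.new(self.secrets[version], data, hashlib.sha256).digest()

    def make_cookie(self, req: SaInitRequest) -> bytes:
        """Build the N(COOKIE) payload sent back while under load."""
        return self.version.to_bytes(2, "big") + self._digest(req, self.version)

    def validate(self, req: SaInitRequest) -> Tuple[bool, str]:
        """Check the cookie carried by a retried IKE_SA_INIT request."""
        if req.cookie is None or len(req.cookie) != 2 + 32:
            return False, "missing or malformed cookie"
        version = int.from_bytes(req.cookie[:2], "big")
        if version not in self.secrets:
            return False, "secret version %d no longer held (rotated)" % version
        if not hmac.compare_digest(self._digest(req, version), req.cookie[2:]):
            return False, "cookie does not match request fields"
        return True, "ok"


def demo() -> Dict[str, object]:
    """Three exchanges: honest retry, forged cookie, and stale cookie."""
    responder = CookieResponder(keep_versions=2)
    first = SaInitRequest("192.0.2.10", os.urandom(8), os.urandom(32))  # constructed
    cookie = responder.make_cookie(first)

    # 1. Honest initiator retries the same request with the cookie copied in.
    honest = SaInitRequest(first.initiator_ip, first.initiator_spi, first.nonce, cookie)
    honest_ok, _ = responder.validate(honest)

    # 2. Cookie replayed from a different source address: hash no longer matches.
    forged = SaInitRequest("198.51.100.7", first.initiator_spi, first.nonce, cookie)
    forged_ok, forged_reason = responder.validate(forged)

    # 3. Benign but slow peer: still accepted after one rotation, not after two.
    responder.rotate()
    after_one = responder.validate(honest)[0]
    responder.rotate()
    stale_ok, stale_reason = responder.validate(honest)

    return {"honest": honest_ok, "forged": forged_ok, "forged_reason": forged_reason,
            "after_one_rotation": after_one, "after_two_rotations": stale_ok,
            "stale_reason": stale_reason}


if __name__ == "__main__":
    for k, v in demo().items():
        print(k, v)
```

Because the cookie is recomputed from the request fields, the responder holds nothing per initiator; a flood of unanswered IKE_SA_INIT requests costs it one HMAC each and no SA state, which is the point of the mechanism the Explanation describes.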

In the message text:
remote_ip
The remote security endpoint IP specification.
remote_port
The port of the remote IKE daemon peer.
local_ip
The local security endpoint IP specification.
local_port
The port of the local IKE daemon.

System action

IKE daemon processing continues.

Operator response

If more than one EZD1754I message is issued in quick succession, contact the system programmer.

System programmer response

If a large number of EZD1754I messages are issued for the same remote IP address, then the host with that IP address might be mounting a DoS attack against the IKE daemon. Install an IP filter rule to deny IP traffic from that address. If a large number of EZD1754I messages are issued for different remote IP addresses, then it might indicate that an attacker is forging IP addresses. In this case, install IP filter rules to deny IP traffic from all the IP addresses reported as the remote_ip value in the EZD1754I messages. Because forged source addresses can belong to legitimate hosts, review the reported addresses for known IKE peers before denying them. See the information about IP security in z/OS Communications Server: IP Configuration Guide for information about implementing IP filter rules.
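The following is an added example, not part of the IBM documentation or of the z/OS IKE daemon: a small triage script that parses EZD1754I lines from syslog in the format shown under Example and separates the two cases above, one remote address repeating many times versus many distinct source addresses with few failures each. The log lines, addresses and thresholds are constructed for illustration; the resulting deny list is input for IP filter rules written as described in the IP Configuration Guide, not a filter rule itself.

```python
"""Added example: triage of EZD1754I syslog messages (constructed data)."""
import ipaddress
import re
from collections import Counter
from typing import Dict, List

MSG = ("EZD1754I Validation failed for COOKIE notify payload received from "
       "{remote_ip} port {remote_port} to {local_ip} port {local_port}")

# Constructed sample 1: one host repeats, three others appear once, plus an
# unrelated syslog line that the parser must ignore.
SINGLE_SOURCE_LOG = "\n".join(
    [MSG.format(remote_ip="203.0.113.5", remote_port=500,
                local_ip="192.0.2.1", local_port=500)] * 6
    + [MSG.format(remote_ip=ip, remote_port=4500,
                  local_ip="192.0.2.1", local_port=4500)
       for ip in ("198.51.100.2", "198.51.100.3", "198.51.100.4")]
    + ["SOME OTHER SYSLOG LINE (constructed, not an EZD1754I message)"]
)

# Constructed sample 2: twelve different source addresses, one failure each,
# the pattern the page says might indicate forged IP addresses.
SPOOFED_LOG = "\n".join(
    MSG.format(remote_ip="198.51.100.%d" % i, remote_port=500,
               local_ip="192.0.2.1", local_port=500)
    for i in range(1, 13)
)

# Matches the message text; \s+ tolerates the padded port field seen in
# syslog output.
PATTERN = re.compile(
    r"EZD1754I Validation failed for COOKIE notify payload received from "
    r"(?P<remote_ip>\S+) port\s+(?P<remote_port>\d+) to "
    r"(?P<local_ip>\S+) port\s+(?P<local_port>\d+)"
)


def parse_ezd1754i(syslog_text: str) -> List[Dict[str, str]]:
    """Return remote_ip/remote_port/local_ip/local_port for each EZD1754I line."""
    events = []
    for line in syslog_text.splitlines():
        m = PATTERN.search(line)
        if m:
            events.append(m.groupdict())
    return events


def triage(events: List[Dict[str, str]], per_host_threshold: int = 5,
           distinct_threshold: int = 10) -> Dict[str, object]:
    """Classify a burst of EZD1754I events.

    per_host_threshold: failures from one remote_ip that mark it as a likely
        single-source DoS (assumed value; tune for the site).
    distinct_threshold: number of further, individually quiet remote_ip values
        that suggests forged source addresses (assumed value).
    """
    counts = Counter(e["remote_ip"] for e in events)
    hot_hosts = sorted((ip for ip, n in counts.items() if n >= per_host_threshold),
                       key=ipaddress.ip_address)
    quiet_sources = len(counts) - len(hot_hosts)
    spoofing_suspected = quiet_sources >= distinct_threshold
    if spoofing_suspected:
        deny = sorted(counts, key=ipaddress.ip_address)  # every reported remote_ip
    else:
        deny = hot_hosts
    return {
        "total": sum(counts.values()),
        "distinct_sources": len(counts),
        "hot_hosts": hot_hosts,
        "spoofing_suspected": spoofing_suspected,
        "deny": deny,
    }


if __name__ == "__main__":
    for name, log in (("single source", SINGLE_SOURCE_LOG), ("spoofed", SPOOFED_LOG)):
        print(name, triage(parse_ezd1754i(log)))
```

Run against a real syslog extract, the deny list for the spoofing case will contain whatever addresses the attacker chose to forge, which is why the review step above matters before the list is turned into filter rules.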

User response

None.

Problem determination

None.

Source

z/OS® Communications Server TCP/IP: IKE daemon

Module

IKEv2SAInitResponse.cpp

Routing code

11

Descriptor code

7

Automation

This message is output to the syslog.

Example

EZD1754I Validation failed for COOKIE notify payload received from 1.2.3.4 port 500 to 5.6.7.8 port 500





Copyright IBM Corporation 1990, 2014