Cookie-Challenge

The cookie challenge is a protection mechanism against CPU exhaustion attacks during the handshake process. The computation of the Diffie-Hellman (DH) function during the WireGuard handshake is inherently CPU-intensive. An attacker could attempt to overload the router by sending a large number of handshake requests to crash it or severely impact its performance (CPU exhaustion attack). This mechanism forces the attacker to perform an additional network round trip and respond to the cookie for each handshake attempt. This significantly increases the cost of the attack, making it much less effective, while allowing the server to limit the number of DH computations it must perform, thus protecting its resources.

When the cookie challenge is enabled, the device always sends a cookie-reply message during the handshake.

SNMP ID:
2.19.70.2 
Console path:
Setup > VPN > WireGuard
Possible values:
No
Yes
Default:
No
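The following is an added example, not LANCOM or WireGuard project code: a simplified model of the responder-side check behind the cookie challenge, using WireGuard's keyed BLAKE2s MAC with a 16-byte tag. The names `Responder`, `handle_initiation` and `demo`, the address encoding and the sample addresses are assumptions made for illustration; the `mac1` field and the encryption of the cookie-reply are left out.

```python
import hashlib
import hmac
import os

def mac(key: bytes, data: bytes) -> bytes:
    # Keyed BLAKE2s with a 16-byte tag, the MAC WireGuard uses for cookies.
    return hashlib.blake2s(data, key=key, digest_size=16).digest()

class Responder:
    """Hypothetical responder with the cookie challenge always enabled."""

    def __init__(self) -> None:
        self.secret = os.urandom(32)  # WireGuard rotates this every two minutes
        self.dh_count = 0             # counts expensive DH computations

    def cookie_for(self, src: tuple) -> bytes:
        # The cookie is derived from the sender's IP and port, so the
        # responder keeps no per-sender state (string encoding is assumed).
        ip, port = src
        return mac(self.secret, f"{ip}:{port}".encode())

    def handle_initiation(self, src: tuple, msg: bytes, mac2: bytes) -> tuple:
        cookie = self.cookie_for(src)
        if not hmac.compare_digest(mac2, mac(cookie, msg)):
            # Cheap path: two MAC computations, no DH, reply with the cookie.
            return ("cookie-reply", cookie)
        self.dh_count += 1  # stand-in for the CPU-intensive DH step
        return ("handshake-response", b"")

def demo() -> tuple:
    r = Responder()
    msg = b"constructed handshake initiation"  # constructed sample message
    real = ("198.51.100.7", 51820)             # constructed documentation addresses
    other = ("203.0.113.9", 40000)
    # 1. First attempt carries an empty mac2: only a cookie-reply comes back.
    kind1, cookie = r.handle_initiation(real, msg, bytes(16))
    # 2. Retry from the same address, mac2 keyed with the cookie: DH runs.
    kind2, _ = r.handle_initiation(real, msg, mac(cookie, msg))
    # 3. The same cookie presented from a different source address is rejected.
    kind3, _ = r.handle_initiation(other, msg, mac(cookie, msg))
    return kind1, kind2, kind3, r.dh_count

if __name__ == "__main__":
    print(demo())
```

A sender only reaches the DH step after receiving the cookie at the address it claims to send from, which is the extra round trip described above.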

www.lancom-systems.com

LANCOM Systems GmbH | A Rohde & Schwarz Company | Adenauerstr. 20/B2 | 52146 Wuerselen | Germany | E‑Mail info@lancom.de
