Fabio Streun (ETH Zurich), Joel Wanner (ETH Zurich), Adrian Perrig (ETH Zurich)

Many systems today rely heavily on virtual private network (VPN) technology to connect networks and protect services on the Internet. While prior studies compare the performance of different implementations, they do not consider adversarial settings. To address this gap, we evaluate the resilience of VPN implementations to flooding-based denial-of-service (DoS) attacks.

We focus on a class of emph{stateless flooding} attacks, which are particularly threatening because an attacker that operates stealthily by spoofing its IP addresses can perform them.
We have implemented various attacks to evaluate the DoS resilience of four widely used VPN solutions and measured their impact on a high-performance server with a $40,mathrm{Gb/s}$ interface, which has revealed surprising results:
An adversary can deny data transfer over an already established WireGuard connection with just $300,mathrm{Mb/s}$ of attack traffic.
When using strongSwan (IPsec), $75,mathrm{Mb/s}$ of attack traffic is sufficient to block connection establishment.
A $100,mathrm{Mb/s}$ flood overwhelms OpenVPN, denying data transfer through VPN connections and connection establishments.
Cisco's AnyConnect VPN solution can be overwhelmed with even less attack traffic:
When using IPsec, $50,mathrm{Mb/s}$ of attack traffic deny connection establishment. When using SSL, $50,mathrm{Mb/s}$ suffice to deny data transfer over already established connections.
Furthermore, performance analysis of WireGuard revealed significant inefficiencies in the implementation related to multi-core synchronization. We also found vulnerabilities in the implementations of strongSwan and OpenVPN, which an attacker can easily exploit for highly effective DoS attacks.
These findings demonstrate the need for adversarial testing of VPN implementations with respect to DoS resilience.

View More Papers

NSFuzz: Towards Efficient and State-Aware Network Service Fuzzing

Shisong Qin (Tsinghua University), Fan Hu (State Key Laboratory of Mathematical Engineering and Advanced Computing), Bodong Zhao (Tsinghua University), Tingting Yin (Tsinghua University), Chao Zhang (Tsinghua University)

Read More

Too Afraid to Drive: Systematic Discovery of Semantic DoS...

Ziwen Wan (University of California, Irvine), Junjie Shen (University of California, Irvine), Jalen Chuang (University of California, Irvine), Xin Xia (The University of California, Los Angeles), Joshua Garcia (University of California, Irvine), Jiaqi Ma (The University of California, Los Angeles), Qi Alfred Chen (University of California, Irvine)

Read More

Analyzing and Creating Malicious URLs: A Comparative Study on...

Vincent Drury (IT-Security Research Group, RWTH Aachen University), Rene Roepke (Learning Technologies Research Group, RWTH Aachen University), Ulrik Schroeder (Learning Technologies Research Group, RWTH Aachen University), Ulrike Meyer (IT-Security Research Group, RWTH Aachen University)

Read More

Detecting Obfuscated Function Clones in Binaries using Machine Learning

Michael Pucher (University of Vienna), Christian Kudera (SBA Research), Georg Merzdovnik (SBA Research)

Read More