Fabio Streun (ETH Zurich), Joel Wanner (ETH Zurich), Adrian Perrig (ETH Zurich)

Many systems today rely heavily on virtual private network (VPN) technology to connect networks and protect services on the Internet. While prior studies compare the performance of different implementations, they do not consider adversarial settings. To address this gap, we evaluate the resilience of VPN implementations to flooding-based denial-of-service (DoS) attacks.

We focus on a class of emph{stateless flooding} attacks, which are particularly threatening because an attacker that operates stealthily by spoofing its IP addresses can perform them.
We have implemented various attacks to evaluate the DoS resilience of four widely used VPN solutions and measured their impact on a high-performance server with a $40,mathrm{Gb/s}$ interface, which has revealed surprising results:
An adversary can deny data transfer over an already established WireGuard connection with just $300,mathrm{Mb/s}$ of attack traffic.
When using strongSwan (IPsec), $75,mathrm{Mb/s}$ of attack traffic is sufficient to block connection establishment.
A $100,mathrm{Mb/s}$ flood overwhelms OpenVPN, denying data transfer through VPN connections and connection establishments.
Cisco's AnyConnect VPN solution can be overwhelmed with even less attack traffic:
When using IPsec, $50,mathrm{Mb/s}$ of attack traffic deny connection establishment. When using SSL, $50,mathrm{Mb/s}$ suffice to deny data transfer over already established connections.
Furthermore, performance analysis of WireGuard revealed significant inefficiencies in the implementation related to multi-core synchronization. We also found vulnerabilities in the implementations of strongSwan and OpenVPN, which an attacker can easily exploit for highly effective DoS attacks.
These findings demonstrate the need for adversarial testing of VPN implementations with respect to DoS resilience.

View More Papers

30 Years into Scientific Binary Decompilation: What We Have...

Dr. Ruoyu (Fish) Wang, Assistant Professor at Arizona State University

Read More

FedCRI: Federated Mobile Cyber-Risk Intelligence

Hossein Fereidooni (Technical University of Darmstadt), Alexandra Dmitrienko (University of Wuerzburg), Phillip Rieger (Technical University of Darmstadt), Markus Miettinen (Technical...

Read More

NSFuzz: Towards Efficient and State-Aware Network Service Fuzzing

Shisong Qin (Tsinghua University), Fan Hu (State Key Laboratory of Mathematical Engineering and Advanced Computing), Bodong Zhao (Tsinghua University), Tingting...

Read More

Clarion: Anonymous Communication from Multiparty Shuffling Protocols

Saba Eskandarian (University of North Carolina at Chapel Hill), Dan Boneh (Stanford University)

Read More