Fabio Streun (ETH Zurich), Joel Wanner (ETH Zurich), Adrian Perrig (ETH Zurich)

Many systems today rely heavily on virtual private network (VPN) technology to connect networks and protect services on the Internet. While prior studies compare the performance of different implementations, they do not consider adversarial settings. To address this gap, we evaluate the resilience of VPN implementations to flooding-based denial-of-service (DoS) attacks.

We focus on a class of emph{stateless flooding} attacks, which are particularly threatening because an attacker that operates stealthily by spoofing its IP addresses can perform them.
We have implemented various attacks to evaluate the DoS resilience of four widely used VPN solutions and measured their impact on a high-performance server with a $40,mathrm{Gb/s}$ interface, which has revealed surprising results:
An adversary can deny data transfer over an already established WireGuard connection with just $300,mathrm{Mb/s}$ of attack traffic.
When using strongSwan (IPsec), $75,mathrm{Mb/s}$ of attack traffic is sufficient to block connection establishment.
A $100,mathrm{Mb/s}$ flood overwhelms OpenVPN, denying data transfer through VPN connections and connection establishments.
Cisco's AnyConnect VPN solution can be overwhelmed with even less attack traffic:
When using IPsec, $50,mathrm{Mb/s}$ of attack traffic deny connection establishment. When using SSL, $50,mathrm{Mb/s}$ suffice to deny data transfer over already established connections.
Furthermore, performance analysis of WireGuard revealed significant inefficiencies in the implementation related to multi-core synchronization. We also found vulnerabilities in the implementations of strongSwan and OpenVPN, which an attacker can easily exploit for highly effective DoS attacks.
These findings demonstrate the need for adversarial testing of VPN implementations with respect to DoS resilience.

View More Papers

Chhoyhopper: A Moving Target Defense with IPv6

A S M Rizvi (University of Southern California/Information Sciences Institute) and John Heidemann (University of Southern California/Information Sciences Institute)

Read More

Dissecting American Fuzzy Lop – A FuzzBench Evaluation

Andrea Fioraldi (EURECOM), Alessandro Mantovani (EURECOM), Dominik Maier (TU Berlin), Davide Balzarotti (EURECOM)

Read More

Packet-Level Open-World App Fingerprinting on Wireless Traffic

Jianfeng Li (The Hong Kong Polytechnic University), Shuohan Wu (The Hong Kong Polytechnic University), Hao Zhou (The Hong Kong Polytechnic University), Xiapu Luo (The Hong Kong Polytechnic University), Ting Wang (Penn State), Yangyang Liu (The Hong Kong Polytechnic University), Xiaobo Ma (Xi'an Jiaotong University)

Read More

Let’s Authenticate: Automated Certificates for User Authentication

James Conners (Brigham Young University), Corey Devenport (Brigham Young University), Stephen Derbidge (Brigham Young University), Natalie Farnsworth (Brigham Young University), Kyler Gates (Brigham Young University), Stephen Lambert (Brigham Young University), Christopher McClain (Brigham Young University), Parker Nichols (Brigham Young University), Daniel Zappala (Brigham Young University)

Read More