Evaluating Susceptibility of VPN Implementations to DoS Attacks Using Adversarial Testing

by Fabio Streun, et al.

Many systems today rely heavily on virtual private network (VPN) technology to connect networks and protect their services on the Internet. While prior studies compare the performance of different implementations, they do not consider adversarial settings. To address this gap, we evaluate the resilience of VPN implementations to flooding-based denial-of-service (DoS) attacks. We focus on a class of stateless flooding attacks, which are particularly threatening to real connections, as they can be carried out by an off-path attacker using spoofed IP addresses. We have implemented various attacks to evaluate DoS resilience for three major open-source VPN solutions, with surprising results: On high-performance hardware with a 40 Gb/s interface, data transfer over established WireGuard connections can be fully denied with 700 Mb/s of attack traffic. For strongSwan (IPsec), an adversary can block any legitimate connections from being established using only 75 Mb/s of attack traffic. OpenVPN can be overwhelmed with 100 Mb/s of flood traffic denying data transfer through the VPN connection as well as connection establishment completely. Further analysis has revealed implementation bugs and major inefficiencies in the implementations related to concurrency aspects. These findings demonstrate a need for more adversarial testing of VPN implementations with respect to DoS resilience.
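Why a stateless flood is so cheap for the attacker and so expensive for the endpoint is easiest to see in a small queueing model. The following is an added illustration written for this page, not code or measurements from the paper: a single worker drains a drop-tail UDP receive buffer, pays a fixed CPU cost per packet, and receives a mix of spoofed flood packets and a legitimate client's packets. Every number in it (buffer size, CPU budget, per-packet costs, packet rates) is a made-up parameter chosen to make the dynamics visible and says nothing about WireGuard, strongSwan or OpenVPN specifically. The three runs compare no flood, a flood where rejecting a spoofed packet costs as much as handling a genuine one, and a flood where a cheap stateless check rejects spoofed packets before any expensive work is done.

```python
"""Toy model of a stateless UDP flood against a VPN endpoint's receive path.

Added illustration, not code from the paper. Every number below (buffer size,
CPU budget, per-packet costs, rates) is a made-up parameter chosen to make the
dynamics visible, not a measurement of any real VPN implementation.
"""
import random
from collections import deque
from dataclasses import dataclass


@dataclass
class FloodResult:
    legit_sent: int
    legit_served: int
    attack_sent: int
    attack_served: int
    dropped: int

    @property
    def legit_fraction(self) -> float:
        """Share of legitimate packets that reached the handler."""
        return self.legit_served / self.legit_sent if self.legit_sent else 1.0


def simulate_flood(attack_pps: float, legit_pps: float, *,
                   buffer_pkts: int = 1000,
                   cpu_units_per_sec: int = 2_000_000,
                   cost_attack: int = 100, cost_legit: int = 100,
                   seconds: float = 1.0, ticks_per_sec: int = 1000,
                   seed: int = 1) -> FloodResult:
    """Single worker draining a drop-tail socket buffer.

    Each tick the worker gets a fixed CPU budget and pops packets from the
    head of the buffer, paying `cost_attack` units for a spoofed packet (the
    work done before it is rejected) and `cost_legit` for a genuine one.
    Arrivals within a tick are shuffled, since an off-path attacker's packets
    and the client's packets are independent streams.
    """
    rng = random.Random(seed)
    buf: deque = deque()
    res = FloodResult(0, 0, 0, 0, 0)
    per_tick = cpu_units_per_sec / ticks_per_sec
    acc_a = acc_l = 0.0
    for _ in range(int(seconds * ticks_per_sec)):
        # Worker drains what it can this tick; idle budget is not banked.
        budget = per_tick
        while buf:
            cost = cost_attack if buf[0] == "A" else cost_legit
            if budget < cost:
                break
            kind = buf.popleft()
            budget -= cost
            if kind == "A":
                res.attack_served += 1
            else:
                res.legit_served += 1
        # New arrivals for this tick (fractional rates carried across ticks).
        acc_a += attack_pps / ticks_per_sec
        acc_l += legit_pps / ticks_per_sec
        n_a, n_l = int(acc_a), int(acc_l)
        acc_a -= n_a
        acc_l -= n_l
        arrivals = ["A"] * n_a + ["L"] * n_l
        rng.shuffle(arrivals)
        res.attack_sent += n_a
        res.legit_sent += n_l
        for kind in arrivals:
            if len(buf) >= buffer_pkts:
                res.dropped += 1      # drop-tail: buffer full, packet lost
            else:
                buf.append(kind)
    return res


if __name__ == "__main__":
    runs = [("no flood", 0, 100),
            ("flood, full cost per spoofed packet", 100_000, 100),
            ("flood, cheap stateless reject", 100_000, 5)]
    for label, a_pps, c_att in runs:
        r = simulate_flood(a_pps, 1000, cost_attack=c_att)
        print(f"{label:38s} legit served {r.legit_fraction:6.1%}  dropped {r.dropped}")
```

The point the model makes is the one the abstract relies on: the attacker keeps no state and spends nothing on the spoofed packets, while whatever the endpoint spends on each of them before rejecting it is capacity taken from real connections. Once arrivals exceed what the worker can drain, the buffer fills with flood packets and legitimate ones are dropped at the tail regardless of how much bandwidth the interface has. Cutting the per-packet rejection cost (a cheap stateless check ahead of any expensive processing) keeps the same flood harmless in this model; whether a given implementation achieves that, and at what traffic rate it stops doing so, is exactly what adversarial testing has to measure.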


