Evaluating Susceptibility of VPN Implementations to DoS Attacks Using Adversarial Testing

TL;DR

This paper evaluates the resilience of popular VPN implementations against flooding-based DoS attacks, revealing significant vulnerabilities and implementation flaws that compromise their security under adversarial conditions.

Contribution

It introduces an adversarial testing methodology for VPNs, providing new insights into their vulnerabilities to flooding DoS attacks and exposing implementation flaws.

Findings

WireGuard can be fully denied with 700 Mb/s attack traffic.

strongSwan can be blocked with 75 Mb/s attack traffic.

OpenVPN can be overwhelmed with 100 Mb/s flood traffic.

Abstract

Many systems today rely heavily on virtual private network (VPN) technology to connect networks and protect their services on the Internet. While prior studies compare the performance of different implementations, they do not consider adversarial settings. To address this gap, we evaluate the resilience of VPN implementations to flooding-based denial-of-service (DoS) attacks. We focus on a class of stateless flooding attacks, which are particularly threatening to real connections, as they can be carried out by an off-path attacker using spoofed IP addresses. We have implemented various attacks to evaluate DoS resilience for three major open-source VPN solutions, with surprising results: On high-performance hardware with a $40\,\mathrm{Gb/s}$ interface, data transfer over established WireGuard connections can be fully denied with $700\,\mathrm{Mb/s}$ of attack traffic. For strongSwan (IPsec), an adversary can block any legitimate connections from being established using only $75\,\mathrm{Mb/s}$ of attack traffic. OpenVPN can be overwhelmed with $100\,\mathrm{Mb/s}$ of flood traffic denying data transfer through the VPN connection as well as connection establishment completely. Further analysis has revealed implementation bugs and major inefficiencies in the implementations related to concurrency aspects. These findings demonstrate a need for more adversarial testing of VPN implementations with respect to DoS resilience.