Characterizing the VPN Ecosystem in the Wild

TL;DR

This study performs large-scale active measurements to detect, characterize, and analyze the vulnerabilities of nearly 10 million VPN servers worldwide, revealing their distribution, security issues, and traffic patterns.

Contribution

It introduces a method for detecting VPN servers in the wild and provides a comprehensive analysis of their vulnerabilities, protocols, and traffic impact.

Findings

9.8 million VPN servers identified globally

Over 90% of SSTP servers vulnerable to TLS downgrade attacks

2.6% of ISP traffic related to VPN servers

Abstract

With the shift to working remotely after the COVID-19 pandemic, the use of Virtual Private Networks (VPNs) around the world has nearly doubled. Therefore, measuring the traffic and security aspects of the VPN ecosystem is more important now than ever. It is, however, challenging to detect and characterize VPN traffic since some VPN protocols use the same port number as web traffic and port-based traffic classification will not help. VPN users are also concerned about the vulnerabilities of their VPN connections due to privacy issues. In this paper, we aim at detecting and characterizing VPN servers in the wild, which facilitates detecting the VPN traffic. To this end, we perform Internet-wide active measurements to find VPN servers in the wild, and characterize them based on their vulnerabilities, certificates, locations, and fingerprinting. We find 9.8M VPN servers distributed around the world using OpenVPN, SSTP, PPTP, and IPsec, and analyze their vulnerability. We find SSTP to be the most vulnerable protocol with more than 90% of detected servers being vulnerable to TLS downgrade attacks. Of all the servers that respond to our VPN probes, 2% also respond to HTTP probes and therefore are classified as Web servers. We apply our list of VPN servers to the traffic from a large European ISP and observe that 2.6% of all traffic is related to these VPN servers.