Many systems today rely heavily on virtual private network (VPN) technology to connect networks and protect their services on the Internet. While prior studies compare the performance of different implementations, they do not consider adversarial settings. To address this gap, we evaluate the resilience of VPN implementations to flooding-based denial-of-service (DoS) attacks. We focus on a class of stateless flooding attacks, which are particularly threatening to real connections, as they can be carried out by an off-path attacker using spoofed IP addresses. We have implemented various attacks to evaluate DoS resilience for three major open-source VPN solutions, with surprising results: On high-performance hardware with a $40\,\mathrm{Gb/s}$ interface, data transfer over established WireGuard connections can be fully denied with $700\,\mathrm{Mb/s}$ of attack traffic. For strongSwan (IPsec), an adversary can block any legitimate connections from being established using only $75\,\mathrm{Mb/s}$ of attack traffic. OpenVPN can be overwhelmed with $100\,\mathrm{Mb/s}$ of flood traffic denying data transfer through the VPN connection as well as connection establishment completely. Further analysis has revealed implementation bugs and major inefficiencies in the implementations related to concurrency aspects. These findings demonstrate a need for more adversarial testing of VPN implementations with respect to DoS resilience.
翻译:今天,许多系统都严重依赖虚拟私人网络(VPN)技术来连接网络并保护互联网上的服务。 虽然先前的研究比较了不同执行项目的绩效, 但它们并不考虑对抗性设置。 为了弥补这一差距, 我们评估了VPN实施抗洪性功能对基于洪水的拒绝服务(DoS)袭击的抗御力。 我们侧重于一类无国籍洪灾袭击,这些袭击特别威胁到真正的连接,因为这些袭击可以由使用假IP地址的反向攻击者实施。 我们已经实施了各种袭击性袭击,以评估DoS对三种主要的开放源 VPN解决方案的复原力, 并取得了惊人的结果: 在高性能硬件和40美元上,\mathrm{Gb/s}接口上, 已经建立的WireGuard连接的数据传输完全无法通过700美元,\mathrm{Mb/s} 攻击交通流量的流量。 对于强Swan(IPsec)来说, 敌方可以阻止任何合法连接, 仅使用75美元,\mathrem{Mb/s} 攻击性交通流量流量流量的可靠性。 OpnPNlus 连接将无法使用100\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\xxxxxxxxxxxxxxxx