As a result of the COVID-19 pandemic, many organizations find themselves rushing to meet the sudden increase in Remote Access VPN (RA-VPN) traffic as many employees are choosing to (or have been asked to) work from home. Unfortunately, this also offers opportunities for malicious attackers to launch attacks on the VPN infrastructure at a time when they know the impact will be most felt.
Most businesses use old remote VPN applications and concentrators with a “hub and spoke” architecture. This is because VPNs are usually regarded as gap-filling IT infrastructure, used for business travel or for people accessing the company resources out of hours. The traffic originating through the VPN was usually a small percentage of the total enterprise IT traffic.
But now we are seeing situations where the majority of the workforce is working from home, which raises the importance, and the potential vulnerability, of VPN set-ups. Businesses now need to look at DDoS protection and then test their VPN infrastructure before a cybercriminal does it for them!
Even a low volume attack can exhaust resources on VPN concentrators and firewalls
Crafted attack traffic at volumes as low as a couple of Mbps can bring network firewalls to the point where they can’t accept any more new connections. Volumes this low often fail to trigger most DDoS defences, which are tuned for bandwidth floods rather than connection-state exhaustion.
SSL VPNs are vulnerable to SSL floods
SSL flood attacks exhaust server resources with a high volume of SSL handshake requests, because each handshake costs the server far more CPU than it costs the client to request one.
SSL/TLS renegotiation attacks take advantage of the processing power needed to negotiate a secure TLS connection on the “server” side. This type of attack sends spurious data to the firewall or repeatedly asks to renegotiate the TLS connection, which drives the firewall’s resource usage beyond its limits.
VPNs are susceptible to UDP floods
Attack scenarios include UDP floods, such as randomised UDP floods or IKE floods. IKE (Internet Key Exchange) is the protocol IPsec VPNs use to authenticate peers and negotiate encryption keys, so a flood of IKE initiation requests forces the concentrator into expensive handshake processing for every bogus request.
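The SSL handshake, TLS renegotiation and IKE floods described above share one detectable signature: an abnormal rate of handshake events from a single source. As an added example (not activereach code), the following Python script applies a sliding-window rate check to constructed concentrator log lines; the log format, source addresses and thresholds are all hypothetical and would need tuning against your own concentrator's normal baseline.

```python
# Added example (not activereach code): sliding-window rate detection for
# VPN handshake floods (TLS handshake/renegotiation, IKE init) over constructed
# log lines. Log format and thresholds are hypothetical; lines are chronological.
from collections import defaultdict, deque
from datetime import datetime, timezone

WINDOW_SECONDS = 10
THRESHOLDS = {"tls_handshake": 4, "tls_renegotiate": 2, "ike_init": 4}

# Constructed sample: 198.51.100.7 floods TLS handshakes, 203.0.113.9 floods
# IKE, 192.0.2.10 is a legitimate client with one handshake and one renegotiation.
SAMPLE_LOG = """\
2020-04-01T09:00:00Z src=192.0.2.10 event=tls_handshake
2020-04-01T09:00:01Z src=198.51.100.7 event=tls_handshake
2020-04-01T09:00:02Z src=198.51.100.7 event=tls_handshake
2020-04-01T09:00:02Z src=203.0.113.9 event=ike_init
2020-04-01T09:00:03Z src=198.51.100.7 event=tls_handshake
2020-04-01T09:00:03Z src=203.0.113.9 event=ike_init
2020-04-01T09:00:04Z src=198.51.100.7 event=tls_handshake
2020-04-01T09:00:04Z src=203.0.113.9 event=ike_init
2020-04-01T09:00:05Z src=198.51.100.7 event=tls_handshake
2020-04-01T09:00:05Z src=203.0.113.9 event=ike_init
2020-04-01T09:00:06Z src=203.0.113.9 event=ike_init
2020-04-01T09:00:30Z src=192.0.2.10 event=tls_renegotiate
"""

def parse_line(line):
    """Split 'timestamp src=IP event=NAME' into (datetime, ip, event)."""
    ts_str, src, event = line.split()
    ts = datetime.strptime(ts_str, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
    return ts, src.split("=", 1)[1], event.split("=", 1)[1]

def detect_floods(log_text, thresholds=THRESHOLDS, window=WINDOW_SECONDS):
    """Return [(src, event, count)] the first time a source exceeds the
    per-event threshold inside any sliding window of `window` seconds."""
    recent = defaultdict(deque)   # (src, event) -> timestamps still in window
    alerted, alerts = set(), []
    for line in log_text.splitlines():
        ts, src, event = parse_line(line)
        if event not in thresholds:
            continue             # ignore event types we are not rate-limiting
        key = (src, event)
        q = recent[key]
        q.append(ts)
        while (ts - q[0]).total_seconds() > window:
            q.popleft()          # drop timestamps that fell out of the window
        if len(q) > thresholds[event] and key not in alerted:
            alerted.add(key)     # alert once per source/event pair
            alerts.append((src, event, len(q)))
    return alerts
```

Running `detect_floods(SAMPLE_LOG)` flags the two flooding sources and leaves the legitimate client alone; in practice the same check would feed a rate limit or a block list on the concentrator or the DDoS mitigation in front of it.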
It is clear that now, more than ever, it is vital that your VPN is protected against malicious attacks. If you don’t have any protection in place or what you have is an old or untested system, now is the time to review your DDoS mitigation.
Don’t forget to test
Even if you have a shiny new DDoS mitigation system in place, you are not going to find out whether it will truly protect you until you are actually attacked. So don’t skip the final step: test your DDoS mitigation system. activereach provides quick, easy, cost-effective ways to make sure your investment in DDoS mitigation delivers the protection you think (or hope) you are getting, including DDoS VPN tests.
activereach offers a number of DDoS protection solutions as well as being experts in DDoS testing – so you can be sure what you have in place is working and will continue to work. Call us on 0845 625 9025 or contact us.