Virtual Private Network (VPN) – Key threats & security considerations

In the wake of the COVID-19 pandemic, many organisations find themselves scrambling to meet the sudden spike in Virtual Private Network (VPN) traffic, as most employees are now working from home. Unfortunately, this also presents a heightened opportunity for malicious attackers to disrupt services by launching various types of attack.

According to CyBourn (specialists in threat detection and monitoring), there has been a 33% increase in the number of scans and crawls against their clients – mainly in the retail and insurance industries – and such reconnaissance is the first stage of an attack. This type of attacker will then usually concentrate on VPN servers and email servers. The challenge, from an IT perspective, is that many VPN and remote-working servers will have been configured at the speed of light – which means mistakes happen, and major vulnerabilities are unwittingly left open.

Below we look at the types of VPN, and the main types of attack to which they are likely to be exposed. We also provide guidance on the controls that can address each type of attack, and an overview of general security considerations to help protect your IT services and resources.

What is a VPN?

For those of you who do not know, VPNs add privacy and security to networks, enabling data to be transferred between two points securely. They can be established over Public and Private Networks, adding additional security to the connection, protecting the data being transferred.

Whilst VPNs add a layer of security over and above transferring data in the clear (without security or encryption), they can be susceptible to cyber-attacks if they are not correctly configured, protected and regularly monitored.

There are basically two types of VPN:

  • Remote Access VPN
  • Site-to-Site VPN.

Remote Access VPN

A remote-access VPN permits a user to connect to a private network and access all its services and resources remotely. The connection between the user and the private network occurs through the Internet and the connection is secure and private.

Site-to-Site VPN

A Site-to-Site VPN is commonly used to connect geographically separate sites and offices, allowing transparent and secure communication between the networks at each site.

To establish a VPN – whether it be Remote Access or Site-to-Site – there are generally four protocols commonly used. You can find a detailed description of the protocols at the end of the blog.


Common Vulnerabilities and Attack Vectors

Various attack methods are used to compromise a VPN. When launched by cyber criminals they are likely to disrupt services and, in some cases, compromise data for malicious purposes or monetary reward.

The 4 most common attacks are:

  1. DDoS Attack (Distributed Denial of Service) – A DDoS attack can be launched by various methods:
    – TCP Blend Attack
    – SSL Flooding Attack
    – SSL Renegotiation Flood Attack.
  2. Session Hijacking Attack
  3. Man-In-The-Middle Attack
  4. Spoofing Attack.


DDoS – TCP Blend Attack

A TCP Blend attack typically sends a small number of TCP packets with the ‘SYN’ flag set, then a batch of TCP packets with the ‘ACK’ flag set, and then another set of packets with the ‘URG’ flag set. Sending mixed packets in this way can overwhelm network firewalls which, once overwhelmed, will drop the new connections being requested to establish VPN links. The attack is intended to disrupt services, rendering the VPN communication links unavailable. Sending many smaller packets often also bypasses DDoS defences, because the overall traffic volume is relatively small and stays below the thresholds at which volumetric defences trigger.

Common Mitigating Controls:

  • Ensure that all hosts, firewalls and DDoS policies are configured correctly. Most firewalls have a “SYN defender” or “embryonic connection” limit feature which, if enabled, will also help protect against this type of attack
  • DDoS policies should incorporate out-of-state packet detection and prevention
  • Setting rate-limit thresholds that match the expected number of VPN connections for the business will also cap the number of concurrent VPN tunnels that can be established, minimising exposure to a DDoS attack.


DDoS – SSL Flooding Attack

This attack tries to exhaust the server resources using a high volume of SSL handshake requests.

Common Mitigating Controls:

  • Stateful devices such as firewalls, VPN concentrators and load balancers should be monitored for TCP sessions and connection states. Creating a baseline and alerting on deviations from that baseline will also help when troubleshooting an issue during an attack.
  • Firewalls should have a “concurrent connection limit” enabled. A session timeout should also be configured so that sessions carrying no data packets are cleared down quickly rather than left consuming state.
  • Any DDoS policy used to reduce this type of attack should limit the number of connections that can be established concurrently from a given source IP address.
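
The out-of-state detection, SYN rate limit and per-source concurrent connection limit described in the TCP Blend and SSL Flooding sections can be prototyped against firewall logs. The following Python script is an added example, not code from the original post or from any firewall vendor; the packet log format, the threshold values and the IP addresses are constructed for illustration and would be replaced by the gateway's real flow logs and the thresholds set in the DDoS policy.

```python
from collections import defaultdict, deque
from dataclasses import dataclass

# Policy thresholds (assumed values; tune them to the expected VPN connection volume).
SYN_RATE_LIMIT = 5        # SYNs per source allowed within WINDOW_SECONDS
WINDOW_SECONDS = 1.0
CONCURRENT_LIMIT = 3      # half-open (SYN seen, no ACK yet) connections per source
IDLE_TIMEOUT = 30.0       # seconds before an idle half-open entry is expired

HALF_OPEN, ESTABLISHED = "half_open", "established"

# Constructed sample of client->VPN-gateway packets: "<time> <src_ip> <src_port> <flags>".
# 10.0.0.5 is a legitimate client; 198.51.100.7 sends the blend pattern from the text.
SAMPLE_PACKETS = """\
0.00 10.0.0.5 40001 S
0.02 10.0.0.5 40001 A
0.10 10.0.0.5 40001 PA
0.20 198.51.100.7 50000 A
0.21 198.51.100.7 50001 U
0.30 198.51.100.7 50002 S
0.31 198.51.100.7 50003 S
0.32 198.51.100.7 50004 S
0.33 198.51.100.7 50005 S
0.34 198.51.100.7 50006 S
0.35 198.51.100.7 50007 S
"""


@dataclass(frozen=True)
class Alert:
    time: float
    src: str
    reason: str


class TcpStateMonitor:
    """Tracks each client flow through SYN -> ACK and applies the three controls."""

    def __init__(self):
        self.flows = {}                        # (src_ip, src_port) -> (state, last_seen)
        self.syn_times = defaultdict(deque)    # src_ip -> timestamps of recent SYNs
        self.alerts = []

    def _half_open_count(self, src):
        return sum(1 for (ip, _), (st, _) in self.flows.items()
                   if ip == src and st == HALF_OPEN)

    def _expire(self, now):
        # Session timeout: half-open entries that never completed are dropped.
        stale = [k for k, (st, seen) in self.flows.items()
                 if st == HALF_OPEN and now - seen > IDLE_TIMEOUT]
        for k in stale:
            del self.flows[k]

    def packet(self, t, src, port, flags):
        self._expire(t)
        key = (src, port)
        if "R" in flags or "F" in flags:
            self.flows.pop(key, None)          # connection torn down
            return
        if "S" in flags:
            recent = self.syn_times[src]
            recent.append(t)
            while recent and t - recent[0] > WINDOW_SECONDS:
                recent.popleft()
            if len(recent) > SYN_RATE_LIMIT:   # rate-limit threshold exceeded
                self.alerts.append(Alert(t, src, "syn_rate"))
                return
            if self._half_open_count(src) >= CONCURRENT_LIMIT:
                self.alerts.append(Alert(t, src, "concurrent_limit"))
                return
            self.flows[key] = (HALF_OPEN, t)
            return
        state = self.flows.get(key)
        if state is None:
            # ACK/URG/PSH for a connection that never sent a SYN: out of state
            self.alerts.append(Alert(t, src, "out_of_state:" + flags))
            return
        if state[0] == HALF_OPEN and "A" in flags:
            self.flows[key] = (ESTABLISHED, t)  # handshake completed
        else:
            self.flows[key] = (state[0], t)


def analyse(log_text):
    """Run the monitor over a packet log and return the alerts in order."""
    mon = TcpStateMonitor()
    for line in log_text.splitlines():
        if not line.strip():
            continue
        t, src, port, flags = line.split()
        mon.packet(float(t), src, int(port), flags)
    return mon.alerts


if __name__ == "__main__":
    for a in analyse(SAMPLE_PACKETS):
        print(f"t={a.time:.2f} src={a.src} {a.reason}")
```

Running the script prints five alerts, all for 198.51.100.7: two out-of-state packets, two SYNs rejected by the concurrent limit and one rejected by the rate limit, while the legitimate client completes its handshake without any alert. The counters kept here are the same ones a firewall's "SYN defender" or embryonic-connection limit maintains internally.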


DDoS – SSL Renegotiation Flood Attack

An SSL/TLS renegotiation attack abuses the processing power that the server needs to negotiate a secure TLS connection. The attacker sends spurious data to the server or repeatedly asks to renegotiate the TLS connection, exhausting the server’s resources.

Common Mitigating Controls:

  • Disable SSL renegotiation and disable weak Cipher Suites. Where possible use SSL offloading to external load balancers; this will reduce the load on internal Firewalls or VPN Concentrators.
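
A TLS server context that applies the first two controls above (renegotiation disabled, weak cipher suites removed) can be built with Python's standard ssl module, which exposes the underlying OpenSSL options. This is an added example rather than a configuration from the original post; the weak-cipher marker list and the cipher string are assumed policy choices, and OP_NO_RENEGOTIATION is only available when Python is built against OpenSSL 1.1.0h or later, so the code treats it as optional.

```python
import ssl

# Cipher-suite name fragments a VPN gateway should not offer (assumed policy list).
WEAK_MARKERS = ("RC4", "MD5", "NULL", "DES", "EXP")

# Available only when Python is built against OpenSSL 1.1.0h or newer; 0 = not available.
NO_RENEGOTIATION = getattr(ssl, "OP_NO_RENEGOTIATION", 0)

# Assumed policy: forward-secret ECDHE suites with AES-GCM only, nothing anonymous or legacy.
CIPHER_POLICY = "ECDHE+AESGCM:!aNULL:!MD5:!RC4:!3DES"


def weak_ciphers(names):
    """Return the cipher-suite names that match one of the weak markers."""
    return [n for n in names if any(m in n.upper() for m in WEAK_MARKERS)]


def build_hardened_server_context():
    """Server context with renegotiation off, TLS 1.2+ only and a tight cipher list.
    In production the certificate chain and key are added with load_cert_chain()."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_SERVER)
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    ctx.options |= (ssl.OP_NO_COMPRESSION
                    | ssl.OP_CIPHER_SERVER_PREFERENCE
                    | NO_RENEGOTIATION)
    ctx.set_ciphers(CIPHER_POLICY)
    return ctx


def minimum_version_name(ctx):
    """Name of the lowest protocol version the context will negotiate."""
    return ctx.minimum_version.name


def audit_context(ctx):
    """Check a context against the controls in the text; returns a list of findings."""
    findings = []
    if ctx.minimum_version < ssl.TLSVersion.TLSv1_2:
        findings.append(f"minimum protocol version is {minimum_version_name(ctx)}")
    if NO_RENEGOTIATION and not (ctx.options & NO_RENEGOTIATION):
        findings.append("client-initiated renegotiation is not disabled")
    offered = [c["name"] for c in ctx.get_ciphers()]
    bad = weak_ciphers(offered)
    if bad:
        findings.append("weak cipher suites offered: " + ", ".join(bad))
    return findings


if __name__ == "__main__":
    hardened = build_hardened_server_context()
    print("offered suites:", [c["name"] for c in hardened.get_ciphers()])
    print("findings:", audit_context(hardened) or "none")
```

The audit function is the useful half: pointed at any SSLContext an application or gateway wrapper creates, it reports whether the context still allows pre-1.2 protocol versions, renegotiation or a legacy suite, which is the same check a change-control review would make before the concentrator goes live.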


Session Hijacking Attack

Cyber criminals carrying out Session Hijacking attacks exploit the client authentication process that takes place when communication is established with a server. Captured IP addresses and session sequence numbers are commonly used to launch the attack: the cyber criminal uses various applications and toolsets to listen for connection requests between a client and a server.

If the server cannot distinguish between genuine and false requests, it will permit the compromised session – at which point a cyber criminal has successfully launched an attack and gained privileged access to a network.

Common Mitigating Controls:

  • The most effective method of preventing this type of attack is to serve all sessions over HTTPS, so that session identifiers are never exposed in the clear.


Man-In-The-Middle Attack

In this attack the cyber criminal intercepts communications between an end user and a server, so that the end user’s laptop or computer is in fact connected to the attacker rather than to the genuine server.

Common Mitigating Controls:

  • Users can reduce their exposure to this type of attack by minimising the use of public open Wi-Fi services. If a user must use these public services, it is advisable to use an application that forces the use of HTTPS.
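
Both the session hijacking and the man-in-the-middle sections recommend HTTPS. The following added Python example (not from the original post) shows what "forcing HTTPS" looks like on the server side of a web-based VPN portal: plain-HTTP requests are redirected, HTTPS responses carry an HSTS header so browsers refuse to downgrade, session identifiers come from a cryptographic random source so they cannot be predicted, and the session cookie carries the Secure and HttpOnly flags. The host name, cookie name, session lifetime and the request/response representation are assumptions made for the example.

```python
import secrets
import time
from http import HTTPStatus
from http.cookies import SimpleCookie

COOKIE_NAME = "sid"                    # assumed cookie name
SESSION_TTL = 8 * 3600                 # assumed session lifetime in seconds
HSTS_HEADER = "max-age=31536000; includeSubDomains"


class SessionStore:
    """Server-side session table. Session IDs are random, so an attacker who
    cannot read the TLS stream cannot guess or compute a valid one."""

    def __init__(self, clock=time.time):
        self._sessions = {}            # sid -> (user, created_at)
        self._clock = clock            # injectable so expiry can be tested

    def create(self, user):
        sid = secrets.token_urlsafe(32)   # 256 bits from the OS CSPRNG
        self._sessions[sid] = (user, self._clock())
        return sid

    def lookup(self, sid):
        entry = self._sessions.get(sid)
        if entry is None:
            return None
        user, created = entry
        if self._clock() - created > SESSION_TTL:
            del self._sessions[sid]    # expired sessions are not honoured
            return None
        return user


def session_cookie(sid):
    """Set-Cookie value: Secure keeps it off plain HTTP, HttpOnly keeps it away
    from page scripts, SameSite=Strict blocks cross-site reuse."""
    return f"{COOKIE_NAME}={sid}; Path=/; Secure; HttpOnly; SameSite=Strict"


def parse_cookies(header):
    jar = SimpleCookie()
    jar.load(header or "")
    return {name: morsel.value for name, morsel in jar.items()}


def handle_request(scheme, host, path, cookie_header, store):
    """Return (status, headers, user). Plain HTTP is never served: the request
    is redirected, so a session cookie is never accepted or sent in the clear."""
    if scheme != "https":
        return (HTTPStatus.MOVED_PERMANENTLY,
                {"Location": f"https://{host}{path}"}, None)
    headers = {"Strict-Transport-Security": HSTS_HEADER}
    sid = parse_cookies(cookie_header).get(COOKIE_NAME)
    user = store.lookup(sid) if sid else None
    if user is None:
        return (HTTPStatus.UNAUTHORIZED, headers, None)
    return (HTTPStatus.OK, headers, user)


if __name__ == "__main__":
    store = SessionStore()
    sid = store.create("alice")
    print(handle_request("http", "vpn.example", "/portal", "", store)[:2])
    print(handle_request("https", "vpn.example", "/portal", f"sid={sid}", store))
    print(session_cookie(sid))
```

Together these properties are what the HTTPS recommendation buys: an eavesdropper on open Wi-Fi sees only ciphertext, the browser will not fall back to HTTP even if asked, and a guessed or stale identifier is rejected on the server.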


Spoofing Attack

Spoofing attacks can be launched in many ways. The intention of this type of attack is to capture personal and privileged information, which is later used to impersonate a person and gain trust, allowing inside access to systems and services.

The more common methods used to capture information are:

  • Email spoofing
  • Website and/or URL spoofing
  • Caller ID spoofing
  • Text message spoofing
  • GPS spoofing
  • Man-in-the-middle attacks
  • Extension spoofing
  • IP spoofing
  • Facial spoofing.

Common Mitigating Controls:

  • Cryptographic keys – unique to each individual and used to authenticate the client to the server when accessing IT services – are one of the most effective methods of preventing a spoofing attack. Being vigilant about unexpected emails, messages or requests for privileged data will also reduce a cyber criminal’s ability to launch this type of attack.
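
The per-user cryptographic key control above can be illustrated with a challenge-response exchange. The Python code below is an added example, not the original post's: it uses a symmetric HMAC key per user (standing in for the per-user certificate or key pair a production VPN would use) and shows both halves of the exchange, including why an impersonator without the key, or someone replaying a captured response, is rejected. Key storage, the nonce lifetime and the injected clock are assumptions for the example.

```python
import hashlib
import hmac
import secrets
import time

CHALLENGE_TTL = 30     # seconds a challenge stays valid (assumed)


class KeyAuthenticator:
    """Server side: holds one secret key per enrolled user and issues single-use
    challenges. A response is only accepted if it was computed with that user's
    key over the current, unexpired challenge."""

    def __init__(self, clock=time.time):
        self._keys = {}       # user -> key (constructed; a real service uses a key store)
        self._pending = {}    # user -> (nonce, issued_at)
        self._clock = clock

    def enrol(self, user):
        key = secrets.token_bytes(32)   # unique per individual
        self._keys[user] = key
        return key                      # delivered once, out of band

    def challenge(self, user):
        if user not in self._keys:
            return None
        nonce = secrets.token_bytes(16)
        self._pending[user] = (nonce, self._clock())
        return nonce

    def verify(self, user, response):
        nonce, issued = self._pending.pop(user, (None, None))   # single use
        if nonce is None or self._clock() - issued > CHALLENGE_TTL:
            return False
        expected = hmac.new(self._keys[user], nonce, hashlib.sha256).digest()
        return hmac.compare_digest(expected, response)          # constant time


def client_response(key, nonce):
    """Client side: prove possession of the key without ever transmitting it."""
    return hmac.new(key, nonce, hashlib.sha256).digest()


def demo():
    """Walk through the four outcomes a verifier must distinguish."""
    clock = [0.0]
    server = KeyAuthenticator(clock=lambda: clock[0])
    alice_key = server.enrol("alice")

    nonce = server.challenge("alice")
    genuine = client_response(alice_key, nonce)
    results = {"genuine": server.verify("alice", genuine)}

    # Replay: a captured response presented against a fresh challenge
    server.challenge("alice")
    results["replay"] = server.verify("alice", genuine)

    # Impersonator: knows the username and sees the nonce but holds no key
    nonce = server.challenge("alice")
    results["impersonator"] = server.verify(
        "alice", client_response(secrets.token_bytes(32), nonce))

    # Stale challenge answered after the TTL has passed
    nonce = server.challenge("alice")
    clock[0] += CHALLENGE_TTL + 1
    results["expired"] = server.verify("alice", client_response(alice_key, nonce))
    return results


if __name__ == "__main__":
    print(demo())
```

Because the key never leaves the client and every challenge is fresh, the information a spoofer could collect (username, observed nonces, observed responses) is not enough to authenticate; that is the property the text relies on when it calls per-individual keys the most effective control.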


General Security Considerations to help protect remotely accessed IT services and resources

The following list provides generic ‘should do’ advice when establishing a security baseline:

  • Security policies and guidelines should be established to provide details and governance in the use of VPN services
  • Firewalls should be utilised to protect VPN connections
  • Intrusion Detection or Prevention Systems will provide advance warning and detailed metrics about an attack
  • Anti-virus software should be installed (and kept up to date) on remote clients and network servers
  • Remote client and network server operating systems/applications should be kept patched and up to date
  • Where possible do not use ‘split tunnelling’ to access the internet or other unsecured network resources
  • Enable Multi-factor Authentication for VPN accounts
  • Logging and auditing should be enabled to provide a record of unauthorised access or connection attempts
  • Sensitive systems should have unique access granted to users – with unauthenticated access disabled
  • Regular training should be provided to all users about cyber security good practices and the safe use of equipment.
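
Two items in the list above, multi-factor authentication and logging of connection attempts, only pay off if someone actually reads the logs. The following added Python example (not from the original post) audits a constructed VPN gateway authentication log: it reports source addresses with repeated failures and accounts that logged in without MFA. The log line format, field names and the alerting threshold are assumptions; a real gateway's format would need its own regular expression.

```python
import re
from collections import Counter, defaultdict

FAILURE_THRESHOLD = 3    # assumed: failed attempts per source before alerting

# Constructed VPN gateway log (format and addresses invented for this example).
SAMPLE_LOG = """\
2020-04-01T08:00:01Z vpn-gw auth user=alice src=10.0.0.5 result=success mfa=yes
2020-04-01T08:00:10Z vpn-gw auth user=bob src=198.51.100.7 result=failure mfa=no
2020-04-01T08:00:12Z vpn-gw auth user=bob src=198.51.100.7 result=failure mfa=no
2020-04-01T08:00:15Z vpn-gw auth user=admin src=198.51.100.7 result=failure mfa=no
2020-04-01T08:00:18Z vpn-gw auth user=root src=198.51.100.7 result=failure mfa=no
2020-04-01T08:00:40Z vpn-gw auth user=dave src=10.0.0.12 result=failure mfa=yes
2020-04-01T08:01:00Z vpn-gw auth user=carol src=10.0.0.9 result=success mfa=no
not a log line at all
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) (?P<host>\S+) auth user=(?P<user>\S+) src=(?P<src>\S+) "
    r"result=(?P<result>success|failure) mfa=(?P<mfa>yes|no)$"
)


def parse_log(text):
    """Return (records, malformed_count); malformed lines are counted, not dropped silently."""
    records, skipped = [], 0
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            records.append(m.groupdict())
        elif line.strip():
            skipped += 1
    return records, skipped


def audit_auth_log(text):
    """Summarise repeated failures per source and successful logins without MFA."""
    records, skipped = parse_log(text)
    failures = Counter()
    users_tried = defaultdict(set)
    without_mfa = set()
    for rec in records:
        if rec["result"] == "failure":
            failures[rec["src"]] += 1
            users_tried[rec["src"]].add(rec["user"])
        elif rec["mfa"] == "no":
            without_mfa.add(rec["user"])
    suspicious = {src: {"failures": n, "users": sorted(users_tried[src])}
                  for src, n in failures.items() if n >= FAILURE_THRESHOLD}
    return {"suspicious_sources": suspicious,
            "successful_logins_without_mfa": sorted(without_mfa),
            "malformed_lines": skipped}


if __name__ == "__main__":
    for key, value in audit_auth_log(SAMPLE_LOG).items():
        print(f"{key}: {value}")
```

On the sample the report names one source that failed four times across three different accounts, which is the password-guessing pattern the logging control exists to expose, and one account that still authenticates with a password alone and therefore has not yet been moved onto MFA.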

In summary, good cyber hygiene is essential when preventing any type of attack, especially when working remotely. When using VPNs, we now need to be extra cautious – as we are likely to see rapid growth in attacks.


About the author

Neil Ackerley
Principal Consultant, CRMG
Industry Specialism: Government
Area of Expertise: Cyber Security Executive Management, Information Risk

VPN Definitions

To establish a VPN (whether it be Remote Access or Site-to-Site) there are generally four protocols commonly used:

  • IPSec (Internet Protocol Security)
  • PPTP (Point to Point Tunnelling Protocol)
  • L2TP (Layer 2 Tunnelling Protocol)
  • SSL/TLS VPN (Secure Sockets Layer/Transport Layer Security – VPN).

Internet Protocol Security (IPSec)

IPSec is used to secure communication across an IP network. It secures Internet Protocol communications by authenticating the session and encrypting each data packet.

IPSec can run in 2 modes:

  • Transport mode – encrypts only the payload (the message) carried inside each data packet
  • Tunnel mode – encrypts the entire original data packet

Point-to-Point Tunnelling Protocol (PPTP) and Point-to-Point Protocol (PPP)

PPTP or Point-to-Point Tunnelling Protocol establishes a ‘tunnel’ between endpoints which is used to transfer data packets.

The Point-to-Point Protocol (PPP) is used to encrypt data between the connections.

Layer 2 Tunnelling Protocol (L2TP)

L2TP or Layer 2 Tunnelling Protocol is a tunnelling protocol that is often combined with another VPN security protocol, such as IPSec, to establish a highly secure VPN connection.

L2TP creates a tunnel between two L2TP connection points, while the IPSec protocol encrypts the data and maintains secure communication through the tunnel.


SSL/TLS VPN

SSL (Secure Sockets Layer) and TLS (Transport Layer Security) VPNs are established through web browsers. The web browser acts as the client, with user access restricted to specific applications. E-commerce websites commonly use the SSL and TLS protocols to establish HTTPS connections.