Corero Network Security, a provider of real-time DDoS defense technologies, recently published their annual DDoS Threat Intelligence Report. The report was co-authored by Corero CTO Ashley Stephenson. HostingJournalist sat down with him to talk about the report, which contains trends, observations, predictions, and recommendations based on DDoS attacks against Corero clients.
What were the most important things to be read in the Corero report?
“The seemingly never-ending list of legitimate Internet accessible services that are vulnerable to exploitation as DDoS vectors. For decades software developers have been creating web-based programs ranging from essential networking infrastructure services to helpful utilities. Many of these have no protection against DDoS exploitation. The number of instances of these potential DDoS attack cohorts has rocketed into the billions with the advent of IoT. The outlook for the risk of DDoS is not improving.”
What are the causes of OpenVPN reflections popping up as an attack vector?
“The increase in frequency of the use of a specific DDoS vector usually results from several contributing factors including:
- Knowledge of the vulnerability amongst the cybercriminal community. (i.e. the OpenVPN server protocol can be used as a DDoS amplifier – one packet in, many packets out).
- Large number of vulnerable and accessible servers on the Internet (at least 100,000s).
- Potential boosters to the potency of the vulnerability such as: exploitable servers with high speed connectivity or capacity; default configurations that increase amplification, et cetera.
- Incorporation and automation of the exploit into darkweb booter or stresser services.”
“The OpenVPN vector meets most if not all of these criteria.”
Why specifically now, at this moment?
“It is always ‘now’ for the latest new DDoS vector. There will be another new vector next quarter, and the quarter after. It is potentially significant that the pandemic has continued to fuel the growth in the number of accessible OpenVPN servers. During the past year we observed more than 10,000 new servers added per month. Each one a potential DDoS amplifier.”
Why would it be bad news for the DDoS victim?
“All DDoS is bad for the victim if they are not adequately protected with a DDoS detection and mitigation solution. OpenVPN may be particularly potent as it uses a well-known port that is often left open in simple firewalling, allowing the DDoS to progress into poorly defended networks.”
Why would it be bad news for the organization whose OpenVPN infrastructure is being used to launch the DDoS attack?
“An organization’s OpenVPN server is usually sized to cope with the processing demand from legitimate user sessions. For example, supporting 100 remote employees. Similarly, the organization’s Internet link will be appropriate for the number of simultaneous users connected to their VPN service. During a DDoS attack, an organization’s vulnerable OpenVPN server may be called upon to process 1000s of spoofed requests that could be amplified to 10,000s of malicious responses (DDoS).”
“This abuse of the OpenVPN server can overload both its processing capability and the outbound link capacity, resulting in degraded service to legitimate users or even an outage of the organization’s OpenVPN server. It is not unusual to see 10,000s of OpenVPN servers participating in a DDoS attack, meaning that this collateral damage scenario could be simultaneously playing out at 10,000 organizations around the world.”
From Corero’s recent report it appears that DDoS threats are growing in sophistication, size, and frequency. What does it mean for DDoS mitigation?
“Corresponding improvements and advances are required in the battle defense against DDoS, both in security technology and security practices.”
What DDoS attack trends do you see for 2021/2022 and beyond?
“For the past decade, DDoS activity has grown in lock step with Internet growth. For the foreseeable future, as long as the Internet keeps growing in size, speed and scope then the DDoS threat will grow with it.”
The COVID-19 pandemic has bolstered the migration of (parts of) IT infrastructure to the cloud. What does it mean for DDoS attack risks and mitigation requirements?
“The associated increases in the number of cloud server instances and the connected speed of the services they offer contributes to the potential supply of DDoS attack cohorts and potential victims. This increases the likelihood that DDoS will remain in the top-5 cybersecurity threats facing organizations.”
What lessons can be learned by the hosting and data center industry, based on Corero’s recent market study?
“DDoS is a growing threat to all Internet connected businesses. It is a well understood security and availability risk that can be mitigated with the right selection of DDoS products, services and security practices.”
In what way can hosting and cloud providers benefit from the solutions delivered by Corero?
“There are two main value propositions associated with a provider’s investment in a DDoS solution. The provider gains infrastructure protection against malicious DDoS activity, preventing outages and improving customer service. Reliability, security and quality are becoming key competitive differentiators for hosting and cloud providers. Secondly, the provider can offer an additional revenue generating service on a per tenant basis in the form of individualized DDoS monitoring and protection for their customers.”
About Corero Network Security
Corero is a global provider of real-time, high-performance, automatic DDoS cyber defense solutions. Service and hosting providers, alongside digital enterprises across the globe, rely on Corero’s cybersecurity technology to eliminate the threat of Distributed Denial of Service (DDoS) to their digital environment through automatic attack protection, coupled with network visibility, analytics, and reporting. Corero’s key operational centers are located in Marlborough, Massachusetts, USA and Edinburgh, UK, with the Company headquartered in Amersham, UK. Corero is listed on the London Stock Exchange’s AIM market.