Can you DDoS a VPN server?

[wtfvanity]

I'm not looking to do anything illegal.

Can a VPN service like say the one provided by Private Internet Access be DDoS attacked? If the only port they have opened on a server is an OpenVPN port, no http, mail, or anything else, can it be DDoSed? Would this make it so their customers could not connect to the VPN and utilize the service?

If I wanted to try it in person, set up my own VPN server and DDoS it, are there simple legitimate DDoS services or methods or are they all black market?

MODs feel free to move this if I screwed up where I should put this.

[1714996183]

1714996183

[1714996183]

1714996183

[sega01]

These are good questions and you asked them humbly. I hope this is a good response.

Can a VPN service like say the one provided by Private Internet Access. If the only port they have opened on a server is an OpenVPN port, no http, mail, or anything else, can it be DDoSed?

Yes, absolutely. So I'll start with the literal meanings and go into the technicalities.

DoS = Denial of Service
DDoS = Distributed Denial of Service

So a DoS usually comes from one source, or is really small. DDoS is likely to come from a botnet and be rather large, at least in term usage.

A DoS attack can be very simple, or more complicated. If you want to "deny service" from a service, you usually have to keep it from giving service. That could mean simply disconnecting a cable. Or making so many fake orders on a website that there's nothing else in stock, in which case there's no more service which people can take.

More commonly, a DoS can be a network flood enough to saturate the link. If their connection can only handle 10MB/s of traffic and you flood them with 10+MB/s of traffic, not much else is going to get through. Any services, OpenVPN, SMTP/email, HTTP, all depend on the network link on the server to serve traffic. The firewall on the server itself pretty much can do nothing other than drop traffic for ports already open (or move traffic around in silly ways if needed). But it won't stop traffic from hitting the interface. You can send UDP traffic or even a completely different layer 4 altogether, and it'll probably get to the host and have an effect, at least in terms of network saturation.

More efficiently in terms of bandwidth, you can do HTTP benchmarks. If the webserver/web code is slow or particularly misconfigured, that alone will make a website mostly unavailable. If the service is over TCP at all (I think OpenVPN can do TCP and/or UDP), a TCP syn flood is possible.

So you really have to look at network saturation, application saturation, service saturation, and server saturation. If any of those are "saturated", it can  be a successful denial of service.

If I wanted to try it in person, set up my own VPN server and DDoS it, are there simple legitimate DDoS services or methods or are they all black market?

Kind of iffy. You may have issues with hosting providers on both ends. Most hosting providers don't like their network being needlessly flooded. For a DoS from a single source (or multiple, if you have several VPSs), you can try hping3. I have seen one DDoS-as-a-service website, and maybe there are some "legitimate" ones, but that is still questionable. You can search for them and try them if you like. Your best option is to test it out locally. If you can get three machines and a switch, you can set the server to negotiate to 10Mbit/s (to make it easier) on the ethernet link, have the attacking machine flood the server, and see what happens when the real client tries to reach it.

You can also do that in a VM environment, all on your desktop. Of course, it's not entirely as realistic due to certain factors, but may be enough of a test. And keep in mind, DoS on a switch is much harder than over a router. Routers are so much slower than switches in terms of packet-per-second performance. They are often the bottle neck in many cases.

If you want a good DDoS service to do a real world test (which is a bad idea), you can try the black market sites on Tor.

I hope this helps a bit! Let me know if you have any more questions about this.

Sincerely,
Teran

[wtfvanity]

These are good questions and you asked them humbly. I hope this is a good response.

Can a VPN service like say the one provided by Private Internet Access. If the only port they have opened on a server is an OpenVPN port, no http, mail, or anything else, can it be DDoSed?

Yes, absolutely. So I'll start with the literal meanings and go into the technicalities.

DoS = Denial of Service
DDoS = Distributed Denial of Service

So a DoS usually comes from one source, or is really small. DDoS is likely to come from a botnet and be rather large, at least in term usage.

A DoS attack can be very simple, or more complicated. If you want to "deny service" from a service, you usually have to keep it from giving service. That could mean simply disconnecting a cable. Or making so many fake orders on a website that there's nothing else in stock, in which case there's no more service which people can take.

More commonly, a DoS can be a network flood enough to saturate the link. If their connection can only handle 10MB/s of traffic and you flood them with 10+MB/s of traffic, not much else is going to get through. Any services, OpenVPN, SMTP/email, HTTP, all depend on the network link on the server to serve traffic. The firewall on the server itself pretty much can do nothing other than drop traffic for ports already open (or move traffic around in silly ways if needed). But it won't stop traffic from hitting the interface. You can send UDP traffic or even a completely different layer 4 altogether, and it'll probably get to the host and have an effect, at least in terms of network saturation.

More efficiently in terms of bandwidth, you can do HTTP benchmarks. If the webserver/web code is slow or particularly misconfigured, that alone will make a website mostly unavailable. If the service is over TCP at all (I think OpenVPN can do TCP and/or UDP), a TCP syn flood is possible.

So you really have to look at network saturation, application saturation, service saturation, and server saturation. If any of those are "saturated", it can  be a successful denial of service.

If I wanted to try it in person, set up my own VPN server and DDoS it, are there simple legitimate DDoS services or methods or are they all black market?

Kind of iffy. You may have issues with hosting providers on both ends. Most hosting providers don't like their network being needlessly flooded. For a DoS from a single source (or multiple, if you have several VPSs), you can try hping3. I have seen one DDoS-as-a-service website, and maybe there are some "legitimate" ones, but that is still questionable. You can search for them and try them if you like. Your best option is to test it out locally. If you can get three machines and a switch, you can set the server to negotiate to 10Mbit/s (to make it easier) on the ethernet link, have the attacking machine flood the server, and see what happens when the real client tries to reach it.

You can also do that in a VM environment, all on your desktop. Of course, it's not entirely as realistic due to certain factors, but may be enough of a test. And keep in mind, DoS on a switch is much harder than over a router. Routers are so much slower than switches in terms of packet-per-second performance. They are often the bottle neck in many cases.

If you want a good DDoS service to do a real world test (which is a bad idea), you can try the black market sites on Tor.

I hope this helps a bit! Let me know if you have any more questions about this.

Sincerely,
Teran

I appreciate the response. I've do understand the basics of DoS and DDoS.

Let me ask specifically in the example though for either one.

DoS. I have an OpenVPN set for UDP only. I require a password and a SSL certificate. If I got a little 10 meg connection VPS to test this, can I use hping3 to flood 100 megs of data towards that UDP port? Because I won't actually be authenticating, an attacker wouldn't have that data.

Then a DDoS, would be more along the lines of a bunch of people doing that same thing? So, I can test a DoS at it for now. How can I point some thick bandwidth at a VPS server running open VPN and the only port open on it would be the UDP?

[sega01]

DoS. I have an OpenVPN set for UDP only. I require a password and a SSL certificate. If I got a little 10 meg connection VPS to test this, can I use hping3 to flood 100 megs of data towards that UDP port? Because I won't actually be authenticating, an attacker wouldn't have that data.

Then a DDoS, would be more along the lines of a bunch of people doing that same thing? So, I can test a DoS at it for now. How can I point some thick bandwidth at a VPS server running open VPN and the only port open on it would be the UDP?

The VPS is running OpenVPN and on the 10Mbit/s line, correct? You should be able to. The authentication shouldn't matter at all. No reason to try to authenticate unless the authentication process is so slow it's more efficient to make the server come to a crawl by sending it real authentication requests. You don't have to send it to the particular port. Any traffic, TCP/UDP, to any port, sent to that IP *should* make it there.

That's right, a DDoS could be this many times over from multiple machines. You may be able to find an account on a seedbox or another VPS or two to send the attack. I'd give hping3 a try disabling wait times between packets and with 1500 byte (total) packets. UDP, TCP, shouldn't matter. Note that sending an attack from the box may render the attacker unreachable. A script which kills itself after 10 seconds might be good to get back into it, in case that happens.

Sincerely,
Teran

[wtfvanity]

The VPS is running OpenVPN and on the 10Mbit/s line, correct? You should be able to. The authentication shouldn't matter at all. No reason to try to authenticate unless the authentication process is so slow it's more efficient to make the server come to a crawl by sending it real authentication requests. You don't have to send it to the particular port. Any traffic, TCP/UDP, to any port, sent to that IP *should* make it there.

That's right, a DDoS could be this many times over from multiple machines. You may be able to find an account on a seedbox or another VPS or two to send the attack. I'd give hping3 a try disabling wait times between packets and with 1500 byte (total) packets. UDP, TCP, shouldn't matter. Note that sending an attack from the box may render the attacker unreachable. A script which kills itself after 10 seconds might be good to get back into it, in case that happens.

Sincerely,
Teran

I'm going to give it a shot. Thanks for the input. So even if the iptables only allows the connection on the UDP, I can still send it port 80 traffic and take it to its knees?

[sega01]

I'm going to give it a shot. Thanks for the input. So even if the iptables only allows the connection on the UDP, I can still send it port 80 traffic and take it to its knees?

No problem! That's right. Or the server itself may be fine, but the limit between the Internet and server is the bottleneck. Once it's saturated, nothing can reach the server, whether or not it's working otherwise.

[wtfvanity]

Thanks a bunch for your help. Learned some great stuff now I'm going to go test it out. 10 Mbps vps should be easy to test the concept. Thanks a bunch.

[keatonatron]

A lot of people think if you set the server or switch to ignore a certain type of packet that will eliminate the problem--but it doesn't, because someone still has to look at every single packet and decide if it needs to be ignored or not. So even if you set the switch to disregard one type of packet, those packets won't make it to your server and your server will have an easy time handling what information it does get--but the switch will be so busy checking and then throwing away the bad packets that legitimate packets will take a while to get through.

[nwbitcoin]

Anything can be DDoS'ed.

Its the simplest way to 'hack' any computer system - just overload it with data.

Preventing DDos attacks are a different ball game - The best way I'm aware of is to have some hardware that can deal with the packets far faster than your standard ethernet card, and to take the action away from the server being attacked.  Then you sort the real data from the multiple nonsense data, and throttle the remains to the server at a controlled rate.

What has happened in recent years is that now a DD0S attack is designed to just effect one service or port rather than take a whole server down - and they are really effective when you are dealing against a non hardened server.

[MysteryMiner]

OpenVPN can be easily overloaded with bogus handshakes. They are CPU-intensive. Or as people already told - brutally saturate the link. There are various bots available each with different ways of flooding - from ping flooding to intelligent exploitation how particular protocol or server operates.

VPN is for preserving data secrecy sent over insecure link, not for DDoS protection.

[wtfvanity]

OpenVPN can be easily overloaded with bogus handshakes. They are CPU-intensive. Or as people already told - brutally saturate the link. There are various bots available each with different ways of flooding - from ping flooding to intelligent exploitation how particular protocol or server operates.

VPN is for preserving data secrecy sent over insecure link, not for DDoS protection.

I'm not using this for DDoS protection mystery miner.

I did try it with a 10 meg link on a VPS and a 100 meg link dedicated server single connection easily saturated it. Thank you everyone, especially sega01.