Covid-19 and the lockdown has dramatically increased the use of Virtual Private Networks (VPNs). At the beginning of 2020 most organisations would have had the majority of users connecting to the network locally, and just a handful of remote workers connecting via a VPN. Since March 23th that dynamic has changed, with the majority of users now relying on remote connectivity for work.
This has naturally come with a few challenges. Connectivity issues are common when a user doesn’t have enough bandwidth. But this can often be resolved by ensuring that other people sharing the home WiFi are not on Netflix or House Party while a remote worker is trying to work!
The biggest challenge is security and specifically Distributed Denial of Service (DDoS) attacks. VPNs are easy targets and multiple users accessing the network via VPNs dramatically increases the surface area for these attacks.
What is a Distributed Denial of Service (DDoS) attack?
DDoS attacks take advantage of network capacity limits and will send multiple requests to a network resource with the aim of exceeding its capacity to handle multiple requests. As a result it overloads the system and prevents the network resource from functioning properly.
Typically, attackers target website resources with the goal of a ‘total denial of service’ so that the victim’s website won’t function. This may be for the purpose of demanding payment to stop the attack, to discredit a company or as a smoke screen to steal sensitive data. Targets are often online businesses like ecommerce retailers, IT and telecom companies, financial service providers and banks, and government organisations.
The financial consequences of an attack vary depending on the size of business and the network resource attacked. A DDoS on an ecommerce website will cost the business in lost sales, remediation and potentially any payments to stop the attack.
Why are Virtual Private Networks (VPNs) vulnerable?
While hackers generally target website infrastructure, the Covid-19 pandemic and widespread remote working has presented them with another opportunity. There has been a significant increase in malicious attackers launching DDoS attacks on VPN infrastructure at a time when they know the impact will be most felt.
Even low volume attacks can overwhelm VPN concentrators and firewalls, and low volumes are likely to go undetected by DDoS defences – as they don’t get triggered. Secure Socket Layer (SSL) VPNs are also vulnerable to SSL floods, where they are unable to handle high volume of SSL handshake requests. Randomised UDP floods or IKE floods are also an issue. Internet Key Exchange (IKE) is used by IPSec VPNs for authentication and encryption handshaking.
What can you do to secure your network?
As your remote VPN applications and concentrators may be old and previously only used as gap-filling IT infrastructure for a small number of remote users, you may not have optimised DDoS protection for your VPN or have tested your VPN infrastructure against this type of attack.
To identify threats and attacks your cyber security tools need to know what normal looks like, and VPN traffic currently looks very abnormal compared to what it looked like at the beginning of the year.
Monitoring and alerting are therefore essential to initially build a picture of what’s normal behaviour, and for real-time visibility on what’s happening on your network. With this information you can fine-tune DDoS policies to ensure attacks are identified in real-time.
To help address this challenge our recently launched cloud based Virtual SOC service now extends visibility beyond the perimeter to include VPN activity. This new feature will enable vulnerable businesses to quickly and cost effectively address the significant risks faced through the increase in VPN activity.
In response to Covid-19 and the increase in remote working, we are also offering customers a free Cyber Security Health Check. For further details please visit this webpage or contact us directly to find out more.