Stability against attacks

Posted: Tue Nov 06, 2018 10:54 am
by andreasm82
At the moment, I see a lot of attacks on industrial routers with installed Openvpn Server 2.3.18.

E.g. there are 100 new incoming Openvpn requests in a short time. Then the router gets a very high load and restarts by itself (watchdog). In other words, it is a DoS attack.

What I would like to suggest is a more stable openvpn and a limit on connections. If the number of incoming connections is too high, it should block for some seconds and wait until it is stable again. But in this case, users would also no longer be able to connect, so it is not an ideal solution.
Do you have any other ideas?

This is an extract of an attack (last 3 digits of IP are masked out):
..........
Tue Nov 6 05:17:03 2018 209.206.45.xxx:60144 SIGUSR1[soft,tls-error] received, client-instance restarting
Tue Nov 6 05:17:04 2018 209.206.45.xxx:60144 TLS: Initial packet from [AF_INET]209.206.45.xxx:60144, sid=6a22eb44 5adb63fe
Tue Nov 6 05:18:04 2018 209.206.45.xxx:60144 TLS Error: TLS key negotiation failed to occur within 60 seconds (check your network connectivity)
Tue Nov 6 05:18:04 2018 209.206.45.xxx:60144 TLS Error: TLS handshake failed
Tue Nov 6 05:18:04 2018 209.206.45.xx:60144 SIGUSR1[soft,tls-error] received, client-instance restarting
Tue Nov 6 05:18:04 2018 209.206.45.xxx:60144 TLS: Initial packet from [AF_INET]209.206.45.xxx:60144, sid=6a22eb44 5adb63fe
Tue Nov 6 05:19:04 2018 209.206.45.xxx:60144 TLS Error: TLS key negotiation failed to occur within 60 seconds (check your network connectivity)
Tue Nov 6 05:19:04 2018 209.206.45.xxx:60144 TLS Error: TLS handshake failed
..............


System details:
Tue Nov 6 12:32:06 2018 OpenVPN 2.3.18 arm-unknown-linux-gnu [SSL (OpenSSL)] [LZO] [EPOLL] [MH] [IPv6] built on Dec 11 2017
Tue Nov 6 12:32:06 2018 library versions: OpenSSL 1.0.2n 7 Dec 2017, LZO 2.06



Greets, Andreas

Re: Stability against attacks

Posted: Tue Nov 06, 2018 12:47 pm
by TinCanTech
Why do you think this is an "attack"?

Re: Stability against attacks

Posted: Tue Nov 06, 2018 12:50 pm
by andreasm82
I know it. The connections are to 20...30 routers at the same time and they are from the USA. We don't have VPN connections from the USA.
Normally only 2...4 users connect to a VPN device. In this case, there are >100 connections in a short time.

Re: Stability against attacks

Posted: Tue Nov 06, 2018 8:46 pm
by TinCanTech
Try using the advanced TLS options, e.g. --tls-auth

Re: Stability against attacks

Posted: Wed Nov 07, 2018 7:00 am
by andreasm82
No, that doesn't help. The router / openvpn restarts if there are too many incoming requests. So it doesn't matter if a password is used or not - this happens later in the process.

Another attack from this morning also leads to a restart:

.........
Wed Nov 7 04:02:38 2018 200.6.39.xxx:31588 SIGUSR1[soft,ping-restart] received, client-instance restarting
Wed Nov 7 04:02:40 2018 200.6.39.xxx:36498 TLS: Initial packet from [AF_INET]200.6.39.213:36498, sid=6a22eb44 5adb63fe
Wed Nov 7 04:02:42 2018 200.6.39.xxx:50087 TLS: Initial packet from [AF_INET]200.6.39.213:50087, sid=6a22eb44 5adb63fe
Wed Nov 7 04:02:44 2018 200.6.39.xxx:33294 TLS: Initial packet from [AF_INET]200.6.39.213:33294, sid=6a22eb44 5adb63fe
Wed Nov 7 04:02:47 2018 200.6.39.xxx:54953 TLS: Initial packet from [AF_INET]200.6.39.213:54953, sid=6a22eb44 5adb63fe
Wed Nov 7 04:02:49 2018 200.6.39.xxx:11328 TLS: Initial packet from [AF_INET]200.6.39.213:11328, sid=6a22eb44 5adb63fe
Wed Nov 7 04:02:51 2018 200.6.39.xxx:63719 TLS: Initial packet from [AF_INET]200.6.39.213:63719, sid=6a22eb44 5adb63fe
Wed Nov 7 04:02:52 2018 200.6.39.xxx:28501 TLS: Initial packet from [AF_INET]200.6.39.213:28501, sid=6a22eb44 5adb63fe
Wed Nov 7 04:02:52 2018 200.6.39.xxx:29893 TLS: Initial packet from [AF_INET]200.6.39.213:29893, sid=6a22eb44 5adb63fe
Wed Nov 7 04:02:52 2018 200.6.39.xxx:37236 TLS: Initial packet from [AF_INET]200.6.39.213:37236, sid=6a22eb44 5adb63fe
Wed Nov 7 04:02:52 2018 200.6.39.xxx:27364 TLS: Initial packet from [AF_INET]200.6.39.213:27364, sid=6a22eb44 5adb63fe
Wed Nov 7 04:02:52 2018 200.6.39.xxx:33359 TLS: Initial packet from [AF_INET]200.6.39.213:33359, sid=6a22eb44 5adb63fe
Wed Nov 7 04:02:52 2018 200.6.39.xxx:15544 TLS: Initial packet from [AF_INET]200.6.39.213:15544, sid=6a22eb44 5adb63fe
..........
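As an added example (not code from the thread or from OpenVPN): the pattern in the excerpt above, many "TLS: Initial packet" lines from one host inside the 60-second hand-window, can be detected from the server log itself. The sample lines below are constructed to match the thread's log format, and the window and threshold are assumptions to tune per site.

```python
import re
from collections import defaultdict, deque
from datetime import datetime

# Regex for the OpenVPN 2.3 log format quoted in the thread:
# "Wed Nov 7 04:02:52 2018 200.6.39.xxx:37236 TLS: Initial packet from ..."
LINE_RE = re.compile(
    r"^(?P<ts>\w{3} \w{3}\s+\d{1,2} \d\d:\d\d:\d\d \d{4}) "
    r"(?P<src>\S+):(?P<port>\d+) (?P<msg>.*)$"
)

def parse_line(line):
    """Return (timestamp, source_host, message), or None for lines without host:port."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    # Collapse the variable spacing in front of single-digit days before parsing.
    ts = datetime.strptime(" ".join(m["ts"].split()), "%a %b %d %H:%M:%S %Y")
    return ts, m["src"], m["msg"]

def find_handshake_floods(lines, window_s=60, threshold=10):
    """Flag each host that opens >= threshold TLS handshakes within window_s seconds.

    Every 'TLS: Initial packet' line is a client instance the server must keep state
    for until the hand-window (60 s by default) expires, so a burst of them from one
    host is exactly the load pattern the thread describes.
    """
    recent = defaultdict(deque)   # host -> timestamps of its recent initial packets
    alerted, alerts = set(), []
    for line in lines:
        parsed = parse_line(line)
        if parsed is None:
            continue
        ts, host, msg = parsed
        if not msg.startswith("TLS: Initial packet"):
            continue
        q = recent[host]
        q.append(ts)
        while (ts - q[0]).total_seconds() > window_s:   # slide the window
            q.popleft()
        if len(q) >= threshold and host not in alerted:
            alerted.add(host)
            alerts.append((host, len(q), ts))
    return alerts

# Constructed sample: twelve handshakes in 12 s from one masked host, one normal client.
SAMPLE = ["Wed Nov 7 04:02:38 2018 200.6.39.xxx:31588 SIGUSR1[soft,ping-restart] received, client-instance restarting"]
SAMPLE += [f"Wed Nov 7 04:02:{40 + i} 2018 200.6.39.xxx:{30000 + i} TLS: Initial packet from "
           f"[AF_INET]200.6.39.xxx:{30000 + i}, sid=00000000 00000000" for i in range(12)]
SAMPLE += ["Wed Nov 7 04:05:01 2018 10.0.0.xxx:1194 TLS: Initial packet from [AF_INET]10.0.0.xxx:1194, sid=00000000 00000000"]
```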

Re: Stability against attacks

Posted: Wed Nov 07, 2018 10:13 am
by TinCanTech
--tls-auth will not stop the "attack" but it will drop the connection much earlier than without it.

Re: Stability against attacks

Posted: Thu Nov 15, 2018 8:59 am
by andreasm82
I checked this option and it seems to be very important. So I wonder why it is not used by default.

Features of TLS-auth:

DoS attacks or port flooding on the OpenVPN UDP port.
Port scanning to determine which server UDP ports are in a listening state.
Buffer overflow vulnerabilities in the SSL/TLS implementation.
SSL/TLS handshake initiations from unauthorized machines (while such handshakes would ultimately fail to authenticate, tls-auth can cut them off at a much earlier point).

https://openvpn.net/community-resources/how-to/


In the server configuration, add:

tls-auth ta.key 0

In the client configuration, add:

tls-auth ta.key 1

What happens if I change the key direction? Server = 1 and client = 0. Is it still safe, or does the client get the key from the server?

Re: Stability against attacks

Posted: Thu Nov 15, 2018 1:13 pm
by TinCanTech
It is simply conventional to have the server as 0 and the client as 1 but it works the opposite way as well.
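An added illustration of the key-direction question and the answer above, written for this page and not taken from the thread or from OpenVPN: a simplified Python model of the tls-auth HMAC check. The static key layout and the direction-to-key mapping follow my reading of OpenVPN's source and are labelled as assumptions to verify there; the real HMAC also covers the packet-id and opcode, which the model omits. It shows that the key never travels over the wire, that server 0 / client 1 and server 1 / client 0 both interoperate while matching directions do not, and that a sender without ta.key is rejected before any TLS state is created.

```python
import hashlib
import hmac
import os

# Assumed layout (my reading of OpenVPN's static key file; verify against the source):
# 256 bytes holding keys[0] and keys[1], each 64 bytes of cipher key followed by
# 64 bytes of HMAC key. tls-auth uses only the HMAC slots, truncated to the digest's
# key size (20 bytes for the default SHA1 --auth).
KEY_FILE_LEN = 256
TAG_LEN = hashlib.sha1().digest_size          # 20 bytes: HMAC key size and tag size

def hmac_keys(key_file):
    """Split the pre-shared ta.key contents into (keys[0].hmac, keys[1].hmac)."""
    assert len(key_file) == KEY_FILE_LEN
    return key_file[64:64 + TAG_LEN], key_file[192:192 + TAG_LEN]

class TlsAuthPeer:
    """One side of the control channel. Only the direction differs between peers;
    both hold the same ta.key, which is never transmitted."""
    def __init__(self, key_file, direction):
        k0, k1 = hmac_keys(key_file)
        # Assumed mapping: direction 0 sends with keys[0] and receives with keys[1];
        # direction 1 is the inverse. Opposite directions on both ends therefore match.
        self.send_key, self.recv_key = (k0, k1) if direction == 0 else (k1, k0)

    def wrap(self, control_payload):
        """Prepend the HMAC tag the peer checks before any TLS processing."""
        return hmac.new(self.send_key, control_payload, hashlib.sha1).digest() + control_payload

    def unwrap(self, packet):
        """Return the payload if the tag verifies, else None (dropped before TLS)."""
        tag, payload = packet[:TAG_LEN], packet[TAG_LEN:]
        expected = hmac.new(self.recv_key, payload, hashlib.sha1).digest()
        return payload if hmac.compare_digest(tag, expected) else None

def handshake_accepted(server_dir, client_dir, client_has_key=True):
    """True if the client's first control packet passes the server's tls-auth check."""
    ta_key = os.urandom(KEY_FILE_LEN)                 # constructed stand-in for ta.key
    server = TlsAuthPeer(ta_key, server_dir)
    # A machine without ta.key can only sign with some other key of its own.
    client = TlsAuthPeer(ta_key if client_has_key else os.urandom(KEY_FILE_LEN), client_dir)
    return server.unwrap(client.wrap(b"P_CONTROL_HARD_RESET_CLIENT_V2")) is not None
```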