
International Journal of Computer Trends and Technology (IJCTT), Volume 4, Issue 5, 2013
ISSN: 2231-2803, http://www.ijcttjournal.org, Page 1191



Mitigating DoS Attack in VPN

Monika (1), Swati Kapoor (2)

1 Assistant Professor, Department of Computer Science & Applications, Kurukshetra University, Kurukshetra, Haryana, India
2 Department of Computer Science & Applications, Kurukshetra University, Kurukshetra, Haryana, India

Abstract: A VPN provides confidentiality and integrity through tunneling and encryption. The protocols used in VPNs offer various security features, but none of them protects against Denial of Service (DoS) attacks. DoS attacks on VPNs are a serious threat to organizations that use the Internet for communication, and they also obstruct the services offered by service providers. Malicious traffic enters the Internet only through an edge network, so to provide a continuous VPN service a protection mechanism has to be added at the edge of the customer's network. This paper discusses such protection mechanisms based on filtering.

Keywords: DoS, VPN
I. INTRODUCTION
With the growth of the Internet, security has become a major concern, and it matters most when the communication medium is public. To secure network traffic we can either use firewalls or build our own private network. A firewall is a specially programmed router that sits between a site and the rest of the network [1]. A firewall is a good solution, but it is less effective than a private network, which is more secure; building a private network, however, is very costly. A technical solution for protecting data across the Internet is the VPN [2]. Virtual Private Networks are overlays on public networks that simulate the behaviour of a private network. They protect the data by encrypting and encapsulating the packets: a tunnel is created for the transfer of data, and the process of creating the tunnel is known as tunneling. A VPN logically constructs a geographically dispersed LAN whose sites communicate over the Internet. To a remote user, a VPN provides all the benefits of a private network, while corporations benefit from the low operational costs, high security and instant global coverage it offers [3][4]. Beyond encryption and tunneling, VPNs provide remote access, authentication, integrity and access control. VPNs can be built at several layers of the TCP/IP model. IPSec, L2TP, PPTP and SSL/TLS are widely used VPN technologies, and MPLS VPNs are also very popular. VPNs may be implemented with a large variety of technologies, ranging from dial lines to ATM or MPLS links, using multiple mechanisms to support data security as well as some level of QoS guarantees [5].
L2TP and PPTP are data link layer protocols, also known as layer 2 VPN protocols. The Point-to-Point Tunneling Protocol (PPTP) allows Point-to-Point Protocol (PPP) connections to be tunneled through an IP network, creating a Virtual Private Network (VPN) [6]; note that [6] itself documents cryptographic weaknesses in PPTP's MS-CHAPv2 authentication, so PPTP should not be relied on where confidentiality matters. Layer 2 VPN protocols encapsulate data in PPP frames and can carry non-IP protocols over an IP network. IPSec is implemented at the IP layer, so it protects all layers above it, in particular TCP and UDP; it is designed to provide interoperable, high-quality, cryptographically based security for IPv4 and IPv6. An SSL VPN consists of one or more VPN devices to which users connect with their Web browsers; the traffic between the browser and the SSL VPN device is encrypted with the SSL protocol or its successor, the Transport Layer Security (TLS) protocol. Current VPN technology permits using the public Internet or any IP (Internet Protocol) network as if it were a private leased line between end-points, providing secure access to all private resources [7]. Although VPNs provide security, they remain exposed to several attacks. Among active attacks, the Denial of Service attack, also known as an availability attack, is one of the major attacks on a VPN. Section 2 of this paper describes the role of VPNs in network security with the help of a simulation in OPNET IT GURU. Section 3 discusses the threats to VPNs and the DoS scenario, and Section 4 describes how filtering at the subscriber's edge can prevent a DoS attack: a ping attack, one example of a DoS attack, is simulated in OPNET IT GURU to check the performance after applying filtering at the subscriber's edge router.
II. ROLE OF VPNS IN NETWORK SECURITY
Firewalls are a good solution for securing the network against external attacks, but a restrictive firewall rule discards legitimate packets along with the unwanted ones. For example, if an employee sitting in the company's office wants to communicate with a server located at a different site, and the firewall in front of the server is configured to filter out all database traffic, the employee will never be able to send data to or receive data from the server. VPNs solve this problem: the firewall drops all traffic destined for the server except the traffic arriving through the VPN, so the remote sites that hold a tunnel to the server reach the database while everyone else is blocked. To analyze how network performance is affected when a VPN is built, three scenarios were created in OPNET IT GURU Academic Edition. Figure 1 shows the VPN scenario, in which a VPN is created between LAN2 and the Server. The second scenario has neither VPN nor firewall, and the third has a firewall only. In both Scenario 1 and Scenario 3 the firewall was configured to block database traffic.


Fig. 1 VPN over WAN

The simulated results in Figures 2 and 3 show that with the VPN only traffic from authenticated users reached the server, with the firewall alone all database traffic was blocked, and in the scenario with neither VPN nor firewall all the traffic from LAN1 reached the server.


Fig. 2 Database traffic received (packets/sec) versus simulation time (minutes)



Fig. 3 Database traffic received (packets/sec) versus simulation time (30 min)


As Figures 2 and 3 show, the VPN provides security by not admitting traffic from unauthorized users, but the VPN also increases response time, which means performance degradation. Figure 4 shows how the HTTP response time increases when a VPN is added to the network: line 1 shows the HTTP response time with VPN and firewall, line 2 the response time without VPN, and line 3 the response time with firewall only. The tunnel therefore adds delay of its own, and an attacker who floods the network or creates congestion piles additional delay on top of it, so legitimate VPN users feel the combined effect.


Fig. 4 HTTP page response time (seconds) versus simulation time (minutes)





III. METHOD TO PREVENT DOS ATTACK IN VPN
Although a VPN provides security through tunneling, authentication, encryption and integrity, various attacks from the external network are still possible. Table 1 lists several attacks on VPNs and their countermeasures.

TABLE I
Threats posed to VPNs and their countermeasures

Threat: Intrusion
Countermeasures: Control the ingress points into the VPN; block all illegitimate traffic from unauthorized users using firewalls.

Threat: Virus/malware infections
Countermeasures: Use antivirus on the client side and on the network servers.

Threat: Split tunneling
Countermeasures: Split tunneling by itself is not an attack, but it gives attackers on the shared network an opportunity to reach the internal network through the VPN client. A host-based firewall on the client can prevent such network-based attacks.

Threat: User-credential related threats
Countermeasures: Two-factor or three-factor authentication can be used to authenticate users at the remote end of the VPN connection.

Apart from these threats, the major threat to a VPN is the denial of service attack. In a denial-of-service (DoS) attack, an attacker attempts to prevent legitimate users from accessing information or services [8]. In anonymity networks, denial of service also lowers anonymity, because messages that have to be retransmitted to be delivered present more opportunities for attack [9]. DoS attacks can be either protocol based or infrastructure based, and infrastructure-based attacks are again of two types: bandwidth attacks and resource depletion attacks [10], [11]. Traditional DoS attacks are flooding attacks that fill the network with unwanted messages or packets. Low-rate attacks are harder to detect than flooding attacks because of their low average attack rate and varied attack patterns [12]. DoS attacks directed at the network infrastructure can have a serious impact on the overall operation of the Internet and hence on the VPN [13].
To understand how the attack occurs, assume that a company has branches in three countries. The employees of two branches are allowed to access all the services on the server, while the employees of the third branch have limited access, each of them being allowed different services depending on designation. An employee of the third branch, the attacker, is not allowed to access any information on the server. The attacker pings all the workstations in that branch to create internal traffic and gets those workstations to ping the server located in another branch, as shown in Figure 5. The attacker's aim is not to read the internal information on the server but only to create traffic in the network. To prevent this, filtering at the router is implemented.
IV. PROPOSED STRATEGY

To protect the network from outside attacks, the first step is obviously to filter the traffic coming into or going out of the network. Filtering rules can be of various types, for example source-based filtering, ingress filtering and egress filtering, and each mechanism has its own advantages and disadvantages. Ingress filtering at the provider edge drops packets whose source address does not belong to the customer's own address range, so forged source addresses are stopped on entry. Egress filtering, applied to packets leaving the customer network, stops most spoofed packets at their source, but a spoofed address taken from the customer's own range still passes it. So the first step is to filter.
A. Filtering at the Edge Router of the network
If filtering is done at the router, unauthorized users can be kept out of the secure network. In our strategy we use the extended access control list (ACL) feature of the router for filtering. With an extended ACL, traffic entering or leaving the network can be permitted or denied based on source address, destination address and protocol. So, in order to protect SiteB from the external network that contains the attacker, we imposed a filtering rule on RouterA that no traffic from RouterA is allowed to reach the secure networks, e.g. SiteB or LAN1, as shown in Figure 5. Router ACLs of this kind are evaluated top down and the first matching entry decides; a packet that matches no entry is dropped by the implicit deny at the end, so the entries that permit legitimate traffic must come before anything that would otherwise swallow it.
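To make the filtering concrete, the following is an added example, not the paper's OPNET configuration and not any vendor's code: a small Python model of an extended ACL with the first-match, implicit-deny semantics described above. It serves both the Section II firewall policy (only the VPN sites reach the database) and the Section IV.A RouterA rule. The address prefixes, gateway addresses, the database port 1521 and the BCP 38 style source check at RouterA are assumptions chosen for illustration; the paper names only the nodes.

```python
# Added example (not the paper's OPNET configuration): a stateless packet filter
# with router extended-ACL semantics: ordered entries, first match wins, implicit
# deny at the end. All addresses, ports and prefixes are assumptions.
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Optional


@dataclass(frozen=True)
class Packet:
    src: str                          # source IPv4 address
    dst: str                          # destination IPv4 address
    proto: str                        # "icmp", "tcp", "udp" or "esp"
    dport: Optional[int] = None       # TCP/UDP destination port
    icmp_type: Optional[int] = None   # 8 = echo request (ping)


@dataclass(frozen=True)
class Entry:
    action: str                       # "permit" or "deny"
    proto: str                        # protocol name, or "ip" for any protocol
    src: str                          # source prefix (CIDR)
    dst: str                          # destination prefix (CIDR)
    dport: Optional[int] = None       # None = any port
    icmp_type: Optional[int] = None   # None = any ICMP type

    def matches(self, p: Packet) -> bool:
        return ((self.proto == "ip" or self.proto == p.proto)
                and ip_address(p.src) in ip_network(self.src)
                and ip_address(p.dst) in ip_network(self.dst)
                and (self.dport is None or self.dport == p.dport)
                and (self.icmp_type is None or self.icmp_type == p.icmp_type))


class ExtendedACL:
    """Ordered entries; the first matching entry decides, otherwise implicit deny."""

    def __init__(self, entries):
        self.entries = list(entries)

    def decide(self, p: Packet) -> str:
        for e in self.entries:
            if e.matches(p):
                return e.action
        return "deny"

    def apply(self, packets):
        """Split traffic into (permitted, dropped), as a router interface would."""
        permitted = [p for p in packets if self.decide(p) == "permit"]
        dropped = [p for p in packets if self.decide(p) == "deny"]
        return permitted, dropped


# Assumed addressing (not from the paper):
#   attacker's branch behind RouterA : 10.3.0.0/24
#   SiteB / SalesB behind RouterB    : 10.2.0.0/24
#   LAN1 behind RouterE              : 10.1.0.0/24
#   public VPN gateways              : RouterB 198.51.100.2, RouterE 198.51.100.3,
#                                      firewall / tunnel endpoint 203.0.113.1
#   Server behind the firewall       : 203.0.113.10, database on TCP 1521
ANY = "0.0.0.0/0"

# RouterA, outbound (Section IV.A): nothing from the attacker's branch may reach
# the secure sites; other traffic from the branch's own prefix passes; a packet
# whose source is outside the branch prefix matches no entry and is dropped by
# the implicit deny, which is egress (BCP 38) source validation for free.
ROUTER_A_OUT = ExtendedACL([
    Entry("deny", "ip", "10.3.0.0/24", "10.2.0.0/24"),
    Entry("deny", "ip", "10.3.0.0/24", "10.1.0.0/24"),
    Entry("permit", "ip", "10.3.0.0/24", ANY),
])

# Firewall in front of the Server (Section II): IPsec (ESP, and IKE on UDP/500)
# is accepted only from the two VPN gateways, so database traffic inside the
# tunnels reaches the Server, while database traffic arriving in the clear is
# dropped and plain HTTP to the Server is still allowed.
FIREWALL_IN = ExtendedACL([
    Entry("permit", "esp", "198.51.100.2/32", "203.0.113.1/32"),
    Entry("permit", "esp", "198.51.100.3/32", "203.0.113.1/32"),
    Entry("permit", "udp", "198.51.100.2/32", "203.0.113.1/32", dport=500),
    Entry("permit", "udp", "198.51.100.3/32", "203.0.113.1/32", dport=500),
    Entry("deny", "tcp", ANY, "203.0.113.10/32", dport=1521),
    Entry("permit", "tcp", ANY, "203.0.113.10/32", dport=80),
])

# Constructed traffic sample for the ping-attack scenario of Section IV.B.
ATTACK_TRAFFIC = [
    Packet("10.3.0.50", "10.2.0.10", "icmp", icmp_type=8),   # Attacker pings SalesB
    Packet("10.3.0.20", "10.2.0.10", "icmp", icmp_type=8),   # coerced workstation pings SalesB
    Packet("10.3.0.21", "10.1.0.10", "icmp", icmp_type=8),   # coerced workstation pings LAN1
    Packet("10.2.0.99", "10.2.0.10", "icmp", icmp_type=8),   # spoofed source outside the branch
    Packet("10.3.0.20", "203.0.113.10", "tcp", dport=80),     # legitimate web browsing
]


def dropped_at_router_a() -> int:
    """Attack packets RouterA's ACL drops (Fig. 6 plots this count per second)."""
    return len(ROUTER_A_OUT.apply(ATTACK_TRAFFIC)[1])


if __name__ == "__main__":
    for p in ATTACK_TRAFFIC:
        print(f"RouterA  {ROUTER_A_OUT.decide(p):6} {p.proto:4} {p.src} -> {p.dst}")
    print("dropped at RouterA:", dropped_at_router_a())
```

Running the block shows the four ping packets (three from the branch, one with a spoofed source) denied at RouterA and the web request permitted; the firewall policy lets the ESP tunnel carry database traffic while the same database port reached in the clear is dropped. The order of the entries is the security-relevant part: placing the catch-all permit first would silently disable both deny entries.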
B. Network Topology
This section describes the network topology used. The scenario is created on a world map in OPNET IT GURU. The topology contains 6 Ethernet workstations connected via an ethernet16 switch to RouterA (Ethernet4_slip8_gateway), forming a network; RouterA is in turn connected to the Internet. RouterB connects SalesB (an Ethernet workstation), and LAN1 is connected to the Internet through RouterE. All the workstations (except Attacker) and the LAN are assigned the Sales Person profile, so they can use database, HTTP web browsing and email. The Server is shielded by a firewall (Ethernet_slip8_firewall). VPNs are created between LAN1 and the Server and between SalesB and the Server. The firewall is configured to drop all database traffic, so that only SalesB and LAN1 can reach the database through their tunnels. The Attacker node is not assigned any profile, and a ping attack (a type of DoS attack) is simulated.
The Attacker node is configured to send IP ping traffic to the other workstations connected to the switch, and these workstations, together with the Attacker, in turn send IP ping traffic to SalesB. This creates a large number of request and reply packets in the network, which degrades network performance and increases the email download time, the HTTP page response time and the server's HTTP load. Two scenarios are used:
Scenario 1: withAttack_VPN (as shown in Figure 5)
Scenario 2: withFiltering_Router (same as Figure 5, with an additional extended access control list implemented at Routers A, B and E)




Fig. 5 Virtual Private Network scenario with ping attack (Scenario 1)

In the first scenario only the ping attack is run against the network. In the second scenario the routers are assigned access control lists to filter the traffic.
C. Results and Discussion
1) Traffic Dropped: In the first scenario, withAttack_VPN, no traffic is dropped, because the routers in this scenario pass all traffic. In the second scenario the extended ACL drops a large amount of traffic at RouterA, as shown in Fig. 6.

Fig. 6 Traffic dropped at RouterA (pkts/sec) versus simulation time (minutes)
2) Response Time: In the first scenario, with the attack and no filtering, the HTTP page response time reaches approximately 0.125 seconds, while in the second scenario its peak is approximately 0.111 seconds, as shown in Figure 7. The email download response time behaves similarly and is lower in the second scenario: its peak is only 0.135 s in the second scenario against 0.178 s in the first, as shown in Figure 8.

Fig. 7 HTTP page response time (sec) versus simulation time (min)


Fig. 8 Email download response time (sec) versus simulation time (minutes)

3) Firewall Processing Delay: As shown in Fig. 9, the firewall processing delay is higher in the first scenario, because the firewall has to inspect all the traffic, attack packets included, while in the second scenario it is lower because the edge routers have already dropped the attack traffic before it reaches the firewall.


Fig. 9 Processing delay at firewall (seconds) versus simulation time (minutes)

V. CONCLUSION AND FUTURE SCOPE
Although a VPN is a very secure network that lets a remote client reach a server at a different location, it still suffers from various attacks, and the DoS attack is harmful to the network. To protect the network from DoS attacks, a filtering scheme can be imposed at the edge of the network so that unwanted packets are dropped there. Filtering at the subscriber's edge router seems a good idea because it keeps attack traffic out of the VPN tunnel. But filtering also drops some traffic that is needed. So filtering can reduce congestion in the network and can prevent DoS attacks, but a technique that avoids dropping important data remains to be developed in future work.


REFERENCES
[1] Aruna Malik, Harsh K. Verma, Raju Pal, (2012) Impact of Firewall and VPN for securing WLAN, International Journal of Advanced Research in Computer Science and Software Engineering, vol. 2, issue 5, pp. 407-410.
[2] Olalekan Adeyinka, (2008) Analysis of problems associated with IPSec VPN Technology, Canadian Conference on Electrical and Computer Engineering (CCECE), pp. 1903-1908.
[3] Shashank Khanvilkar and Ashfaq Khokhar, (2004) Virtual Private Networks: An Overview with Performance Evaluation, IEEE Communications Magazine, vol. 42, no. 10, pp. 146-154.
[4] C. J. C. Pena and J. Evans, (2000) Performance Evaluation of Software Virtual Private Networks (VPN), Proc. 25th Annual IEEE Conf. on Local Computer Networks, pp. 522-523.
[5] Luís Henrique M. K. Costa, Serge Fdida, Otto Carlos M. B. Duarte, (2000) An Introduction to Virtual Private Networks: Towards D-VPNs, Networking and Information Systems Journal, vol. 3, no. 4, pp. 1-20.
[6] Bruce Schneier, (1999) Cryptanalysis of Microsoft's PPTP Authentication Extensions (MS-CHAPv2), CQRE '99, Springer-Verlag, pp. 192-203.
[7] (2006) NeoAccel SSL VPN-Plus: The Future of Virtual Private Networks, NeoAccel White Paper.
[8] S. S. Nagamuthu Krishnan, V. Saravanan, (2010) Defending Denial of Service: State Overload Attacks, Int. J. Advanced Networking and Applications, vol. 2, issue 3, pp. 719-722.
[9] Nikita Borisov, George Danezis, Prateek Mittal, Parisa Tabriz, (2007) Denial of Service or Denial of Security? How Attacks on Reliability can Compromise Anonymity, Proc. 14th ACM Conference on Computer and Communications Security, pp. 92-102.
[10] T. Peng, C. Leckie and K. Ramamohanarao, (2007) Survey of network-based defense mechanisms countering the DoS and DDoS problems, ACM Computing Surveys, vol. 39.
[11] Michael Glenn, (2003) A Summary of DoS/DDoS Prevention, Monitoring and Mitigation Techniques in a Service Provider Environment, SANS Institute, GSEC Practical Version 1.4b.
[12] Xiapu Luo, Edmond W. W. Chan, Rocky K. C. Chang, (2009) Detecting Pulsing Denial-of-Service Attacks with Nondeterministic Attack Intervals, EURASIP Journal on Advances in Signal Processing, pp. 1-13.
[13] S. Saraswathi, P. Yogesh, (2012) Mitigating Strategy to shield the VPN Service from DoS attack, International Journal on Cryptography and Information Security, vol. 2, no. 2, pp. 53-63.
