From: Michael K. <mic...@ip...> - 2025-08-08 03:39:32
Hi All,

We run pretty low memory on our hosted Astlinux systems, with about 100M available, and today we experienced an OpenVPN attack on a number of our systems. The attack consisted of around 1000 attempted logins between 9:26:43 and 9:29:31. This number of failed TLS attempts caused many of our systems to run out of memory, which became quite messy.

After doing some research, it appears the issue is:

* OpenVPN 2.4.12 has inherent memory management limitations with failed TLS connections.
* While CVE-2017-7521 was patched, the 2.4.x architecture still leaks memory during TLS exhaustion attacks.
* Each failed handshake leaves behind unfreed memory (~4-8KB), accumulating over thousands of attempts.

To fix this problem we need to upgrade to OpenVPN 2.5.x or 2.6.x and add the tls-auth directive. However, as this is not easy to do, what are my other options? Can I enable adaptive ban for OpenVPN? Implement rate limiting in iptables?

Thanks all.

Regards
Michael Knill
Managing Director
D: +61 2 6189 1360
P: +61 2 6140 4656
E: mic...@ip...
W: ipcsolutions.com.au
Smarter Business Communications
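The adaptive-ban style check the post asks about, as an added example that is not part of the original message or of AstLinux: it scans OpenVPN server log lines for failed TLS handshakes, keeps a sliding per-source window, and reports sources that cross a threshold so they can be fed to a firewall rule. The log line layout (timestamp, `addr:port`, message) is assumed to be OpenVPN's default server log format, and all sample lines and addresses are constructed.

```python
"""Flag sources producing bursts of failed OpenVPN TLS handshakes (added example)."""
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Assumed default OpenVPN log layout, e.g.
# "Fri Aug  8 09:26:43 2025 203.0.113.5:51234 TLS Error: TLS handshake failed"
LINE_RE = re.compile(
    r"^(?P<ts>\w{3} \w{3} +\d{1,2} \d{2}:\d{2}:\d{2} \d{4}) "
    r"(?P<src>\d{1,3}(?:\.\d{1,3}){3}):\d+ (?P<msg>TLS Error: .*)$"
)
FAILURE_MARKERS = ("TLS handshake failed", "TLS key negotiation failed")


def parse_failure(line):
    """Return (timestamp, source_ip) for a failed-handshake line, else None."""
    m = LINE_RE.match(line)
    if not m or not any(k in m["msg"] for k in FAILURE_MARKERS):
        return None
    return datetime.strptime(m["ts"], "%a %b %d %H:%M:%S %Y"), m["src"]


def flag_sources(lines, threshold=20, window=timedelta(minutes=1)):
    """Map source IP -> peak number of failures seen within any `window`, for
    sources that reached `threshold`; a legitimate client with a few retries
    never gets there, a handshake flood does within seconds."""
    recent = defaultdict(deque)  # per-source timestamps inside the window
    flagged = {}
    for line in lines:
        parsed = parse_failure(line)
        if parsed is None:
            continue
        ts, src = parsed
        q = recent[src]
        q.append(ts)
        while q and ts - q[0] > window:  # drop entries older than the window
            q.popleft()
        if len(q) >= threshold:
            flagged[src] = max(flagged.get(src, 0), len(q))
    return flagged


def make_line(ts, src, msg):  # builds a constructed log line in the assumed layout
    return f"{ts.strftime('%a %b %d %H:%M:%S %Y')} {src}:51234 {msg}"


# Constructed sample log: one flooding source (30 failures in 58 s) and one
# ordinary client with a single timeout plus an unrelated informational line.
START = datetime(2025, 8, 8, 9, 26, 43)
SAMPLE_LOG = [make_line(START + timedelta(seconds=2 * i), "203.0.113.5",
                        "TLS Error: TLS handshake failed") for i in range(30)]
SAMPLE_LOG += [make_line(START + timedelta(seconds=10), "198.51.100.7",
                         "TLS Error: TLS key negotiation failed to occur within 60 seconds"),
               make_line(START + timedelta(seconds=30), "198.51.100.7",
                         "TLS: Initial packet from [AF_INET]198.51.100.7:51234")]

if __name__ == "__main__":
    print(flag_sources(SAMPLE_LOG))  # {'203.0.113.5': 30}
```

In practice the flagged addresses would be appended to an iptables DROP rule or the adaptive-ban list for a cool-down period, and the threshold tuned so that a misconfigured client retrying a few times is not banned.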