[Astlinux-users] OpenVPN TLS Resource Exhaustion Event

SourceForge Headquarters 1320 Columbia Street Suite 310 San Diego, CA 92101 +1 (858) 422-6466

Hi All

We run pretty low memory on our hosted Astlinux systems with about 100M available and today we experienced an OpenVPN attack on a number of our systems.
The attack consisted of around 1000 attempted logins between the period of 9:26:43 to 9:29:31. This number of failed TLS attempts caused many of our systems to run out of memory which became quite messy.

After doing some research, it appears the issue is:

  *
OpenVPN 2.4.12 has inherent memory management limitations with failed TLS connections.
  *
While CVE-2017-7521 was patched, the 2.4.x architecture still leaks memory during TLS exhaustion attacks.
  *
Each failed handshake leaves behind unfreed memory (~4-8KB), accumulating over thousands of attempts.

To fix this problem we need to upgrade to OpenVPN 2.5.x or 2.6.x and add the tls-auth directive however as this is not easy to do, what are my other options.
Can I enable adaptive ban for OpenVPN? Implement rate limiting in iptables?

Thanks all.

Regards

Michael Knill

Managing Director

D: +61 2 6189 1360<tel:+61261891360>

P: +61 2 6140 4656<tel:+61261404656>

E: mic...@ip...<mailto:mic...@ip...>

W: ipcsolutions.com.au<https://ipcsolutions.com.au/>

 [Icon  Description automatically generated]

Smarter Business Communications