Back to Blog

Why VPN Concentrators Are High-Value DDoS Targets

A VPN concentrator is the convergence point for hundreds or thousands of encrypted tunnels. Every user connected to a given server depends on that single machine to encrypt, decrypt, and route their traffic. This architecture creates an unusually attractive DDoS target: taking down one concentrator does not affect one user. It affects every user whose tunnel terminates there.

Attackers understand this leverage. A 5 Gbps flood against a typical web server might degrade performance for visitors to a single website. The same 5 Gbps flood against a VPN concentrator handling 2,000 active tunnels drops 2,000 tunnels at once, and every client running a kill switch loses internet access entirely until it reconnects somewhere else. The impact per gigabit is dramatically higher, which means attackers need less bandwidth to cause significant disruption.

This makes VPN providers a frequent target for extortion campaigns, competitive attacks from rival providers, and ideologically motivated disruption. The business model depends on uptime and reliability. Users who get disconnected during an attack do not just wait patiently. They switch to a competitor.

The Reconnection Storm Problem

When a DDoS attack takes a concentrator offline, the immediate effect is a mass disconnection. Every user's tunnel drops. But the secondary effect is often worse than the attack itself: the reconnection storm.

VPN clients are designed to automatically reconnect when they lose connectivity. When a concentrator recovers from a brief attack (or when mitigation activates and legitimate traffic starts flowing again), every disconnected client attempts to reconnect simultaneously. The concentrator is hit with thousands of handshake initiation requests at the exact moment it is trying to recover.

For WireGuard, each reconnecting client sends a handshake initiation; to accept it the server must check the keyed BLAKE2s mac1, perform several Curve25519 Diffie-Hellman operations and ChaCha20-Poly1305 decryptions, and then compute a response. For OpenVPN, the full TLS handshake is more expensive still. For IPsec/IKEv2, each IKE_SA_INIT exchange costs a Diffie-Hellman computation and allocates state. Multiply any of these by 2,000 simultaneous clients and the concentrator can be overwhelmed by its own legitimate users before the attack traffic even resumes.

The reconnection storm is often more damaging than the initial attack. Attackers exploit this by sending short, repeated bursts rather than sustained floods, knowing that each burst triggers a recovery cycle that the concentrator struggles to handle.
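The storm described above is a client-side design problem as much as a server-side one. The simulation below is an added example (not code from the original post) with constructed numbers: 2,000 clients drop at once, the concentrator is assumed to finish at most 200 handshakes per second, and two client retry policies are compared. The "immediate" policy retries one second after every failure; the "jittered" policy spreads the first retry over ten seconds and then backs off exponentially with full jitter. The capacity, spread and backoff values are assumptions, not measurements.

```python
"""Reconnection-storm simulation (added example, not code from the original post).

All tunnels on a concentrator drop at t = 0. The server can complete at most
CAPACITY handshakes per second (assumed value); initiations beyond that in a
given second get no response and the client retries. Two client policies:

  immediate : every client retries one second after each failed attempt
  jittered  : first attempt spread uniformly over INITIAL_SPREAD seconds, then
              exponential backoff with full jitter, capped at MAX_BACKOFF
"""
import random
from collections import Counter

N_CLIENTS = 2000        # tunnels on the node (the post's own example figure)
CAPACITY = 200          # handshakes/second the node can finish (assumed)
INITIAL_SPREAD = 10.0   # seconds over which jittered clients spread the first retry
MAX_BACKOFF = 32.0      # cap on the backoff window, in seconds


def simulate(policy, n_clients=N_CLIENTS, capacity=CAPACITY, seed=1):
    """Run one recovery; return recovery time, peak and total initiations seen."""
    rng = random.Random(seed)
    if policy == "immediate":
        next_try = [0.0] * n_clients
    elif policy == "jittered":
        next_try = [rng.uniform(0, INITIAL_SPREAD) for _ in range(n_clients)]
    else:
        raise ValueError(policy)
    failures = [0] * n_clients
    connected = [False] * n_clients
    load = Counter()          # second -> initiations that reached the server
    t = 0
    while not all(connected):
        due = [i for i in range(n_clients)
               if not connected[i] and next_try[i] < t + 1]
        load[t] = len(due)
        rng.shuffle(due)      # the server does not favour any client
        for k, i in enumerate(due):
            if k < capacity:
                connected[i] = True
                continue
            failures[i] += 1
            if policy == "immediate":
                next_try[i] = t + 1
            else:
                cap = min(MAX_BACKOFF, 2.0 ** failures[i])
                next_try[i] = t + 1 + rng.uniform(0, cap)   # full jitter
        t += 1
    return {
        "seconds_to_recover": t,
        "peak_initiations_per_second": max(load.values()),
        "total_initiations": sum(load.values()),
    }


if __name__ == "__main__":
    for policy in ("immediate", "jittered"):
        print(policy, simulate(policy))
```

With the immediate policy the server sees all 2,000 initiations in the first second and then 1,800, 1,600 and so on: 11,000 handshake attempts to recover 2,000 tunnels. With jittered backoff the peak stays close to the node's capacity and the total number of attempts stays close to 2,000, because failed clients spread out instead of piling up. The same shape applies to any protocol's handshake; only the capacity figure changes.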

Protocol-Specific Attack Vectors

Attackers targeting VPN infrastructure do not just flood the server's IP with random traffic. They target the specific ports and protocols that VPN services depend on, because this traffic cannot be filtered without breaking the service.

WireGuard (UDP 51820): Because WireGuard operates exclusively over UDP, the concentrator must accept and process UDP packets on its listening port. An attacker flooding UDP 51820 with crafted packets forces the server to validate each one before it can tell whether the packet belongs to a legitimate peer. WireGuard's protocol-level defenses keep that validation cheap: every handshake message carries a mac1 keyed with the server's public key, so packets without a valid mac1 are discarded before any Diffie-Hellman work, and when the server is under load it replies with a cookie that the sender must echo back in mac2, which a spoofed source address cannot do. What those defenses cannot prevent is a flood of well-formed initiations from real addresses by an attacker who knows the server's public key, and every subscriber does. The server still cannot simply drop all UDP traffic to that port without disconnecting every user.

OpenVPN (UDP 1194 / TCP 443): OpenVPN deployments often run on TCP 443 to bypass firewalls, which means attack traffic targeting the OpenVPN port is indistinguishable from HTTPS traffic at the network layer. In UDP mode, OpenVPN faces the same problem as WireGuard. Its first line of defense is tls-auth or tls-crypt: packets that do not carry a valid HMAC under the pre-shared key are dropped before any TLS processing, which is cheap. The catch is that tls-auth and tls-crypt use one key shared by every client, so anyone holding a client profile can produce packets that pass the check; tls-crypt-v2 gives each client its own wrapped key, so a misused key can be rejected on its own.

IPsec/IKEv2 (UDP 500, 4500): IPsec concentrators must keep UDP ports 500 and 4500 open for IKE negotiation and NAT traversal. IKE_SA_INIT floods are effective because a naive responder allocates state and performs a Diffie-Hellman computation for each initiation, a direct CPU exhaustion vector. IKEv2's answer (RFC 7296, section 2.6) is the cookie exchange: under load the responder answers IKE_SA_INIT with a stateless COOKIE notification and only does the Diffie-Hellman work once the initiator repeats the request carrying that cookie, which defeats spoofed sources. Check that your IKE daemon has it enabled; it does not help against a botnet sending from real addresses.

Why CDNs Cannot Protect VPN Infrastructure

When a web application faces DDoS attacks, the standard response is to put it behind a CDN or cloud DDoS scrubbing service. The CDN absorbs the attack traffic, and only legitimate HTTP requests reach the origin server. This works because HTTP is a request-response protocol that CDNs are designed to proxy.

VPN traffic is fundamentally different. It consists of encrypted UDP or TCP tunnels carrying arbitrary user traffic. A CDN cannot cache, proxy, or inspect VPN tunnel traffic. There is no concept of a "legitimate request" that can be distinguished from an "attack request" at the CDN edge, because all traffic is encrypted end-to-end between the user's client and the concentrator.

This means VPN providers cannot outsource their DDoS protection to the same reverse-proxy services that protect web applications. The concentrator's public IP must be directly reachable by clients, and any DDoS mitigation must happen either at the network edge (upstream filtering, including layer 3/4 scrubbing services that take over the prefix via BGP and forward cleaned packets back over a tunnel) or on the concentrator itself. Upstream filtering can discard what is obviously junk, such as reflected amplification traffic or packets of the wrong size for the port, but it cannot tell one well-formed handshake from a flood of well-formed handshakes; only something that knows the protocol and the node's peer state can. There is no intermediary that can absorb the attack without the legitimate VPN traffic passing through it as well.

Per-Concentrator Agent-Based Detection

Because VPN infrastructure cannot be hidden behind proxies or CDNs, detection and mitigation must happen at the node level. Each concentrator needs its own traffic baseline and its own detection logic, tuned to its specific traffic profile.

A concentrator in Frankfurt handling 3,000 European users has a completely different traffic profile than a concentrator in Tokyo handling 500 users during Asian business hours. Network-wide aggregate baselines that average these together will miss targeted attacks on individual concentrators. When an attacker floods the Tokyo server with 2 Gbps, that might not even register as an anomaly against the aggregate traffic of 50 servers. But it is catastrophic for the 500 users on that node.

Agent-based detection solves this by running directly on each concentrator. The agent learns the normal traffic patterns for that specific node: baseline packet rates on VPN ports, expected handshake frequencies, typical source diversity, and protocol distribution. When an attack hits, the agent detects the deviation within seconds because it is comparing against a local baseline, not a global average.

This approach also enables protocol-aware classification. The agent can distinguish between legitimate WireGuard handshake initiation packets and flood traffic targeting the same port, because it understands the expected rate of new peer connections versus the current rate of initiation messages. A sudden spike in handshake initiations from IP addresses that are not existing peers is a strong signal of an attack, even if the total packet rate is modest.
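The classification logic described in the last two paragraphs, written out as an added example. This is not the post's or Flowtriq's code: it consumes constructed records of the form (timestamp_seconds, source_ip, udp_payload) for packets arriving on the node's WireGuard port, learns that node's normal initiation rate from a quiet window, and then labels each later second by comparing the initiation rate against the local baseline and checking whether the initiators are existing peers. The packet capture itself and the list of known peer endpoints are assumed to come from elsewhere (on a real node, the endpoints shown by `wg show wg0 endpoints`); the multiplier, floor and share thresholds are assumptions to tune per node.

```python
"""Per-node, protocol-aware detector for WireGuard handshake floods.

Added example, not code from the original post or from Flowtriq. Input records
are (timestamp_seconds, source_ip, udp_payload) tuples; sample traffic below is
constructed. Known peer endpoints are an input (assumed to be read from the
running interface on a real node).
"""
import statistics
from collections import Counter, defaultdict

# WireGuard framing: first byte is the message type, then three reserved zero
# bytes. Handshake messages have fixed sizes; a transport message is a 16-byte
# header plus at least the 16-byte AEAD tag.
WG_TYPES = {1: "initiation", 2: "response", 3: "cookie", 4: "transport"}
WG_FIXED_LEN = {1: 148, 2: 92, 3: 64}
WG_TRANSPORT_MIN = 32


def classify(payload: bytes) -> str:
    """Name the WireGuard message kind, or 'malformed' if the framing is wrong."""
    if len(payload) < 4 or payload[1:4] != b"\x00\x00\x00":
        return "malformed"
    kind = WG_TYPES.get(payload[0])
    if kind is None:
        return "malformed"
    if kind == "transport":
        return kind if len(payload) >= WG_TRANSPORT_MIN else "malformed"
    return kind if len(payload) == WG_FIXED_LEN[payload[0]] else "malformed"


class NodeDetector:
    """Baseline of initiations/second for one node, plus per-second verdicts."""

    def __init__(self, known_peers, rate_multiplier=5.0, min_rate=20, unknown_share=0.8):
        self.known_peers = set(known_peers)
        self.rate_multiplier = rate_multiplier  # alert above N x the local baseline
        self.min_rate = min_rate                # but never below this absolute floor
        self.unknown_share = unknown_share      # fraction of initiators that are not peers
        self.history = []

    @staticmethod
    def _bucket(records):
        counts, sources = Counter(), defaultdict(Counter)
        for ts, src, payload in records:
            if classify(payload) == "initiation":
                counts[int(ts)] += 1
                sources[int(ts)][src] += 1
        return counts, sources

    def learn(self, records):
        """Learn this node's normal initiation rate, counting quiet seconds as zero."""
        counts, _ = self._bucket(records)
        lo, hi = min(int(r[0]) for r in records), max(int(r[0]) for r in records)
        self.history = [counts[s] for s in range(lo, hi + 1)]

    def threshold(self):
        return max(self.min_rate, self.rate_multiplier * statistics.mean(self.history))

    def evaluate(self, records):
        """Return (second, initiations, unknown_fraction, verdict) for each active second."""
        counts, sources = self._bucket(records)
        thr = self.threshold()
        verdicts = []
        for sec in sorted(counts):
            n = counts[sec]
            unknown = sum(c for ip, c in sources[sec].items() if ip not in self.known_peers)
            frac = unknown / n
            if n > thr and frac >= self.unknown_share:
                verdict = "flood"                # spike, mostly from non-peers
            elif n > thr:
                verdict = "reconnection-storm"   # spike, but from our own peers
            elif frac >= self.unknown_share and n >= self.min_rate / 2:
                verdict = "suspicious"           # modest rate, wrong sources
            else:
                verdict = "normal"
            verdicts.append((sec, n, round(frac, 2), verdict))
        return verdicts


def wg_frame(msg_type: int) -> bytes:
    """Constructed frame of the right size for its type; the body is filler, not real crypto."""
    size = WG_FIXED_LEN.get(msg_type, WG_TRANSPORT_MIN)
    return bytes([msg_type, 0, 0, 0]) + b"\x00" * (size - 4)


KNOWN_PEERS = {f"203.0.113.{i}" for i in range(1, 51)}   # constructed peer endpoints


def build_samples():
    """Constructed traffic: 60 s of baseline, then one flood second and one storm second."""
    baseline = []
    for sec in range(60):
        for k in range(2):   # about two rekeys per second is normal on this node
            baseline.append((sec + 0.1 * k, f"203.0.113.{(2 * sec + k) % 50 + 1}", wg_frame(1)))
        baseline.append((sec + 0.5, "203.0.113.7", wg_frame(4)))
    attack = []
    for k in range(400):     # second 100: 400 initiations, none from a known peer
        attack.append((100 + k / 400, f"198.51.100.{k % 254 + 1}", wg_frame(1)))
    for k in range(40):      # second 101: 40 known peers all reconnecting at once
        attack.append((101 + k / 40, f"203.0.113.{k + 1}", wg_frame(1)))
    attack.append((102.0, "203.0.113.9", wg_frame(4)))
    return baseline, attack


if __name__ == "__main__":
    det = NodeDetector(KNOWN_PEERS)
    base, atk = build_samples()
    det.learn(base)
    print("threshold:", det.threshold())
    for row in det.evaluate(atk):
        print(row)
```

The two verdicts the detector separates matter for the response: a flood from non-peers is something the node can filter by source, while a reconnection storm from its own peers is load to be shed gently (queueing or backoff), not traffic to block. Transport packets never count toward the baseline, so a busy node with a steady stream of data but few handshakes still gets a tight threshold.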

Practical Steps for VPN Operators

Defending VPN concentrators against DDoS requires a layered approach that accounts for the unique constraints of VPN infrastructure:

  • Deploy per-node monitoring: Every concentrator needs independent traffic baseline monitoring. Aggregate network dashboards will not catch targeted attacks on individual servers.
  • Implement connection rate limiting at the kernel level: Use nftables or eBPF to rate-limit new handshake initiations per source IP without affecting established tunnels. This blunts both attacks and reconnection storms.
  • Pre-configure upstream null route triggers: For volumetric attacks that exceed the server's link capacity, have automated triggers ready to request upstream null routes or BGP blackholes for the targeted IP, with failover to a backup concentrator.
  • Design for graceful client migration: When a concentrator goes down, clients should automatically reconnect to a different server rather than hammering the same one. Your client software and DNS configuration should support this.
  • Separate management and VPN traffic: Ensure your monitoring and management access uses a different IP or out-of-band network so you can still reach the concentrator during an attack on the VPN IP.
  • Retain per-concentrator traffic logs: Post-attack forensics depend on having packet rate, protocol distribution, and source diversity data for the specific concentrator that was targeted.
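As an added example (not from the original post), the following nftables ruleset implements the kernel-level rate limit from the list above for WireGuard. It assumes the default port 51820 and IPv4 clients; the 2-per-minute rate, burst of 5 and 2-minute expiry are assumptions to tune to the node, and an equivalent ip6 set would be needed for IPv6 peers.

```nftables
#!/usr/sbin/nft -f
# Added example, not the post's or Flowtriq's configuration.
# Rate-limits WireGuard handshake initiations per source IP while leaving
# responses, cookie replies and transport packets (established tunnels) alone.
# Assumes the WireGuard listen port is 51820 and IPv4 peers.
table inet wg_guard {
    # One token bucket per source address; entries expire when a source goes quiet.
    set wg_init_limit {
        type ipv4_addr
        flags dynamic
        timeout 2m
    }

    chain input {
        type filter hook input priority -10; policy accept;

        # The WireGuard message type is the first payload byte, i.e. the byte
        # 64 bits into the transport header (after the 8-byte UDP header).
        # Type 1 = handshake initiation, always 148 bytes of payload, so the
        # UDP length field must read 156. Anything else claiming type 1 is junk.
        udp dport 51820 @th,64,8 == 1 udp length != 156 counter drop

        # Per-source limit on initiations: a burst of 5, then 2 per minute.
        # A healthy peer rekeys about every two minutes and retries an
        # unanswered handshake every 5 s, so it stays inside this budget.
        udp dport 51820 @th,64,8 == 1 \
            add @wg_init_limit { ip saddr limit rate over 2/minute burst 5 packets } counter drop

        # Types 2, 3 and 4 (response, cookie reply, transport) fall through to
        # the accept policy: existing tunnels are never touched here.
    }
}
```

Load it with `nft -f` and watch the `counter` values with `nft list ruleset` during a test to confirm legitimate peers are not being hit. Because this runs in the input hook, dropped packets never reach the WireGuard socket, so they cost no BLAKE2s or Curve25519 work at all. The main caveat is carrier-grade NAT: many subscribers can share one source address, so the per-source budget has to be sized for the number of peers you expect behind a single IP, or the rule will throttle real users during the very reconnection storm it is meant to soften.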

Built for VPN infrastructure. Flowtriq's agent deploys directly on each concentrator, building per-node baselines tuned to VPN traffic patterns. Detect attacks in seconds, trigger automated nftables mitigation, and keep your tunnels online. See how Flowtriq protects VPN providers or start your free trial.
