Hi All

We run pretty low memory on our hosted Astlinux systems with about 100M 
available and today we experienced an OpenVPN attack on a number of our systems.
The attack consisted of around 1000 attempted logins between the period of 
9:26:43 to 9:29:31. This number of failed TLS attempts caused many of our 
systems to run out of memory which became quite messy.

After doing some research, it appears the issue is:

  * OpenVPN 2.4.12 has inherent memory management limitations with failed TLS connections.
  * While CVE-2017-7521 was patched, the 2.4.x architecture still leaks memory during TLS exhaustion attacks.
  * Each failed handshake leaves behind unfreed memory (~4-8KB), accumulating over thousands of attempts.

To fix this problem we need to upgrade to OpenVPN 2.5.x or 2.6.x and add the 
tls-auth directive; however, as this is not easy to do, what are my other options?
Can I enable adaptive ban for OpenVPN? Implement rate limiting in iptables?

Thanks all.


Regards



Michael Knill

Managing Director



D: +61 2 6189 1360

P: +61 2 6140 4656

E: [email protected]

W: https://ipcsolutions.com.au/


Smarter Business Communications


_______________________________________________
Astlinux-users mailing list
[email protected]
https://lists.sourceforge.net/lists/listinfo/astlinux-users
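As an added illustration of the "adaptive ban" option raised in the post (this is example code, not AstLinux's own adaptive-ban script), the following sliding-window counter parses OpenVPN server log lines for failed TLS handshakes and returns the source addresses that exceed a failure threshold within a time window. It assumes the default OpenVPN log prefix "<timestamp> <ip>:<port> TLS Error: ..." and uses a constructed sample log; the returned addresses are what a firewall hook (an iptables DROP rule or ipset entry) would act on.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Matches the default OpenVPN server log prefix "<timestamp> <ip>:<port> TLS Error: ..."
# (assumption: standard OpenVPN timestamps, not a syslog-rewritten format).
LOG_RE = re.compile(
    r"^(?P<ts>\w{3} \w{3} +\d{1,2} \d{2}:\d{2}:\d{2} \d{4}) "
    r"(?P<ip>\d{1,3}(?:\.\d{1,3}){3}):\d+ TLS Error:"
)

# Constructed sample log: one source hammering the port, one with only sparse failures.
SAMPLE_LOG = """\
Tue Jun 10 09:26:43 2025 203.0.113.5:51234 TLS Error: TLS handshake failed
Tue Jun 10 09:26:44 2025 203.0.113.5:51235 TLS Error: TLS handshake failed
Tue Jun 10 09:26:45 2025 198.51.100.7:40001 TLS Error: TLS handshake failed
Tue Jun 10 09:26:46 2025 203.0.113.5:51236 TLS Error: TLS handshake failed
Tue Jun 10 09:26:47 2025 203.0.113.5:51237 TLS Error: TLS handshake failed
Tue Jun 10 09:26:48 2025 203.0.113.5:51238 TLS Error: TLS handshake failed
Tue Jun 10 09:30:00 2025 198.51.100.7:40002 TLS Error: TLS handshake failed
Tue Jun 10 09:30:05 2025 198.51.100.9:1194 Peer Connection Initiated with [AF_INET]198.51.100.9:1194
""".splitlines()

def parse_failures(lines):
    """Yield (timestamp, source_ip) for each failed-TLS line; other lines are ignored."""
    for line in lines:
        m = LOG_RE.match(line)
        if m:
            ts = datetime.strptime(m.group("ts"), "%a %b %d %H:%M:%S %Y")
            yield ts, m.group("ip")

def offenders(lines, threshold=5, window_seconds=60):
    """Return {ip: time_threshold_crossed} for sources with >= threshold
    TLS failures inside any sliding window of window_seconds."""
    window = timedelta(seconds=window_seconds)
    recent = defaultdict(deque)   # per-IP timestamps still inside the window
    banned = {}
    for ts, ip in parse_failures(lines):
        if ip in banned:          # already flagged; nothing more to learn
            continue
        q = recent[ip]
        q.append(ts)
        while ts - q[0] > window:  # drop failures that aged out of the window
            q.popleft()
        if len(q) >= threshold:
            banned[ip] = ts
    return banned
```

With the defaults, 203.0.113.5 is flagged at 09:26:48 (its fifth failure inside 60 s) while 198.51.100.7, whose two failures are minutes apart, is not.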
