Characterizing the VPN Ecosystem in the Wild
AI-generated Key Points
- COVID-19 pandemic has led to an increase in VPN usage globally
- Measuring traffic and security aspects of VPN ecosystem is now more important than ever
- Detecting and characterizing VPN traffic remains challenging due to some protocols using the same port number as web traffic
- Paper aims at detecting and characterizing VPN servers in the wild to facilitate identifying VPN traffic
- 9.8 million VPN servers distributed globally using OpenVPN, SSTP, PPTP, and IPsec protocols were identified through Internet-wide active measurements
- SSTP protocol is the most vulnerable among those detected with over 90% of servers being vulnerable to TLS downgrade attacks
- 2% of all servers that respond to their VPN probes also respond to HTTP probes and are classified as Web servers.
- The list of VPN servers was used to identify VPN traffic in a large European ISP's network, where 2.6% of all traffic was related to these VPN servers.
- Research provides valuable insights into the state of security for VPN solutions used by individuals and organizations worldwide.
Authors: Aniss Maghsoudlou, Lukas Vermeulen, Ingmar Poese, Oliver Gasser
Abstract: With the shift to working remotely after the COVID-19 pandemic, the use of Virtual Private Networks (VPNs) around the world has nearly doubled. Therefore, measuring the traffic and security aspects of the VPN ecosystem is more important now than ever. It is, however, challenging to detect and characterize VPN traffic since some VPN protocols use the same port number as web traffic and port-based traffic classification will not help. VPN users are also concerned about the vulnerabilities of their VPN connections due to privacy issues. In this paper, we aim at detecting and characterizing VPN servers in the wild, which facilitates detecting the VPN traffic. To this end, we perform Internet-wide active measurements to find VPN servers in the wild, and characterize them based on their vulnerabilities, certificates, locations, and fingerprinting. We find 9.8M VPN servers distributed around the world using OpenVPN, SSTP, PPTP, and IPsec, and analyze their vulnerability. We find SSTP to be the most vulnerable protocol with more than 90% of detected servers being vulnerable to TLS downgrade attacks. Of all the servers that respond to our VPN probes, 2% also respond to HTTP probes and therefore are classified as Web servers. We apply our list of VPN servers to the traffic from a large European ISP and observe that 2.6% of all traffic is related to these VPN servers.
Ask questions about this paper to our AI assistant
You can also chat with multiple papers at once here.
Assess the quality of the AI-generated content by voting
Why do we need votes?
Votes are used to determine whether we need to re-run our summarizing tools. If the count reaches -10, our tools can be restarted.
Look for similar papers (in beta version)
By clicking on the button above, our algorithm will scan all papers in our database to find the closest based on the contents of the full papers and not just on metadata. Please note that it only works for papers that we have generated summaries for and you can rerun it from time to time to get a more accurate result while our database grows.
Disclaimer: The AI-based summarization tool and virtual assistant provided on this website may not always provide accurate and complete summaries or responses. We encourage you to carefully review and evaluate the generated content to ensure its quality and relevance to your needs.