Can You Get DDoSed with a VPN: Here’s the Truth

While VPN’s have been in service in the business sector for decades, there has been a recent boom in commercial VPN services available to consumers. With a rise in DDoS attacks, more and more people are asking: can a VPN protect me from a DDoS attack?

It is extremely difficult for an attacker to successfully DDoS a target if they are using a VPN. There is no perfect defense against DDoS attacks, but a VPN provides excellent defense for average users.

That’s just a quick answer. The more detailed answer has to do with how DDoS attacks actually work, how VPN’s actually provide protection, and the type of VPN that is being used. We’ll cover all of that and more below.

The Nuts and Bolts of a DDoS Attack

Before we can even begin talking about how VPN’s provide protection, we first have to understand what a DDoS attack is and how it works. We won’t get super technical, but rather just give a quick overview.

DDoS stands for “Distributed Denial of Service” and is essentially a brute force attack. It works, at the simplest level, by just throwing a huge amount of traffic at the host. The immense amount of traffic overwhelms the host’s resources, causing their service to be unreachable by other users.

DDoS attacks can target any device connected to the internet, including:

• Websites
• Gaming servers
• Commercial and business servers
• Individual computers

For example, if a DDoS attack was targeted at a website, the attacker would simply use their computer (or multiple computers) to send a bunch of dummy traffic to the site. The site uses all its resources trying to process the dummy traffic, and as a consequence, legitimate traffic is unable to get through.

More advanced techniques take advantage of methods like:

• Spoofing different types of traffic packets
• Using “DNS Amplification” to further exhaust the host’s resources
• Diversifying the attack by using multiple methods at once

How VPN’s Provide Protection

So, now that we have a basic understanding of how DDoS attacks work, let’s talk about how a VPN manages to help defend against them. VPN’s are pretty commonplace these days, but in case you don’t understand how they work, we’ll give a very quick and basic summary.

A VPN service acts, essentially, as a middleman which anonymizes and/or spoofs your traffic. For example, if you are using a VPN and browsing the web:

• Your traffic first goes to the VPN service
• They then anonymize it and route it through one of their servers
• The website receives your traffic, then sends back its own traffic
• The VPN again routes this through their servers and back to you

A good VPN hides all of your data, including your IP address or location.

That, in basic form, is how a VPN protects you from a DDoS attack — if they don’t have your IP address, then they can’t target you. They could potentially try and hit the VPN’s server with a DDoS attack, so that’s what we’ll talk about next.

Can a VPN Be Targeted by a DDoS attack?

Say you become the target of a DDoS attack, but you’re using a VPN. Since they can’t get to you, could they instead attack your VPN service?

Technically, they could launch a DDoS attack at your VPN provider, but an attack of that scale requires a huge amount of resources and has a high probability of failure, so it’s very rare. That amount of effort isn’t something a random person online is going to do; you would have to be an extremely high-value target to make it worthwhile.

If they don’t realize you are using a VPN and launch an attack anyway, there will be minimal consequence to you, if any. The most likely outcome is that they’ll just get frustrated and give up because of the VPN’s defenses, which we’ll discuss below.

VPN’s Screen Traffic

Any good VPN has a multilayered defense against DDoS attacks, since they come in many forms. The first, and perhaps most basic, of them is screening the traffic that comes in.

For example, as a knowledgeable user on /r/VPN points out:

“They can set their firewall easily to drop packets that are not part of connections initiated from inside; that will stop DDoS attacks in their tracks.”

A solution as simple as that can seriously cripple basic attacks on a VPN’s service. Other techniques include:

• Routing illegitimate traffic into a “black hole”, a dead end that drops the traffic
• Diffusing extra traffic into other servers — think of it like opening extra doors for customers if the first door is clogged up
• Limiting the number of requests that the server will even process in a given timeframe (Though experts say this is not sufficient alone to handle a good DDoS attack)

Defense Through Architecture

Another method that VPN and other network servers use to mitigate DDoS attacks is simply to organize the servers in such a way that DDoS attacks are impossible, or at least extremely difficult, to even attempt.

If the first methods we discussed are like installing multiple security systems on your house, then the architectural defense is like removing the front door entirely.

There are a few ways to accomplish this, but the easiest way is just to not have any ports open on the server which their users’ traffic is coming from. If there is no entry point, they can’t exactly cram the doorway.

All of these defenses make commercial VPN services nearly untouchable for the small-scale DDoS attacks which you are most likely to come across. Sure, a determined attacker with a ton of resources could theoretically DDoS an entire section of a VPN service just to knock you offline — but you’re very, very unlikely to ever have that happen specifically to you.

Use Extra Caution, Even with a VPN

Even with a VPN, you need to keep in mind good security practices while doing anything online. Remember that a VPN only protects you by hiding your IP address from potential attackers. If an attacker gets a hold of your IP through other means, then your VPN can’t protect you any longer, since they can now target you directly.

How could they still get a hold of your VPN? Well, there are a few methods to watch out for:

• Your VPN service could be selling your data
• Your VPN service could just be poorly set up, allowing potential attackers to see your IP unintentionally
• You could be sent a link to a website that logs your IP, even if you are using a VPN (though web browsers like Chrome are getting better and better at blocking all types of these attacks)
• You could be sent malware in the form of a game, video file, or otherwise (you could even download malware when connecting to a game server)
• They could use social engineering to convince the VPN itself to release your records which detail your IP and other personal details

As you can see, a VPN alone won’t protect you. Granted, some of those methods are very difficult and carry serious legal risk, but they are still potential avenues for a dedicated attacker to get to you. You still need to be alert and aware. Using common-sense practices, like not opening files from sources you don’t trust, is still essential.

What Does This Mean for Me?

That’s a lot of information all at once. Here’s a summary of the key points and what this means in practical terms for you:

• Commercial VPN’s provide great protection against nearly all DDoS attacks
• Make sure you go with a well-rated and successful VPN provider
• Don’t open any files from untrusted sources
• Don’t connect to untrusted game or file servers
• Understand that no VPN is “bulletproof”, but they still provide plenty of protection for normal users

With that in mind, find yourself a great VPN service and enjoy knowing that you are well protected from DDoS attacks!