Tunnelpocalypse: Potentially Weaponizing 4.3 Million Endpoints for DDoS Attacks

August 18, 2025

In February 2025, researchers from KU Leuven released their research on the insecurity of tunneling protocols, highlighting a new set of vulnerabilities and DDoS attack techniques. These vulnerabilities are colloquially referred to as “Tunnelpocalypse” and will likely be seen in future attacks. Their research revealed that over 4.3 million internet hosts can be weaponized as one-way proxies for DDoS attacks that evade countermeasures by encapsulating attack traffic inside tunneling protocols such as IP-in-IP, Generic Routing Encapsulation, 4in6, and 6in4. This discovery exposes systematic weaknesses in the insecure default installations of unprotected tunneling protocols that some platforms enable out of the box. These weaknesses allow attackers to use innovative techniques to launch DDoS attacks.

The implications extend far beyond more traditional types of DDoS attacks. This research demonstrated a technique that threat actors can use to bypass geographic restrictions, conduct sophisticated spoofing campaigns, and even crash critical network devices and services through multi-encapsulated tunneled traffic.

Understanding Tunneling Protocols and Their Critical Flaws

Tunneling protocols create pathways for data transmission across networks by encapsulating one protocol within another. These protocols serve essential functions in modern networking, enabling flexible communications across untrusted networks and facilitating network transitions. However, when implemented without proper authentication mechanisms and when enabled by default in servers, routers, and other platforms, they become dangerous attack vectors.

The research conducted by KU Leuven focused on four primary tunneling protocols that present the greatest security risks for tunneling attacks.

IP-in-IP Vulnerabilities

IPIP (IP-in-IP) tunneling encapsulates IPv4 packets within other IPv4 packets, creating virtual point-to-point connections across intermediate networks. Standardized in 1996 as RFC 2003, IPIP was designed to connect separate private networks through public infrastructure like the Internet.

The protocol’s fundamental weakness lies in its simplicity. The outer IP header contains source and destination information, while the inner, encapsulated packet remains largely unmodified except for Time To Live (TTL) field adjustments. IPIP requires minimal configuration but offers no built-in authentication or encryption mechanisms; these capabilities are often layered on top with IPsec. When hosts accept and forward arbitrary encapsulated traffic from unauthorized sources, they essentially become open relays for attackers.

This lack of authentication allows attackers to inject malicious traffic that appears legitimate to receiving hosts, making IPIP tunnels prime targets for abuse.

GRE Protocol Exploitation

Generic Routing Encapsulation (GRE) provides more flexibility than IPIP by supporting multiple protocol types and including additional header information for routing decisions. At DigiCert, we use GRE for UltraDDoS Protect to return “clean” network traffic to customers after we have blocked DDoS packets.

GRE adds a custom header before encapsulating the inner packet, enabling more sophisticated network configurations. However, this flexibility comes at a security cost. Many GRE implementations operate without proper authentication, allowing attackers to inject malicious traffic that bypasses security controls. The protocol’s versatility makes it particularly attractive for abuse scenarios, as attackers can encapsulate various traffic types to evade detection.

The lack of source validation in many GRE deployments means that hosts will forward encapsulated traffic based solely on destination headers rather than verifying sender legitimacy.

6in4 and 4in6 Protocol Risks

6in4 tunneling encapsulates IPv6 packets within IPv4 headers, enabling IPv6 connectivity across IPv4-only infrastructure. This transition technology became widely deployed as organizations migrated to IPv6 while maintaining backward compatibility with existing systems.

The dual-stack nature of 6in4 creates complex attack vectors where malicious IPv6 traffic can bypass IPv4-focused security controls. Organizations that implement security policies primarily around IPv4 may find their defenses inadequate against IPv6-encapsulated attacks.

Conversely, 4in6 tunneling encapsulates IPv4 packets within IPv6 headers, helping maintain connectivity with legacy IPv4 systems as IPv6 adoption increases. Both protocols often lack robust authentication mechanisms, making them susceptible to abuse by sophisticated threat actors who understand their implementation weaknesses.

Detecting Tunnel Hosts with Large-Scale Internet Scanning

The KU Leuven research team used a modified version of ZMap, a high-speed network scanner, to conduct comprehensive internet-wide reconnaissance. Their scanning methodology involved sending crafted tunnel packets to identify hosts that would decapsulate and forward an ICMP ping without any authentication or verification of the sender. They also tested whether each endpoint would forward inner packets carrying spoofed source IP addresses, a capability that gives attackers much more flexibility in the types of DDoS attacks they can launch.

This systematic approach revealed the staggering scope of vulnerable infrastructure across the internet. The scanning identified hosts that function essentially as open relays, forwarding tunneled traffic based solely on destination headers rather than implementing proper source validation.

The results were alarming: approximately 4,263,193 active tunneling gateways were discovered that could be manipulated into forwarding arbitrary traffic. This massive infrastructure of vulnerable hosts creates an unprecedented opportunity for attackers to coordinate large-scale distributed attacks while completely masking their true origins.

The geographic distribution of these vulnerable hosts spans globally, providing attackers with extensive options for routing malicious traffic through trusted network regions and IP ranges.

Launching DDoS Attacks Through Tunnel Infrastructure

Traditional DDoS mitigation strategies rely heavily on geographic filtering, source IP reputation analysis, and rate limiting based on apparent traffic origins. However, tunnel-based attacks fundamentally undermine these defensive approaches by enabling sophisticated traffic laundering techniques.

Evading Geographic Restrictions

Attackers can route malicious traffic through vulnerable hosts located in trusted geographic regions, making attacks appear to originate from legitimate locations. This geographic laundering effectively bypasses geo-blocking protections that many organizations depend on for preliminary attack filtering.

The distributed nature of vulnerable tunneling hosts provides attackers with extensive options for traffic routing. By carefully selecting intermediate hosts based on their geographic locations and network affiliations, attackers can craft attacks that appear to come from highly reputable sources.

Furthermore, the distributed nature of tunnel abuse makes attack attribution extremely difficult. Security teams struggle to distinguish between legitimate tunneled traffic and malicious flows, creating significant blind spots in monitoring and response capabilities.

Triggering Other Attacks: Amplification and Reflection DDoS

Tunnel abuse is not limited to credential stuffing (discussed below); it also facilitates other types of malicious activity, such as amplification and reflection Distributed Denial of Service (DDoS) attacks. Attackers leverage the infrastructure provided by tunnels to spoof traffic, making it appear as though requests originate from legitimate sources. This allows them to exploit vulnerable servers or protocols (such as DNS or NTP) that amplify response sizes significantly.

Reflection attacks take this a step further by bouncing the amplified traffic off these systems onto the intended target. The use of tunnels obscures the attacker’s location and complicates mitigation efforts, as defenders are often left chasing misleading signals. This ability to disguise traffic origin and exploit amplification vectors elevates the severity of tunnel abuse, turning it into a powerful tool for orchestrating high-impact DDoS campaigns.

Credential Stuffing and Fraud

Threat actors can use tunnel-based routing not only for DDoS attacks but also for account takeover campaigns. By making credential stuffing attempts appear to come from diverse, legitimate IP ranges, they evade detection methods like rate limiting. Credential stuffing exploits stolen login credentials, often from data breaches, to gain unauthorized access by testing reused passwords across multiple platforms.

The consequences range from fraudulent transactions to identity theft, impacting sectors like finance, healthcare, retail, and entertainment. To defend against these attacks, organizations should implement multi-factor authentication (MFA), monitor for unusual login patterns, and educate users on creating strong, unique passwords. Proactive measures are essential to mitigate this growing threat.

Advanced DDoS Techniques

The research uncovered two novel amplification techniques that significantly multiply attack effectiveness while requiring minimal initial bandwidth investment from attackers.

Ping-Pong Attacks

Ping-Pong attacks create traffic loops between multiple vulnerable tunneling hosts. By carefully crafting packets with nested tunneling headers with specific source and destination configurations, attackers can cause traffic to bounce repeatedly between compromised systems.

Each loop iteration consumes network resources at intermediate points, generating substantial amplification effects. The technique creates distributed resource exhaustion that proves difficult to trace and mitigate, as the attack traffic appears to originate from legitimate tunneling infrastructure rather than malicious sources.

The amplification factor achieved through Ping-Pong attacks can be substantial, allowing attackers to generate significant traffic volumes while maintaining minimal direct bandwidth usage. This makes the technique particularly attractive for resource-constrained attackers seeking maximum impact.

Tunneled Temporal Lensing (TuTL) Attacks

TuTL represents a sophisticated timing-based amplification method that leverages latency over multiple tunneling hops to cause packets sent over a short period to arrive simultaneously and overwhelm target systems.

This temporal concentration creates intense traffic bursts that overwhelm target systems designed to handle steady-state loads rather than sudden traffic spikes. The timing precision and latency sampling required make TuTL attacks technically challenging to execute, but when implemented correctly, they prove devastatingly effective.

Defense Strategies for Tunneled DDoS Attacks

Organizations facing tunnel-based attack threats need comprehensive protection strategies that address both traditional and emerging attack vectors. Conventional IP-based filtering provides insufficient protection against sophisticated adversaries leveraging vulnerable tunneling infrastructure.

Access Control Lists for Tunneling Protocols

Implementing strict Access Control Lists (ACLs) for both incoming and outgoing tunneling protocols represents a fundamental defensive measure. Organizations should explicitly define which systems are authorized to establish tunnel connections and block unauthorized tunnel traffic at network perimeters.

These ACLs must cover all relevant tunneling protocols, including IPIP, GRE, 6in4, and 4in6. Default-deny policies ensure that only explicitly authorized tunneling traffic can traverse network boundaries, reducing the attack surface available to potential threats.
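As an added example (not code from the KU Leuven paper or from DigiCert), the following Python dissects the four encapsulations described earlier (IPIP, GRE, 6in4 and 4in6) directly from raw packet bytes and then applies the default-deny tunnel ACL this section recommends: any tunneled packet whose outer source is not a configured tunnel peer, or that nests more than one encapsulation layer, is reported with a drop reason. The packet bytes, the peer address (203.0.113.10), the depth limit and all helper names are constructed assumptions, using documentation address ranges only.

```python
"""Dissect IPIP, GRE, 6in4 and 4in6 encapsulation and enforce a tunnel ACL.

Added example, not code from the KU Leuven paper or from DigiCert. Packet
bytes are constructed in-line from documentation address ranges; the peer
allowlist and all helper names are assumptions for illustration.
"""
import ipaddress
import struct

# IP protocol numbers / IPv6 next-header values carried by the four tunnel types
PROTO_IPIP = 4      # IPv4 inside IPv4 (RFC 2003) and IPv4 inside IPv6 (4in6)
PROTO_IPV6 = 41     # IPv6 inside IPv4 (6in4)
PROTO_GRE = 47      # Generic Routing Encapsulation
ETHERTYPE_IPV4 = 0x0800
ETHERTYPE_IPV6 = 0x86DD


def ipv4_header(src, dst, proto, payload, ttl=64):
    """Minimal 20-byte IPv4 header in front of payload (checksum left zero: test data)."""
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(payload), 0, 0, ttl, proto, 0,
                      ipaddress.IPv4Address(src).packed, ipaddress.IPv4Address(dst).packed)
    return hdr + payload


def ipv6_header(src, dst, next_header, payload, hop_limit=64):
    """40-byte IPv6 header in front of payload."""
    hdr = struct.pack("!IHBB16s16s", 0x60000000, len(payload), next_header, hop_limit,
                      ipaddress.IPv6Address(src).packed, ipaddress.IPv6Address(dst).packed)
    return hdr + payload


def gre_header(ethertype, payload):
    """4-byte GRE header with no optional fields (flags = 0) in front of payload."""
    return struct.pack("!HH", 0, ethertype) + payload


def _parse_ip(data):
    """Return (version, src, dst, proto, rest) for one IP header, or None if not IP."""
    if data and data[0] >> 4 == 4 and len(data) >= 20:
        ihl = (data[0] & 0x0F) * 4
        return (4, ipaddress.IPv4Address(data[12:16]), ipaddress.IPv4Address(data[16:20]),
                data[9], data[ihl:])
    if data and data[0] >> 4 == 6 and len(data) >= 40:
        return (6, ipaddress.IPv6Address(data[8:24]), ipaddress.IPv6Address(data[24:40]),
                data[6], data[40:])
    return None


def dissect(packet):
    """Peel encapsulation layers outermost-first.

    Returns a list of dicts with "kind" in {"ipip", "6in4", "4in6", "gre", "inner"};
    "inner" is the first header that is not itself a tunnel.
    """
    layers, data = [], packet
    while (parsed := _parse_ip(data)) is not None:
        version, src, dst, proto, rest = parsed
        if proto == PROTO_GRE and len(rest) >= 4:
            flags, _ethertype = struct.unpack("!HH", rest[:4])
            # C, K and S flag bits each add a 4-byte optional field after the base header
            opt_len = 4 * sum(1 for bit in (0x8000, 0x2000, 0x1000) if flags & bit)
            layers.append({"kind": "gre", "src": src, "dst": dst})
            data = rest[4 + opt_len:]
        elif proto == PROTO_IPIP:
            layers.append({"kind": "ipip" if version == 4 else "4in6", "src": src, "dst": dst})
            data = rest
        elif proto == PROTO_IPV6 and version == 4:
            layers.append({"kind": "6in4", "src": src, "dst": dst})
            data = rest
        else:
            layers.append({"kind": "inner", "src": src, "dst": dst, "proto": proto})
            break
    return layers


def audit(packet, allowed_peers, max_depth=1):
    """Default-deny tunnel ACL: return a drop reason, or None if the packet may pass."""
    tunnels = [layer for layer in dissect(packet) if layer["kind"] != "inner"]
    if not tunnels:
        return None                       # not encapsulated; the tunnel ACL does not apply
    outer = tunnels[0]
    if outer["src"] not in allowed_peers:
        return f"{outer['kind']} from unauthorized peer {outer['src']}"
    if len(tunnels) > max_depth:
        return f"nested encapsulation depth {len(tunnels)} exceeds {max_depth}"
    return None


# Assumed configuration: the one peer this host has a tunnel agreement with
ALLOWED_PEERS = {ipaddress.ip_address("203.0.113.10")}

# Constructed sample packets (inner payloads are ICMP echo stubs)
INNER_V4 = ipv4_header("10.0.0.5", "10.0.1.7", 1, b"\x08\x00" + b"\x00" * 6)
INNER_V6 = ipv6_header("2001:db8::1", "2001:db8::2", 58, b"\x80\x00" + b"\x00" * 6)
PKT_IPIP_OK = ipv4_header("203.0.113.10", "198.51.100.1", PROTO_IPIP, INNER_V4)
PKT_IPIP_BAD = ipv4_header("192.0.2.99", "198.51.100.1", PROTO_IPIP, INNER_V4)
PKT_GRE = ipv4_header("192.0.2.99", "198.51.100.1", PROTO_GRE, gre_header(ETHERTYPE_IPV6, INNER_V6))
PKT_6IN4 = ipv4_header("203.0.113.10", "198.51.100.1", PROTO_IPV6, INNER_V6)
PKT_4IN6 = ipv6_header("2001:db8::9", "2001:db8::2", PROTO_IPIP, INNER_V4)
PKT_NESTED = ipv4_header("203.0.113.10", "198.51.100.1", PROTO_IPIP, PKT_IPIP_BAD)

if __name__ == "__main__":
    samples = [("ipip-ok", PKT_IPIP_OK), ("ipip-bad", PKT_IPIP_BAD), ("gre", PKT_GRE),
               ("6in4", PKT_6IN4), ("4in6", PKT_4IN6), ("nested", PKT_NESTED), ("plain", INNER_V4)]
    for name, pkt in samples:
        print(f"{name:9s} {[layer['kind'] for layer in dissect(pkt)]} -> {audit(pkt, ALLOWED_PEERS)}")
```

The dissector deliberately treats the first non-tunnel header as the end of the walk, so a GRE payload that is not IP simply ends the layer list; a production filter would additionally match on the protocol numbers 4, 41 and 47 at the perimeter so that unexpected encapsulation never reaches a decapsulating host at all.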

Infrastructure Updates and Equipment Hardening

Older on-premises equipment, particularly routers and broadband modems, often contains vulnerable tunneling implementations (commonly GRE, 6in4, and 4in6) that lack proper authentication mechanisms. Organizations should prioritize updating or upgrading these systems to versions that implement robust tunnel security controls.

Web servers and other internet-facing infrastructure also require evaluation for tunneling protocol vulnerabilities, especially for IPIP. Systems that inadvertently accept and process tunneled traffic can become unwitting participants in attack campaigns targeting other organizations.

Regular security assessments should specifically examine tunneling protocol implementations and configurations to identify potential abuse vectors before attackers can exploit them.

BCP38 and Blocking IP Address Spoofing

Best Current Practice (BCP) 38, also called “Network Ingress Filtering,” is a critical guideline for network operators designed to combat IP address spoofing, a tactic frequently exploited in tunneling attacks and distributed denial-of-service (DDoS) attacks. Spoofed packets, which mask their true source, are often used by attackers to bypass security measures or amplify their attacks. By implementing BCP38, networks can verify the source IP addresses of incoming packets and block traffic originating from spoofed or invalid sources.

This is particularly important because many tunneling attacks rely on spoofed packet sources to infiltrate networks or obfuscate their malicious activity. Deploying BCP38 at the edges of networks, where traffic enters and exits, establishes filtering rules that allow only legitimate, verifiable IP traffic that comes from the appropriate source network. This significantly reduces an attacker’s ability to use spoofed IP addresses to carry out their operations.

When widely adopted, BCP38 not only helps mitigate tunneling attacks but also strengthens the overall security of the internet and blocks many classes of DDoS attacks. Network operators such as Internet Service Providers (ISPs) should implement BCP38 as part of a robust network security strategy, ensuring that their networks cannot be leveraged by attackers relying on spoofed traffic.
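The following Python is an added example, not code from the page or from any network vendor, that models BCP38 ingress filtering as a per-interface source-prefix check and extends the same idea to a tunnel endpoint, which should also validate the inner source of a decapsulated packet against what that specific peer is allowed to originate. Interface names, prefix assignments and the sample records are constructed assumptions using documentation ranges.

```python
"""BCP38-style ingress filtering, including the inner source of tunneled packets.

Added example, not code from the page or any vendor. Interface names,
prefix assignments and sample records are constructed assumptions
(documentation ranges only).
"""
import ipaddress
from collections import namedtuple

Verdict = namedtuple("Verdict", ["action", "reason"])


class IngressFilter:
    """Per-interface source validation in the spirit of BCP38 (RFC 2827).

    Each customer-facing interface is bound to the prefixes assigned to that
    customer; a packet whose source is outside them is treated as spoofed.
    """

    def __init__(self):
        self._iface_prefixes = {}   # interface -> [ip_network]
        self._peer_inner = {}       # tunnel peer address -> [ip_network] it may source inside the tunnel

    def bind(self, interface, prefixes):
        self._iface_prefixes[interface] = [ipaddress.ip_network(p) for p in prefixes]

    def bind_tunnel_peer(self, peer, inner_prefixes):
        self._peer_inner[ipaddress.ip_address(peer)] = [ipaddress.ip_network(p) for p in inner_prefixes]

    @staticmethod
    def _within(src_ip, prefixes):
        return any(src_ip.version == net.version and src_ip in net for net in prefixes)

    def check(self, interface, src):
        """Validate the (outer) source address of a packet arriving on `interface`."""
        src_ip = ipaddress.ip_address(src)
        prefixes = self._iface_prefixes.get(interface)
        if prefixes is None:
            return Verdict("drop", f"no prefixes bound to {interface}")
        if self._within(src_ip, prefixes):
            return Verdict("pass", f"{src} is assigned to {interface}")
        return Verdict("drop", f"{src} is not assigned to {interface}")

    def check_tunneled(self, interface, outer_src, inner_src):
        """Validate both headers of an encapsulated packet before forwarding the inner one.

        The outer source is checked like any other packet; the inner source is then
        checked against what that tunnel peer may originate, so a decapsulating host
        does not launder a spoofed inner address onto the network.
        """
        outer = self.check(interface, outer_src)
        if outer.action == "drop":
            return outer
        inner_prefixes = self._peer_inner.get(ipaddress.ip_address(outer_src))
        if inner_prefixes is None:
            return Verdict("drop", f"{outer_src} is not a configured tunnel peer")
        if self._within(ipaddress.ip_address(inner_src), inner_prefixes):
            return Verdict("pass", f"inner {inner_src} is valid for peer {outer_src}")
        return Verdict("drop", f"inner {inner_src} spoofed behind peer {outer_src}")


def build_example_filter():
    """Constructed topology: two customer ports and one authorized tunnel peer."""
    f = IngressFilter()
    f.bind("cust-a", ["198.51.100.0/24", "2001:db8:a::/48"])
    f.bind("cust-b", ["203.0.113.0/24"])
    f.bind_tunnel_peer("198.51.100.7", ["10.1.0.0/16"])
    return f


# Constructed sample records: (interface, outer source, inner source or None)
SAMPLE_RECORDS = [
    ("cust-a", "198.51.100.7", None),          # legitimate plain packet
    ("cust-a", "203.0.113.5", None),           # cust-b address arriving on cust-a port: spoofed
    ("cust-a", "2001:db8:b::1", None),         # IPv6 source outside the assigned /48
    ("cust-a", "198.51.100.7", "10.1.0.5"),    # tunneled packet from the registered peer
    ("cust-a", "198.51.100.7", "10.9.0.5"),    # inner source the peer may not originate
    ("cust-a", "198.51.100.9", "10.1.0.5"),    # valid outer address, but not a tunnel peer
]


def apply_filter(f, records):
    """Run each record through the filter; returns a list of Verdicts in input order."""
    verdicts = []
    for interface, outer_src, inner_src in records:
        if inner_src is None:
            verdicts.append(f.check(interface, outer_src))
        else:
            verdicts.append(f.check_tunneled(interface, outer_src, inner_src))
    return verdicts


if __name__ == "__main__":
    for record, verdict in zip(SAMPLE_RECORDS, apply_filter(build_example_filter(), SAMPLE_RECORDS)):
        print(f"{verdict.action:4s} {record}: {verdict.reason}")
```

The two-stage check in `check_tunneled` is the point of the example: plain BCP38 at the customer edge only sees the outer header, so a host that decapsulates must repeat source validation on the inner packet, otherwise it forwards exactly the spoofed traffic the KU Leuven scans probed for.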

Shadowserver and Free Vulnerability Scanning

The Shadowserver Foundation plays a critical role in improving internet security by providing free scanning services to network operators. Through their scans, Shadowserver highlights issues like open resolvers, exposed services, or insecure configurations that could be exploited by malicious actors. This information can help organizations uncover potential risks, such as unprotected tunnel hosts or systems inadvertently contributing to distributed denial-of-service (DDoS) attacks originating from their networks.

Participation in Shadowserver’s initiatives is voluntary, but the insights gained from their reports offer significant value. By acting on these findings, organizations can strengthen their defenses, reduce abuse potential, and contribute to a safer internet. Shadowserver’s efforts emphasize collaboration, encouraging network operators and organizations to proactively address issues and prevent their infrastructure from being used in malicious campaigns.

Blocking Tunneled DDoS Attacks with UltraDDoS Protect

DigiCert UltraDDoS Protect is an advanced DDoS mitigation platform that employs anycast routing, attack signatures, and behavioral analysis techniques to identify and drop DDoS traffic patterns regardless of apparent source legitimacy.

Default Filtering Capabilities

UltraDDoS Protect includes an extensive range of default filtering capabilities designed to defend against a variety of DDoS threats. These include:

  • IP and Protocol Filtering: blocks known malicious IP addresses and restricts traffic based on specific protocols. This ensures that suspicious or harmful sources are unable to access your system, improving overall security and reducing vulnerabilities.
  • Rate Limiting: controls traffic spikes by managing the volume of incoming requests. This prevents systems from being overwhelmed by sudden surges in traffic, ensuring consistent performance and stability.
  • Geo-Blocking: restricts traffic from specific geographic regions that are prone to malicious activity and that have a larger number of exposed tunnel endpoints. By targeting high-risk regions, organizations can reduce the likelihood of attacks originating from these areas.
  • Application Layer Protection: detects and mitigates attacks at the application level, such as HTTP floods. This ensures that critical applications remain secure and uninterrupted even during targeted assaults.
  • Behavioral Analysis: identifies unusual traffic patterns in real time. By monitoring and analyzing behaviors, it prevents sophisticated and evolving attack methods from compromising your system.
  • Customizable Rules: allow organizations to configure filtering rules tailored to their unique requirements. This flexibility ensures that security measures align closely with specific business needs and operational goals.

Cloud-Based Firewall Protection

DigiCert’s optional Cloud Firewall service enables always-on UltraDDoS Protect customers to push their customized firewall rules directly to our infrastructure. By leveraging this capability, organizations can proactively block malicious traffic at the network edge, preventing attacks before they reach critical systems. This scalable solution enhances security by combining advanced DDoS protection with the ability to enforce precise, pre-defined rules, ensuring robust protection against evolving cyber threats.

Securing Internet Infrastructure Against Tunneled DDoS Threats

The discovery of 4.3 million vulnerable tunneling hosts represents a critical infrastructure security challenge requiring coordinated response efforts across the internet ecosystem. Network operators should immediately audit their networks for tunneling implementations and ensure proper authentication and access controls are in place.

Default configurations in routers and servers that accept arbitrary tunneled traffic create unnecessary risk exposure not only for individual organizations but for the broader internet community. Security researchers recommend implementing strict source validation for all tunneling protocols and monitoring for unexpected traffic patterns that might indicate abuse.

Organizations should consider the broader implications of tunnel-based attacks when designing network security architectures. Moving beyond simple perimeter defense models toward comprehensive traffic analysis and validation becomes essential as attackers increasingly exploit fundamental internet protocols.

The research by KU Leuven underscores the critical importance of proactive security measures in protecting digital infrastructure against evolving cyber threats. As attackers continue developing sophisticated techniques for exploiting legitimate network protocols, defensive strategies must evolve to address these emerging challenges comprehensively.

Published On: August 18, 2025
Last Updated: August 18, 2025
