Slashdot Mirror


Privacy Vulnerability Exposes VPN Users' Real IP Addresses (thestack.com)

An anonymous reader writes: A major security flaw which reveals VPN users' real IP addresses has been discovered by Perfect Privacy (PP). The researchers suggest that the problem affects all VPN protocols, including IPSec, PPTP and OpenVPN. The technique involves a port-forwarding tactic whereby a hacker using the same VPN as its victim can forward traffic through a certain port, which exposes the unsuspecting user's IP address. This issue persists even if the victim has disabled port forwarding. PP discovered that five out of nine prominent VPN providers that offer port forwarding were vulnerable to the attack.

94 comments

  1. Damn people are getting dumb by Anonymous Coward · · Score: 0

    This is the stupidest thing I've heard in a few days.

    Yes it's probably your friend or neighbor, nobody cares about your IP address anymore.

    1. Re: Damn people are getting dumb by Anonymous Coward · · Score: 0

      Well, a lot of people use VPNs to hide their torrenting, and IP addresses are how copyright trolls find you and send you letters, so it kinda is an issue if you're paying for a VPN to hide your torrenting, and thus not get caught

    2. Re: Damn people are getting dumb by Anonymous Coward · · Score: 0

      I'm sure that's not the stupidest thing you've *said* lately though.

    3. Re: Damn people are getting dumb by RubberDogBone · · Score: 4, Insightful

      Well, a lot of people use VPNs to hide their torrenting, and IP addresses are how copyright trolls find you and send you letters, so it kinda is an issue if you're paying for a VPN to hide your torrenting, and thus not get caught

      This is a mistake, then. If you want to torrent and avoid copyright holders, you need to use a SEED BOX somewhere overseas where they don't keep records. And then VPN from your home or whatever into that seed box. The box runs your torrents for you. The only traffic your IP sees is the encrypted transfers of completed files between you and the seed box. NOT VPN'd torrents.

      This is of course not foolproof but it adds a nice layer between your own IP and the infringing activity. It also helps if you are on a bandwidth capped account as your connection doesn't have to support all the torrent traffic. And for cost, a seed box with VPN is not a lot more than a VPN alone. So it's not a big deal.

      --
      Sig for hire.
    4. Re: Damn people are getting dumb by dotancohen · · Score: 3, Insightful

      This is a mistake, then. If you want to torrent and avoid copyright holders, you need to use a SEED BOX somewhere overseas where they don't keep records.

      Or how about a more novel idea: Instead of paying to avoid copyright, either actually pay for the movies you watch or don't watch them. Seriously, I use a VPN and I use bittorrent for legitimate purposes, and you are ruining my ability to use my tools responsibly.

      Just like the idiots that shine laser pointers at landing airplanes so now I cannot use a laser pointer to responsibly teach my daughters astronomy, you are abusing and ruining a tool for nothing of value. If you are so addicted to movies that you cannot even afford to pay for your habit, then you need counseling.

      --
      It is dangerous to be right when the government is wrong.
    5. Re: Damn people are getting dumb by Linux+Freak · · Score: 4, Insightful

      What about the many, many movies that never actually get released where I live (likely 20% or more never get released here, as a way of "protecting" the domestic movie producing market here)? Oh, I get it, you want me to wait until they are released on DVD and have me import them, right? Too bad about region encoding, apparently I am a "thief" for wanting to buy & watch DVDs in a different region.

      I am happy to pay for content, but don't make it impossible to do so and I'll stop circumventing. Hell, the money I pay for a VPN could go to the content provider instead.

    6. Re: Damn people are getting dumb by thegarbz · · Score: 1

      Or you could take the low-hanging fruit principle. Are studios likely to go after people who obfuscate their presence or likely to just record IP addresses and John Doe them to their nearest ISP?

      I think VPN torrenters or those using SOCKS proxies will be relatively safe until everyone starts doing it.

    7. Re: Damn people are getting dumb by thegarbz · · Score: 3, Funny

      Or how about a more novel idea: Instead of paying to avoid copyright, either actually pay for the movies you watch or don't watch them.

      I tried that. No one would take my money. And 6 months later when they did want to take my money they wanted to take twice as much as normal because... well I assume they had the added cost of dubbing the original so people said "aluminium" instead of "aluminum" and had to put the missing 'u' back into various words in the subtitles. Maybe they even edited the footage so the toilets flushed in the opposite way, that would justify the cost.

    8. Re: Damn people are getting dumb by dotancohen · · Score: 1

      I tried that. No one would take my money.

      When regional exclusion comes into account, I by all means support copyright infringement. My comments were addressed to those who circumvent copyright when moral (not necessarily legal) means are available to them, in order to save money.

      If the producers and distributors of the media do not see you as a potential customer and refuse to offer their product in your area, then you are doing no moral harm by acquiring the media by alternative distribution channels.

      --
      It is dangerous to be right when the government is wrong.
    9. Re: Damn people are getting dumb by Anonymous Coward · · Score: 0

      >you are ruining my ability to use my tools responsibly.

      You can't possibly be serious. The only ones ruining the ability to use your tools are the ones providing the tools or actively restricting access to them.

    10. Re: Damn people are getting dumb by Hognoxious · · Score: 1

      now I cannot use a laser pointer to responsibly teach my daughters astronomy

      Must be pretty powerful if it can illuminate the moon.

      --
      Confucius say, "Find worm in apple - bad. Find half a worm - worse."
    11. Re: Damn people are getting dumb by Anonymous Coward · · Score: 1

      Self-righteous preaching is also incredibly patronizing.

      Stats consistently show that not only do most pirates pay for content but tend to pay more than average. The primary reason why content gets "stolen" (MPAA/RIAA corporate propaganda) is due to the following

      1. Most of the stuff people download they wouldn't have paid for.

      2. Convenience. You can instantly get whatever you want without running through hoops of DRM and delays due to royalties.

      3. A work was originally copyright protected to encourage content creation. It is not protected solely to make some guy sitting on his ass rich for doing nothing because he was lucky enough to inherit royalties. Nor was it intended for some actor with a high school diploma to make 30M a year while a doctor that saves lives makes 400K. Big media companies are behaving rotten these days. They preach values to others, then milk the public dry with royalties for films, music and software that often should be in the public domain.

      I'm sure plumbers, and every one else in the world whose efforts aren't protected by licensing, would like to be paid for every flush of a toilet but there comes a point where the plumber would be gouging the public.

    12. Re: Damn people are getting dumb by Anonymous Coward · · Score: 0

      What is the value of all the ideas big media companies took from public domain to make their films?

      What is the value of the ideas big software companies took from the public domain to create their software?

      There then are drug companies that complain about generics after 20 years. How many ideas did they "steal" from the public domain to come up with their drug originally?

      ZERO. literally ZERO content creation happens in a vacuum. Yet to listen to some super rich content creators these days they are all victims to the little guy.

      Content "theft" is largely the Average Joe getting even with the fat cat parasites that have abused their power to feed off the public. The only ones we should feel any sympathy for are the little guys in the industry that are having their salaries siphoned away by the 1% of selfish whiners. Too much capitalism is like communism. A few guys control most of the wealth. If there is anything the little guy can do to take a bit more of their earned cut, they should do it.

      - 500 for me. And one for you.

    13. Re: Damn people are getting dumb by Anonymous Coward · · Score: 0

      Those poor, poor Hollywood executives. Because of those evil pirates they have to occasionally cut their employees' salaries and eliminate other people's jobs. It's of course "theft" to lower their own salaries. God forbid, for a change, they lower their own salaries to better reflect the work they have done rather than milk both their employees and the public dry.

      http://www.hollywoodreporter.com/news/executive-salaries-david-zaslav-discovery-highest-paid-313804

    14. Re: Damn people are getting dumb by dotancohen · · Score: 0

      If you don't like their business practices, then don't use their product. Staying addicted to their entertainment only cements their position and ability to hurt others.

      --
      It is dangerous to be right when the government is wrong.
    15. Re: Damn people are getting dumb by dotancohen · · Score: 0

      If you don't like their business practices, then don't use their product. Staying addicted to their entertainment simply cements their position and ability to hurt others.

      --
      It is dangerous to be right when the government is wrong.
    16. Re: Damn people are getting dumb by Anonymous Coward · · Score: 1

      Bold sections and everything...

      You know that no one actually cares if you use a laser pointer responsibly, right? It's a null issue. Same for your legitimate use of BitTorrent... no one is stopping you or making it harder. P2P is not illegal and there are so many trackers out there that even if it were the powers that be would never be able to stop them all. Even if they did THAT someone would just come up with something different enough to avoid the wording of law but similar enough so that you can still use it like you want to.

      I think you're overreacting somewhat.

    17. Re: Damn people are getting dumb by thegarbz · · Score: 1

      While you're on the topic of morals, what's your view on the producers endlessly locking up content in copyright, forever milking the customer for every cent they can bear while passing on almost none of the profits to the people who created that work, all the while taking people to court for ludicrously over-inflated payouts?

      Even if I would be pirating due to financial reasons I would justify it to myself as "doing no moral harm" quite comfortably.

    18. Re: Damn people are getting dumb by dotancohen · · Score: 1

      While you're on the topic of morals, what's your view on the producers endlessly locking up content in copyright, forever milking the customer for every cent they can bear while passing on almost none of the profits to the people who created that work, all the while taking people to court for ludicrously over-inflated payouts?

      Even if I would be pirating due to financial reasons I would justify it to myself as "doing no moral harm" quite comfortably.

      That is not the doing of the producers, rather it is the doing of the politicians. Now ask yourself what did the politicians give to the people when they took away works that should be in the public domain?

      I'm all for rebelling against unjust laws, but the truth is that I'll support copyright infringement for an informative work, but not for an entertainment work. One could argue that the entertainment works become culture, to that I answer: when you pirate you are actively basing your culture on non-free works. So the society-benefiting conclusion remains: don't pirate. Just ignore the copyrighted works and base your culture upon ideas and stories that you are free to share.

      --
      It is dangerous to be right when the government is wrong.
    19. Re:Damn people are getting dumb by kmoser · · Score: 1

      Yes it's probably your friend or neighbor, nobody cares about your IP address anymore.

      And doxers

    20. Re: Damn people are getting dumb by Anonymous Coward · · Score: 0

      They don't want you to watch those movies. I've made it my policy to agree with that - I will never think about those movies that they don't want me to see. I only think about movies, music and shows from people who want my attention by freely sharing their own works around.

    21. Re: Damn people are getting dumb by Slashdot+Parent · · Score: 1

      Instead of paying to avoid copyright, either actually pay for the movies you watch

      I can't tell you how many times I've sat there throwing money at my television and nobody would take it. If the copyright holder won't let me buy it, then I feel no guilt about torrenting it.

      --
      They don't grade fathers, but if your daughter's a stripper, you fucked up. --Chris Rock
    22. Re: Damn people are getting dumb by dotancohen · · Score: 1

      I can't tell you how many times I've sat there throwing money at my television and nobody would take it. If the copyright holder won't let me buy it, then I feel no guilt about torrenting it.

      I agree with you 100%. I was addressing those who do have proper channels to acquire media.

      --
      It is dangerous to be right when the government is wrong.
  2. Clever but not earthshaking. by houstonbofh · · Score: 4, Interesting

    Essentially, you are having the user connect to the internal address of the VPN server for your forwarded port, and therefore you do not go through the VPN or NAT. A good VPN service will have bound your port to the external address only, and this would not work. And the bad ones will fix this quickly, I bet.

    1. Re:Clever but not earthshaking. by Anonymous Coward · · Score: 0

      Technically there is no need to have separate IP addresses for the "exit" (on which the ports to be forwarded are opened) and the "tunnel server" (to which the encrypted tunnel packets are sent.) The actual misconfiguration is on the client side, where packets that are not addressed to the tunnel server (IP+port) are sent outside the tunnel. The client should send everything through the tunnel except the encapsulated packets, but it typically doesn't actually tunnel the packets to other ports on the tunnel server. By giving the option to forward ports on the tunnel server to the VPN clients, the VPN service makes this misconfiguration exploitable, but it's not originally the service's fault.

  3. Bigger problems by ilsaloving · · Score: 5, Insightful

    The only requirement is that the attacker has port forwarding enabled on the same VPN network as its target. A phishing link or laced image file, for example, is then sent to the victim which leads the traffic to a port under the hacker’s control.

    So... using a social engineering attack can expose the victim's IP address. Am I missing something? 'Cause to me this falls under the category of "Well no shit, Sherlock!" If you can convince a user to run a malicious payload, then having an IP address exposed is the least of the victim's problems.

    1. Re:Bigger problems by Anonymous Coward · · Score: 0

      I think you're missing the bigger picture here.

      Computer security has gotten about as meaningful as homeopathy, and it's making people a lot of money. Just wave your hands and talk meaningfully about 'attack surface'. You too can get in on the game.

      Now get your phlogistons off my aether.

    2. Re:Bigger problems by Anonymous Coward · · Score: 1

      If someone obtains a VPN connection and routes all of their traffic over that connection, it's reasonable for them to assume that their real IP address won't "leak." Masking one's origin is often the entire purpose of a VPN, at least from a consumer standpoint. Even if the user opens malware or clicks a specially crafted link, there should still be an expectation that any resulting traffic won't reveal the user's true IP. Some of the commercial VPN services are obviously doing it properly, as the exploit doesn't work on their networks.

    3. Re:Bigger problems by Anonymous Coward · · Score: 1

      So:

      "A major security flaw which reveals VPN users' real IP addresses has been discovered by Perfect Privacy (PP). The researchers suggest that the problem affects all VPN protocols, including IPSec, PPTP and OpenVPN"

      Is a misleading scare tactic opening, and "Privacy Vulnerability Exposes VPN Users' Real IP Addresses" is a scare tactic title, when it should really be "poorly implemented VPNs can leak users' real IP"

    4. Re:Bigger problems by Anonymous Coward · · Score: 0

      There's no "social engineering" required (unless you define that term so broadly that it's meaningless).

      If you're running a dragnet rather than spear-phishing, you just need to put the link out there somewhere (whether as a-href or img-src or whatever). Anyone who follows it using the target VPN will make the HTTP request from their real IP address.

      If you're targeting a specific victim, then you're probably going to need to do something to optimise the process. That may involve emailing the victim a link, or it may involve knowing which sites he visits and finding one which allows off-site links to be posted (or off-site images to be embedded), or knowing enough about him to get your site to appear high up on one of his upcoming google searches.

    5. Re:Bigger problems by reboot246 · · Score: 0

      My biggest problem with it is the use of the pronoun "its" instead of "his". The attacker (or hacker) may be male or female, but correct grammar uses the masculine pronoun when the sex of the antecedent is unknown. Are you people THAT politically correct or is it just a lack of education?

    6. Re:Bigger problems by AHuxley · · Score: 1

      For that a list of who kept the IP would be needed so the product offered can be better understood.
      Is it having all servers in one nation under one brand's internal control?
      Servers in a lot of nations but under total control of the brand?
      Some internal network with a way in and a totally different server network out?
      An external wired router passing the totality of all OS and app network traffic to a VPN should not be leaking any ISP IP.

      --
      Domestic spying is now "Benign Information Gathering"
    7. Re:Bigger problems by turbidostato · · Score: 1

      "Masking one's origin is often the entire purpose of a VPN, at least from a consumer standpoint."

      Uhhh... nope, why should that be the case?

      The purpose of a Virtual Private Network is to, well, Virtually make a Private Network, as if it was Local (LAN is another interesting acronym here) over other non-local networks.

      And then, the article states " The technique involves a port-forwarding tactic whereby a hacker using the same VPN as its victim can forward traffic through a certain port, which exposes the unsuspecting user's IP address."

      The same VPN! Why talk about "unsuspecting users"? The very purpose of a VPN is that those using it can get in touch to begin with!

    8. Re:Bigger problems by undecim11 · · Score: 1

      The point is that a VPN is used to hide your IP address, but with this vulnerability, a single web page can subvert that. All the attacker needs to trick you into doing is opening a single TCP connection. This can be done with a single img or iframe tag on a page. It's not running a malicious payload, it's browsing the internet.

    9. Re:Bigger problems by Anonymous Coward · · Score: 0

      Ugh? How exactly? My computer is behind my router. My router only has the VPN remote endpoint route on the WAN interface. The default route is through the VPN interface; all outbound traffic via the VPN interface has the source address changed to the local IP of the VPN interface. So, how should it leak the IP of the WAN interface then?

    10. Re:Bigger problems by whoever57 · · Score: 2

      The term VPN has been co-opted by providers that provide VPN and routing services. People pay for this service so that they can mask their true location -- for example, to use video services not available in their country.

      Individual users are not using the VPN to connect to each other, but instead to connect to the VPN endpoint, from where their encapsulated packets are routed to the destination website (and obviously, the replies are routed back the same way).

      --
      The real "Libtards" are the Libertarians!
    11. Re:Bigger problems by Antique+Geekmeister · · Score: 2

      >> "Masking one's origin is often the entire purpose of a VPN, at least from a consumer standpoint."

      > Uhhh... nope, why should that be the case?

      To avoid a subpoena for the records of the connecting IP address, or to fool geo-IP based content restrictions from blocking people outside the UK from watching BBC programs, or to evade the "Great Firewall" of China, or to avoid tracking a command control center for a botnet, or to avoid detection of the "amazing offer" as coming from Nigeria, or simply to send spam from IP addresses which are not in public blacklists.

    12. Re:Bigger problems by AK+Marc · · Score: 0

      VPN means "encrypted proxy". Nothing more, nothing less, at least in this context.

    13. Re:Bigger problems by Anonymous Coward · · Score: 0

      Well, the VPN products that I've configured had a setting to allow/disallow this with the options:
      1) all traffic passes through the VPN (or gets dropped if it's not allowed)
      2) all local lan traffic is allowed and everything else passes through the VPN
      3) all traffic is allowed and only specific traffic passes through the VPN (based on ip address).

      So, if I set one up using #1 or #2 above, then this 'attack' won't work.

    14. Re:Bigger problems by Anonymous Coward · · Score: 0

      Ugh? How exactly? My computer is behind my router. My router only has the VPN remote endpoint route on the WAN interface. The default route is through the VPN interface; all outbound traffic via the VPN interface has the source address changed to the local IP of the VPN interface. So, how should it leak the IP of the WAN interface then?

      To you and previous poster: How the hack works is explained in detail in the linked article, no need to speculate.

    15. Re:Bigger problems by Anonymous Coward · · Score: 0

      Ugh? How exactly? My computer is behind my router. My router only has the VPN remote endpoint route on the WAN interface. The default route is through the VPN interface; all outbound traffic via the VPN interface has the source address changed to the local IP of the VPN interface. So, how should it leak the IP of the WAN interface then?

      Easy: you still have a host route to the VPN server. If your firewall does not block it, any request to that VPN server runs through the host route. If the attacker (a user using the same VPN and same server) has forwarded the external port on the external VPN server IP to his internal server, your WAN IP will appear in the traffic, as it bypasses the VPN.

    16. Re:Bigger problems by bingoUV · · Score: 1

      Duh, attacker is a script.

      --
      Bingo Dictionary - Pragmatist, n. A myopic idealist.
    17. Re: Bigger problems by Anonymous Coward · · Score: 0

      Here in Sweden, the megadome of politically correct, we actually have a gender neutral word that is not "it". A mix between him and her. Translated to something like hem. True story.

    18. Re:Bigger problems by turbidostato · · Score: 2

      "The term VPN has been co-opted by providers that provide VPN and routing services. People pay for this service so that they can mask their true location -- for example, to use video services not available in their country."

      Oh, I see now! People got fooled into buying a VPN service when they wanted an anonymizer service.

      "Individual users are not using the VPN to connect to each other, but instead to connect to the VPN endpoint, from where their encapsulated packets are routed to the destination website"

      And then, the protocol works as designed instead of how an ignoramus thought it worked. Surprise, surprise!

    19. Re: Bigger problems by Anonymous Coward · · Score: 0

      That's grammar not politics.

    20. Re:Bigger problems by Anonymous Coward · · Score: 0

      The attack is possible due to a misconfiguration on the VPN "client". The article blames the VPN server, which is somewhat OK because the server can do some things to defend against this attack, but technically it's the client's fault. The attacker makes you connect to the VPN server's external IP address, on a port that is forwarded to the attacker.

      A normal connection to a host on the internet goes like this: The VPN client sends a SYN packet through the VPN tunnel. The packet exits the VPN tunnel with the VPN server's external IP address and is routed over the internet to the destination IP address and port. The destination sees the VPN server as the source of the connection.

      The attack goes like this: The attacker uses the VPN server's port forwarding feature and forwards a port on the VPN server's IP address to himself (through his VPN tunnel). Then a connection from the victim to the VPN server's IP address on the forwarded port is induced (social engineering, publishing the IP and port as a peer in a torrent, etc.). The victim makes the connection, but this will not go through the VPN tunnel, due to the way the routing is typically configured. There is a default route through the VPN tunnel, but the encrypted packets have to be routed to the VPN server and not sent into the tunnel again and again, so there is also a route that sends packets addressed to the VPN server directly through the local external interface, which sends the packet with the victim's external IP address. This packet arrives on the external interface of the VPN server and is forwarded to the attacker through his VPN tunnel. The source of that connection is the victim's real external IP address. Game over.

      The misconfiguration is the coarse routing table which routes all traffic to the VPN server's external IP address outside the tunnel. It should only route encrypted packets to the VPN tunnel port outside the tunnel. Everything else, including packets to the VPN server IP address that are not part of the VPN connection itself, should be sent into the tunnel. This is not the typical configuration though.

      If the client does everything correctly (i.e. sends packets to the attacker's port through the VPN), then there is a chance for a misconfiguration on the server side to allow the attacker to send packets straight to the victim.
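The routing decision the comment above describes (a default route into the tunnel plus a coarse host route for the VPN server's address) can be modelled to show why the forwarded-port connection leaves with the real WAN address, and how the "everything except the encrypted tunnel packets goes into the tunnel" policy (option #1 in the earlier comment about VPN client settings) closes the hole. This is an added simulation, not code from the article, the commenters or any VPN product; all addresses, the tunnel port (UDP/1194) and the forwarded port (TCP/12345) are constructed for the example.

```python
"""Model of a consumer VPN client's egress decision, coarse vs. strict.

Constructed values: victim's real WAN address 198.51.100.7, victim's
tunnel-side address 10.8.0.5, VPN server public address 203.0.113.10,
encrypted tunnel endpoint UDP/1194 (assumed), and TCP/12345 as the port the
attacker had forwarded from the server's public address to their own tunnel.
"""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

VICTIM_WAN_IP = "198.51.100.7"
VICTIM_TUN_IP = "10.8.0.5"
VPN_SERVER_IP = "203.0.113.10"
VPN_TUNNEL_PORT = 1194   # assumed UDP port the encrypted tunnel packets go to
FORWARDED_PORT = 12345   # constructed: port forwarded by the attacker


@dataclass(frozen=True)
class Packet:
    dst_ip: str
    dst_port: int
    proto: str  # "tcp" or "udp"


# Routing table as a typical VPN client installs it: (prefix, interface,
# source address). Longest prefix wins, so the /32 host route to the VPN
# server is preferred over the default route into the tunnel.
ROUTES = [
    (ip_network("0.0.0.0/0"), "tun0", VICTIM_TUN_IP),
    (ip_network(VPN_SERVER_IP + "/32"), "wan0", VICTIM_WAN_IP),
]


def lookup_route(pkt):
    """Plain longest-prefix-match route lookup; returns (interface, source_ip)."""
    best = None
    for net, iface, src in ROUTES:
        if ip_address(pkt.dst_ip) in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, iface, src)
    return best[1], best[2]


def is_tunnel_traffic(pkt):
    """Only the encrypted encapsulation packets legitimately bypass the tunnel."""
    return pkt.dst_ip == VPN_SERVER_IP and pkt.proto == "udp" and pkt.dst_port == VPN_TUNNEL_PORT


def egress(pkt, strict=False):
    """Return (interface, source_ip) the packet leaves the host with.

    strict=False: coarse routing, every packet to the VPN server's public
                  address takes the host route and so bypasses the tunnel.
    strict=True:  the policy the comment recommends: only the encapsulation
                  packets may use the host route; anything else addressed to
                  the server (e.g. the forwarded port) is pushed into the tunnel.
    """
    if strict and pkt.dst_ip == VPN_SERVER_IP and not is_tunnel_traffic(pkt):
        return "tun0", VICTIM_TUN_IP
    return lookup_route(pkt)


def leaks_real_ip(pkt, strict=False):
    """True when a non-tunnel packet would carry the victim's real WAN address."""
    _iface, src = egress(pkt, strict)
    return src == VICTIM_WAN_IP and not is_tunnel_traffic(pkt)


if __name__ == "__main__":
    samples = [
        Packet("93.184.216.34", 443, "tcp"),           # ordinary web traffic
        Packet(VPN_SERVER_IP, VPN_TUNNEL_PORT, "udp"),  # the encrypted tunnel itself
        Packet(VPN_SERVER_IP, FORWARDED_PORT, "tcp"),   # connection to the forwarded port
    ]
    for strict in (False, True):
        print("strict policy:" if strict else "coarse routing:")
        for pkt in samples:
            iface, src = egress(pkt, strict)
            print(f"  {pkt.proto}/{pkt.dst_ip}:{pkt.dst_port} -> {iface} src={src}"
                  f"{'  LEAK' if leaks_real_ip(pkt, strict) else ''}")
```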

    21. Re:Bigger problems by Anonymous Coward · · Score: 0

      "Masking one's origin is often the entire purpose of a VPN, at least from a consumer standpoint."

      Uhhh... nope, why should that be the case?

      The purpose of a Virtual Private Network is to, well, Virtually make a Private Network, as if it was Local (LAN is another interesting acronym here) over other non-local networks.

      In other words, masking one's origin to make it appear you're part of a different network...

    22. Re:Bigger problems by Bengie · · Score: 1

      If you're running a dragnet rather than spear-phishing, you just need to put the link out there somewhere

      Then everyone in the world will hit that with their public IP. How can you tell the difference between the public IP of your targets and the 1,000,000,000 other IPs?

    23. Re:Bigger problems by turbidostato · · Score: 1

      "To avoid a subpoena for the records of the connecting IP address, or to fool geo-IP based content restrictions"

      No. That's -maybe, what a consumer would want, not what a VPN offers.

      VPN offers seamless connectivity between two non-topologically contiguous data networks, not anonymity.

    24. Re:Bigger problems by turbidostato · · Score: 1

      "VPN means "encrypted proxy". Nothing more, nothing less, at least in this context."

      Yeah, well... and RAID means backup. But then, surprise, surprise!

    25. Re:Bigger problems by turbidostato · · Score: 1

      "In other words, masking one's origin to make it appear you're part of a different network..."

      Sorry no, but no. Masking oneself to look like coming from a different network is, who would imagine, "masquerading". VPN is tunneling so you don't see the multiple hops between your network and the one on the other side of the tunnel so, in fact, it more helps than hinders the other side to know your real IP address.

    26. Re:Bigger problems by Anonymous Coward · · Score: 0

      Your problem is that the rules of grammar are arbitrary, there is no ultimate authority that determines what is and isn't grammatically correct. What your education tells you is and isn't grammatically correct may not be correct, or at least not universally agreed upon.

    27. Re:Bigger problems by dave420 · · Score: 1

      VPNs and anonymous proxies are both used for avoiding geo-blocking. Saying someone should only use the latter is somewhat silly, considering anonymous proxies are even more leaky than a well-configured VPN.

    28. Re:Bigger problems by dave420 · · Score: 1

      They don't want anonymity! They want to bypass geo-blocking. That is a perfect use for a VPN.

    29. Re:Bigger problems by dave420 · · Score: 1

      You really should read up about VPNs as you seem woefully misinformed about how they work and what they are used for. Seriously. It was funny before, but now it's kind of embarrassing.

    30. Re:Bigger problems by turbidostato · · Score: 1

      "They want to bypass geo-blocking. That is a perfect use for a VPN."

      No, it isn't, or else, this full Slashdot article wouldn't exist.

    31. Re:Bigger problems by Slashdot+Parent · · Score: 1

      If you can convince a user to run a malicious payload, then having an IP address exposed is the least of the victim's problems.

      It's not as hard as you'd think. All you have to do is convince a user to make a connection to the VPN provider's IP at a specific port.

      In a common VPN use case where the VPN user doesn't want his IP known to the world, torrenting, it's pretty easy to convince a torrent client to connect to a specific IP/port: just join the swarm on that specific IP/port and wait for your target's torrent client to connect to you! It doesn't matter how savvy the computer operator is when the torrent client is a dumb piece of software.

      If I were to torrent via VPN, I'd definitely be blacklisting my VPN connection's external IP address from my torrent client!

      --
      They don't grade fathers, but if your daughter's a stripper, you fucked up. --Chris Rock
  4. VPN != Anonymity by Anonymous Coward · · Score: 0

    If a virtual private network's purpose is to encrypt communication between one or more end points creating a virtual network on top of physical/logical network, the tunnel must know the public (or parent) addresses of the end points. How is this a problem when anonymity is not guaranteed in the first place, particularly when a VPN requires authentication?

    1. Re: VPN != Anonymity by Anonymous Coward · · Score: 0

      Actually, encryption isn't even a requirement. There's no guarantee of privacy outside the context of IP address space.

  5. Untold requirement? by manu0601 · · Score: 1

    TFA says that it is possible to trigger a request to the VPN gateway itself by embedding a link to its address (example: <img src="http://1.2.3.4:12345/x.jpg">), and that request will show the real IP.

    But in order to get the real IP, the attacker must be able to eavesdrop on the traffic between the victim and the VPN gateway, right?

    1. Re:Untold requirement? by undecim11 · · Score: 2

      No. The attacker forwards a port on the VPN gateway. This means that the attacker receives any traffic on that port already, including the victim's IP. All the attacker needs is the same level of VPN access that the victim is paying for.

  6. Is that a secret? by Marc_Hawke · · Score: 5, Insightful

    I don't know that VPNs are supposed to hide the end IP addresses. They made a tunnel through the Internet so you can 'pretend' to be on the same local network as the remote host. (That's the Virtual part.) They also encrypt that traffic so the Internet doesn't get to listen to what you say. (That's the Private part.)

    Nowhere in VPN do I see that it's an 'anonymizing proxy' or something else that's supposed to obfuscate either of the end-points. Sure, a lot of people started using VPNs for that purpose, but claiming there's a vulnerability or flaw in IPSec or OpenVPN because it's not 'anonymizing' seems like you've missed the mark a bit.

    --
    --Welcome to the Realm of the Hawke--
    1. Re:Is that a secret? by AHuxley · · Score: 1

      The "anonymizing" part is that the VPN becomes your IP for that session.
      The IP found on the net should always stop back at the VPN provider. That's the idea of the router for a system like OpenVPN. Your entire OS, all apps, web use can only connect via the VPN, no leaking an ISP IP out. The idea that anyone looking back from the VPN IP can see the user's ISP is not the best news.

      --
      Domestic spying is now "Benign Information Gathering"
    2. Re:Is that a secret? by turbidostato · · Score: 1

      "The "anonymizing" part is that the VPN becomes your IP for that session. "

      That's a side effect at most.

      "Your entire OS, all apps, web use can only connect via the VPN, no leaking an ISP IP out"

      Sorry, but seemingly you don't understand what you are talking about. Once established, your Virtual Private Network is a network just like any other: you can route it, bridge it, masquerade it... In fact, that's the very goal of a VPN: making two topologically disconnected networks look like they are connected through a topologically local network (single hop).

      "The idea that anyone looking back from the VPN IP can see the user's ISP is not the best news."

      Well, it isn't even news: that's the exact feature that allows, for instance, to connect two distant offices' networks as if they were one hop away.

    3. Re:Is that a secret? by AHuxley · · Score: 1

      Re "Well, it isn't even news: that's the exact feature that allows, for instance, to connect two distant offices' networks as if they were one hop away."
      This is more about the services offered to show a VPN provider's IP vs an ISP rather than a traditional "two distant offices" secure networking.

      --
      Domestic spying is now "Benign Information Gathering"
    4. Re:Is that a secret? by turbidostato · · Score: 1

      "This is more about the services offered to show a VPN provider's IP vs an ISP rather than a traditional "two distant offices" secure networking."

      So what? The expectation is exactly the same: what happens on a node working as the end point for a VPN with regard to other networks that node has access to is up to the node, not the VPN.

      So if a VPN ends in my computer I'll take for granted that all other networks on my computer are visible to the other end unless I'm taking positive steps for that not to be the case.

    5. Re:Is that a secret? by AHuxley · · Score: 1

      The idea is the rest of the world will only ever see the VPN IP, not the user's ISP IP. The leak exposed the user's original ISP IP from the VPN IP.

      --
      Domestic spying is now "Benign Information Gathering"
    6. Re:Is that a secret? by AK+Marc · · Score: 1

      It's not a VPN. They just use VPN protocols to connect two machines, one is the user, and the other is a proxy. VPN is used incorrectly for 90% of "VPN services" out there.

    7. Re:Is that a secret? by Anonymous Coward · · Score: 0

      Keyword: "Looks like"

      With a VPN the net sees a lot of traffic going between two nodes. Even if you hide the data being sent, the routing logs alone are enough to provide a correlation trace. Unless your traffic is to a well traveled site (Hundreds of Thousands of connections a second, from different IPs around the world) and about the same volume as the "normal" traffic (I.e. if the range is between 40KB and 2MB per connection, your traffic had better fit within that range) your connection is going to be "spotted" as an anomaly. Then it's a simple matter of finding a very close initial connection time, with the same amount of data sent from both nodes to find you.

      E.g. here we have the public points on the net: A (your ISP IP address), B & C (the VPN's IP addresses, both tunnel endpoints), and D (the target site's IP address).

      A <---Public---> B <---Private---> C <---Public---> D

      The link between B & C is the VPN, and encrypted.

      The links between A & B, and C & D are public and NOT encrypted.

      Your traffic goes through each link, and regardless of the encryption used you have two things running against you:

        1. The data volume at each link will go up once a session is started and will remain at that level until the session ends. (Subject to any throttling / re-transmission / etc. But the entire connection is subject to it during the data transmission. If doing an active trace where the data stream can be manipulated by inserting delays, this will give you the IP address for A and D if it persists long enough to create a behavior spike in the logs. The downside is you reveal your attack if the connection is being monitored.

      In a passive correlation attack, if the data stream persists long enough to become unique, (all other connections created at the same time, with a similar data volume close before yours, your connection is the only one with the given data volume, or even if (for the really passive attacks) your connections are routine enough (happen on a given schedule; does not need to be exact), etc.) the IP addresses for both A and D will be exposed.)

        2. Even if you lack the records for A to B, or even B to C, you can still get them after the fact. Many countries have Data Retention Laws. Ideally you want to make it difficult for a trace to pick up on you, so you want to "normalize" (Multiple hops through different nodes, at different times, using data volumes similar to legit traffic even if it means more than one session to complete a transfer, etc.) your traffic as much as possible, but that kind of behavior makes it more likely for your traffic to be logged in multiple places. For any real illegal activity that someone wants to come after you for, they can simply file charges with the given ISP in the given country for the nodes that they DO have records for, using the records they have from D to C as proof of wrongdoing and hop backwards along the link. Heck, they may not even have to file charges if the ISPs in between hand over the records willingly. Yeah, the ISP for B does not want to give up the records, maybe they destroyed them, but B has an ISP too. If B's ISP gives up the records for its connection to B, B is compromised. Even if you can't get the records for a segment, the smaller the segment, with a unique enough data stream at both ends of the missing records, and you just might get around it. (All you need is some hop along the chain to get your foot in the door. Did you check the ISP for the ISP?)

      Long story short, a VPN is not meant to hide your identity. Even if it's encrypted. If you are using a VPN for this and haven't gotten caught, you simply haven't become a big enough target for someone to justify the expense required to catch you. Beware though, that expense is getting smaller every day. If you really need to hide your traffic you may want to search for better options than a VPN. (Best option would be something that allows for Plausible Deniability but beyond using someone else's computer and internet connection, or sneakernet, I don't have any real suggestions.)

    8. Re: Is that a secret? by Anonymous Coward · · Score: 0

      No, the private part typically means the encapsulated traffic is using a non-Internet routable address space.

  7. Security services vs VPN? by AHuxley · · Score: 2

    Ideas like this show why VPN use was not a huge issue "Revealed: how US and UK spy agencies defeat internet privacy and security" (6 September 2013)
    http://www.theguardian.com/wor...
    ".. decode the encrypted traffic certified by three major (unnamed) internet companies and 30 types of Virtual Private Network (VPN) – used by businesses to provide secure remote access .."
    or under the new UK net laws "Snooper's Charter: Why aren't VPNs and Tor mentioned in the Investigatory Powers Bill?" (November 5, 2015)
    http://www.ibtimes.co.uk/snoop...
    ".. but surprisingly, nowhere in the proposal does it mention the use of Virtual Private Networks (VPN)."

    What can be done? Some creative way for an internal double VPN?
    This could also show that VPN use is vulnerable at a city, state, private sector or federal level/budget rather than just a shorter list of advanced nations with a domestic collect it all capability.

    --
    Domestic spying is now "Benign Information Gathering"
    1. Re:Security services vs VPN? by Anonymous Coward · · Score: 0

      What can be done? Some creative way for an internal double VPN?

      SSH over VPN is pretty easy, but it does use more CPU at both ends. That of course only hides the content and others on the VPN may be able to see where it's going, while those in control of the VPN will be able to work out a little bit more.

    2. Re:Security services vs VPN? by AHuxley · · Score: 1

      The issue is that your ISP IP from the VPN IP could be discovered at a low cost and by a lot of different interested groups.
      A good wired modern router with OpenVPN support will often offer a fast, newer dual core cpu that can support the needed encryption.
      That should cover any leaking from within the users OS, apps, software, malware.

      --
      Domestic spying is now "Benign Information Gathering"
  8. From the ads are not news dept. by Anonymous Coward · · Score: 0, Informative

    Please don't buy into this bullshit anymore people, this is an advertisement masquerading as a news story.

  9. Obvious lesson to everyone by Anonymous Coward · · Score: 0

    Obvious lesson to everyone - if you can't trust everyone on the network you are on then do something about it to keep them out.

    For some reason people forgot about that with a VPN and are not thinking that they are on the same network as many others on the same VPN. Part of that is because the things used to be mainly used in situations where everybody on the same VPN was logging into the same corporate, university or whatever network. Now since the things are being used on a commercial scale to provide some privacy or avoid stupid barriers based on geographical location (e.g. audiobooks, camping equipment, whatever that vendors will not sell to you based on geographical address), your VPN address is on there with a pile of ones from other people from all over the place.

    So if you are on a VPN that provides access to people you do not personally know then it's best to treat the network as if it's out naked on the wild internet. Firewall it as if there are people out there that want to violate your cute little computer and turn it into a spambot.

  10. Dual VPN by Anonymous Coward · · Score: 0

    People I know run two VPNs. Connect the first, then the second. Programs access the internet through the second.

  11. Re:Lock your doors by Anonymous Coward · · Score: 0

    Now how about we have a list of all terrorist incidents and see if one religious group stands out above all others. How about you face reality instead of making snarky comments?

  12. This is absolutely nothing by dilvish_the_damned · · Score: 1

    Exposing internal IP addresses to other entities inside the VPN would be the 'N' part of VPN. The Private, or 'P' part is really meant for everyone else. Why are these people short a whiteboard on this?

    --
    I think you underestimate just how much I just dont care.
    1. Re:This is absolutely nothing by Anonymous Coward · · Score: 0

      This isn't about exposing internal IP addresses.

      The idea is that the victim's routing table allows access to the VPN's server, in order to route your encrypted traffic there.

      The attacker sets up port forwarding on the VPN, and gets you to connect to that forwarded port somehow.

      Because your traffic to the VPN isn't tunneled through the VPN, your real IP address is used to connect to the VPN server on that port, which then gets forwarded to the attacker and then they can see your real IP address.

    2. Re:This is absolutely nothing by Anonymous Coward · · Score: 1

      > This isn't about exposing internal IP addresses.
      >
      > The idea is that the victim's routing table allows access to the VPN's server, in order to route your encrypted traffic there.
      >
      > The attacker sets up port forwarding on the VPN, and gets you to connect to that forwarded port somehow.
      >
      > Because your traffic to the VPN isn't tunneled through the VPN, your real IP address is used to connect to the VPN server on that port, which then gets forwarded to the attacker and then they can see your real IP address.

      Correct, there is always a host route to the VPN provider, which must bypass the tunnel. So the solution is to block all outgoing ports to the VPN server, except 1194 or whatever VPN port is used, and possibly DNS (however I'd rather use my own DNS server, which connects through a different VPN to 8.8.8.8).
      Also, by cascading two VPN tunnels this attack is easily foiled.

  13. How it actually works by itsme1234 · · Score: 1

    First of all this assumes the VPN incoming and outgoing IP is the same. This would be expected if you're using your home router as your VPN as you have only one IP but I don't think it should be for larger commercial providers, especially if you're using them to "hide you".

    Then it assumes the attacker can open ports on that IP (as a feature offered by the provider). If you connect to that IP:port you'll be doing it over your normal non-encrypted interface because of the way the routing table is configured on your machine.

    This is easy to prevent and if you are using the VPN to "hide" you should already have such mechanisms in place (mostly to make sure you aren't leaking packets over your normal interface once your VPN and the network interface/route associated with it is down). One way is to personal-firewall-limit your "problem" apps (like browser or torrent client) to the VPN interface so they can never talk over your normal network. This can still leak via more advanced attacks (is flash spawned as separated process?) so probably the only safe way would be to block in your (external to VPN machine) firewall EVERYTHING except vpn_ip:port.
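    The "block everything on the physical interface except vpn_ip:port" mitigation from this comment (and the "block all outgoing ports to the VPN server except the VPN port" suggestion in the reply to "This is absolutely nothing" above), written out as an added example; this is not code from the thread or from any VPN provider. The server address 203.0.113.10, the interface names, and the forwarded port 12345 used in the demo are constructed placeholders.

```shell
#!/bin/sh
# Added example, not from the thread: an iptables "kill switch" for the
# mitigation discussed above. On the physical interface only the VPN
# server's own VPN port may be reached; every other destination must use
# the tunnel interface, so an attacker's forwarded port on the VPN server
# (reached via the host route, i.e. outside the tunnel) is dropped and logged.
# All addresses, interfaces and ports are constructed placeholders.

VPN_SERVER="203.0.113.10"   # constructed (TEST-NET-3); stands in for the provider's IP
VPN_PORT="1194"             # OpenVPN's default, the port named in the thread
VPN_PROTO="udp"
PHYS_IF="eth0"              # the link that carries the encrypted tunnel
TUN_IF="tun0"               # the interface the VPN client creates

# Print the ruleset in iptables-restore format instead of applying it, so it
# can be reviewed (and tested) without root:  vpn_killswitch_rules | iptables-restore
vpn_killswitch_rules() {
    cat <<EOF
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT DROP [0:0]
-A INPUT -i lo -j ACCEPT
-A OUTPUT -o lo -j ACCEPT
# replies to our own flows; new inbound connections (also from other VPN users on ${TUN_IF}) stay dropped
-A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
-A OUTPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
# the only flow allowed to leave ${PHYS_IF}: the tunnel itself
-A OUTPUT -o ${PHYS_IF} -p ${VPN_PROTO} -d ${VPN_SERVER} --dport ${VPN_PORT} -j ACCEPT
# everything else (DNS included) has to travel inside the tunnel
-A OUTPUT -o ${TUN_IF} -j ACCEPT
# any other packet towards the VPN server outside the tunnel is a leak attempt worth logging
-A OUTPUT -o ${PHYS_IF} -d ${VPN_SERVER} -j LOG --log-prefix "vpn-leak-attempt: "
-A OUTPUT -o ${PHYS_IF} -j DROP
COMMIT
EOF
}

# vpn_killswitch_allows IFACE PROTO DST_IP DST_PORT
# Evaluates the same policy for one outgoing packet without a kernel:
# returns 0 if the packet would leave, 1 if it would be dropped.
vpn_killswitch_allows() {
    ks_if="$1"; ks_proto="$2"; ks_dst="$3"; ks_port="$4"
    case "$ks_if" in
        lo|"$TUN_IF")
            return 0 ;;                 # loopback and tunnel traffic pass
        "$PHYS_IF")
            if [ "$ks_proto" = "$VPN_PROTO" ] && [ "$ks_dst" = "$VPN_SERVER" ] \
                && [ "$ks_port" = "$VPN_PORT" ]; then
                return 0                # the tunnel's own packets
            fi
            return 1 ;;                 # includes the attacker's forwarded port
    esac
    return 1                            # unknown interface: policy DROP
}

# Demo: the forwarded port from the <img> example above (port 12345 on the
# VPN server) is refused on the physical link; the tunnel's own flow is not.
for pkt in "eth0 udp 203.0.113.10 1194" "eth0 tcp 203.0.113.10 12345" \
           "eth0 udp 8.8.8.8 53" "tun0 tcp 198.51.100.7 80"; do
    # shellcheck disable=SC2086   (word splitting of $pkt is intended)
    if vpn_killswitch_allows $pkt; then echo "ALLOW $pkt"; else echo "DROP  $pkt"; fi
done
```

    Note that the ruleset also forces DNS through the tunnel; a resolver reached over the physical interface would leak the same way.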

  14. Re: They embed Linux and you get that by Anonymous Coward · · Score: 1

    PPTP is from Microsoft, champ. -PCP

  15. that's what a proxy is for, not a VPN by raymorris · · Score: 1

    If that's your goal, you should be using a SOCKS proxy. VPNs are designed for an entirely different purpose.

    So while there is some truth to your statement, some people do that, their actions make about as much sense as:

    Inserting a screw is often the entire purpose of a hammer, at least from a clueless standpoint.

    You CAN hammer a screw in, and many people have done it. I have, once. Sometimes it works. But it would be stupid to say that a hammer is broken because it's not very good for inserting screws. It's the wrong tool for the job. If you want to install screws, use a screwdriver. If you want to have traffic for a particular application (such as browsing or BitTorrent) come through a different IP, use a proxy. If you want to securely access a LAN remotely, use a VPN.

    1. Re:that's what a proxy is for, not a VPN by sims+2 · · Score: 1

      As far as I can tell from the first page of google "incoming connections socks proxy" socks doesn't really allow for incoming connections. However I see many vpn providers support port forwarding.

      I've been wanting to set up an FTP server at home for a while but I don't want to pay the extra cash for a static IP.

      How would you go about it?

      Vpn?
      Web hosted ftp?
      Or something else?

      --
      Minimum threshold fixed. Thanks!
    2. Re:that's what a proxy is for, not a VPN by sims+2 · · Score: 1

      The reason I mention static IP is that's the only thing my ISP offers that will bypass their NAT. While a permanent static IPv4 address would be handy it would also cost about the same as 10 years of VPN service.

      I would hope that I will be able to get real broadband within 10 years. But AT&T has been saying they would for the last 15 years or so.

      --
      Minimum threshold fixed. Thanks!
  16. VPN Purpose And Function by Anonymous Coward · · Score: 0

    While I know that it has become popular to use VPN services as a method of trying to achieve anonymity, almost exclusively for circumvention and subversion, that was never a design goal of VPNs.

    The purpose of VPNs was to create a private network where machines could exchange data without interception. IP addresses are almost completely irrelevant in this use case. The intent was to secure the content of the data transmission, not to hide your identity as a software pirate or to conceal your location from Netflix.

    IPSec and OpenVPN remain perfectly fit for purpose. PPTP was always crap, but even it remains fit for purpose. That your desired purpose is more akin to the design goals of Tor is not the fault of VPNs.

  17. Not what VPNs are for by Tony+Isaac · · Score: 1

    The point of a VPN is not to keep your local IP address secret. The point is to establish a secure connection between your computer, and a remote private network. I would argue that if a VPN kept your local IP address a secret, this would itself be a security vulnerability, from the perspective of the owner of the private network!

  18. SpearPhishing only? by Fencepost · · Score: 1

    Reading through this, it seems like it's much more likely to be useful for targeted attacks against people who are known to be actively moving all their traffic over VPNs.

    Basically if the attacker is able to host a service (via port forwarding) on the IP of the same VPN endpoint that the target is going out through, then when the target visits that service (via phishing email, malicious website linked images, etc.) the VPN service will allow the attacker to see the origin of the request.

    --
    fencepost
    just a little off
  19. what's this goal? vps or dyndns and sftp/scp by raymorris · · Score: 1

    > How would you go about it?
    > Vpn?
    > Web hosted ftp?
    > Or something else?

    What's the purpose, the goal? A $5 VPS might be a solution, Google Drive might be. For being just like running an FTP server at home, dyndns solves the dynamic IP problem, sftp simplifies port forwarding and makes it more secure, but doesn't 100% solve the NAT issue. Some sort of VPN, possibly via an ssh port forward, to an external service may be needed if you must accept remote connections conveniently. I suppose the actual purpose determines the best solution.

    1. Re:what's this goal? vps or dyndns and sftp/scp by sims+2 · · Score: 1

      The root of the problem is I have one of those iPads with only 16GB of memory, so I can only fit a small amount of my library (after apps and whatever else, only about 2GB left for media). If I had gotten one of those 128GB iPads or an expandable Android tablet I wouldn't have had much of an issue.

      So my goal is to be able, in the fewest steps possible, to transfer files to the oplayer app on the iPad as needed. The app only supports HTTP, Samba, FTP, Dropbox and WD wifi storage.

      The HTTP support is flaky and AFAIK Samba is considered to be unsafe to use as an online server (not that I haven't seen it done anyway). I've never used Dropbox but I looked at the prices today; it seems rather high even compared to a VPS. WD wifi storage sounds like some proprietary mess I'm not going to bother looking up.

      If I get a VPN with port forwarding I think I will be able to locally host FTP as well as other services in the future if needed. Same as with a static IP.

      A VPS running an FTP server and btsync would also do fine.

      AFAIK Google Drive has no FTP access and I'd rather not invite G+ to any other part of my life, as Google is clingy enough as it is, gah.

      I've run services before on my home connection using afraid.org dyndns with a dynamic IP back before my ISP switched to NAT'ed addresses.

      SSH port forward through an external service? What type of external service are you talking about? A VPS? Sounds slightly more difficult to set up. But last year I was tunneling my DNS traffic through the connection at work as my ISP intercepts DNS traffic. The line at work has an uplink speed of 1mbps so it's pretty useless for forwarding anything high bandwidth.

      Reasonable speed is a requirement. I have roughly 7mbps upload at home; a US based VPS should be faster, as my downlink speed varies depending on where I am from 12 to 40mbps. Most of my stuff is in the 100 to 300MB range, so even with 7mbps the transfer times are reasonable, but 1mbps is friggin ridiculous.

      Also I have used a wifi drive in the past but now that I have 10mbps+ pretty much everywhere I just don't see the need for it, as it's one more thing to keep up with and charge.

      Gah, how do these always end up so long.
      Thank you for your advice anyway.

      --
      Minimum threshold fixed. Thanks!
  20. That's interesting by raymorris · · Score: 1

    That's an interesting situation. I can certainly see a VPN with a port forward as being a reasonable solution, especially if you need a lot of storage. I'm assuming your ISP doesn't -also- offer IPv6 as well as the NAT IPv4.

    SSH port forwarding is a fast, easy way to set up a VPN with port forwarding in one command. Even if you don't use it for this purpose, it's a good tool to have in your toolbox. It requires that you have a shell account on an internet-facing box, which might be a $5/month web hosting account. On Linux, Mac, Unix, BSD etc. the command is:
    ssh -R 2121:localhost:21 ShellAccountHost.com

    That means connecting to port 2121 on ShellAccountHost.com actually connects to port 21 on your local machine. On Windows, you can use PuTTY to SSH, including port forwards:
    http://howto.ccs.neu.edu/howto...
    SSH port forwarding is very flexible and you can set up new ports with one quick command. That flexibility does mean the syntax takes some getting used to. For a long time I used a script like this on my Mac to make it accessible from an internet-facing IP:

    while ssh -R 2222:localhost:22 ShellAccountHost.com
    do
          sleep 30
    done

    If you have a recent iPad, there are Lightning flash drives that clip over the iPad.

    A 50 GB "web hosting" account from Amerinoc.com provides FTP and http for $5-$10/month.