WintermuteNet 1 Posted ... Hi! I would like to start a discussion on the following paper on IPv6 and DNS security issues, in particular because it explicitly mentions AirVPN as vulnerable: (STAFF EDIT: by a gross mistake) "A Glance through the VPN Looking Glass: IPv6 Leakage and DNS Hijacking in Commercial VPN clients" http://www.degruyter.com/view/j/popets.2015.1.issue-1/popets-2015-0006/popets-2015-0006.xml (click on "Full Text PDF") The paper discusses two separate attacks: 1. IPv6 Man-in-the-Middle through Router Advertisement This has been discussed for years and there are several exploitation tools available to mount an attack yet awareness of the problem seems to be very very low. Essentially the problem is that most OSes have IPv6 enabled and prefer it over IPv4, yet almost all local networks are IPv4 only. An attacker can advertise himself as an IPv6 router, and your OS will start sending all your traffic to him because IPv6 is preferred. He only needs to be on the same local network as you are, which is the case for public WiFi etc. There are several news items giving an easy explanation of the attack, e.g. https://www.virusbtn.com/blog/2013/08_12.xml The attack is also known as "SLAAC Attack" as dicussed already in 2011 here: http://resources.infosecinstitute.com/slaac-attack/ Tools to try it out: - SuddenSix (Linux bash script) https://github.com/Neohapsis/suddensix Presented at DEFCON 21 (2013): https://www.defcon.org/images/defcon-21/dc-21-presentations/Behrens-Bandelgar/DEFCON-21-Behrens-Bandelgar-MITM-All-The-IPv6-Things.pdf - Evil FOCA (Windows, also does DNS Hijacking) https://www.elevenpaths.com/labstools/evil-foca/index.html Also Presented at DEFCON 21: http://www.slideshare.net/chemai64/defcon-21-fear-the-evil-foca-mitm-attacks-using-ipv6 - THC-IPV6 with fake_router6 (Linux) https://www.thc.org/thc-ipv6/ Defense against the attack is very simple: Turn off IPv6 on your machines! Windows: https://support.microsoft.com/en-us/kb/929852 Linux: http://www.binarytides.com/disable-ipv6-ubuntu/ Mac: http://osxdaily.com/2014/04/18/disable-ipv6-mac-os-x/ Android: https://play.google.com/store/apps/details?id=de.lennartschoch.disableipv6&hl=en AirVPN can help by adding functionality to the AirVPN client to set IPv6 routing tables as well and make sure IPv6 traffic goes to the VPN interface. 2. DNS Hijacking through route injection This more advanced attack also comes with more prerequisites, the attacker needs to control the WiFi router. Given generally poor router security this is not too much to ask though. When the attacker sees you are connecting to a VPN, he notes the VPN provider you are connecting to and creates a virtual interface on the router with the IP address of the DNS server used for the VPN. With a low DHCP lease period he forces you to renew your DHCP lease and now gives you the virtual interface as default gateway. This messes up your routing tables enough so that all your DNS requests will now go to the attacker-controlled router and not go through your VPN tunnel. A proposed way to detect the attack would be for the AirVPN client to do repeated DNS checks for specific domains that only the AirVPN DNS servers can resolve. A way to fully mitigate the attack seems to be to have the default gateway for the VPN also be the DNS server. If it's any consolation, of the 14 VPN providers tested, only four had clients that protected against IPv6 leaks and only one was not vulnerable to DNS hijacking. Share this post Link to post
Staff 10014 Posted ... Hello! AirVPN is not vulnerable to DNS hi-jacking because VPN DNS server and gateway IP addresses match. The paper is outdated because their tests were performed on VPN servers with a /30 topology that we kept to maintain compatibility with Windows OpenVPN 2.0.9 and some older versions. After the draft paper preview they kindly provided us with months ago, we decided to speed up Windows OpenVPN 2.0.9 support drop, which made sense in 2010 but not now. Current topology allows to have the same IP address for VPN DNS server and VPN gateway, solving the vulnerability at its roots, months before the publication of the paper. Unfortunately they could not manage to fix the paper, purely for problems of time we suppose, which remained outdated. The quickest way to prevent IPv6 leaks with our service is just enabling Network Lock with a click, for those who don't want to disable IPv6. You can also disable IPv6 with a click, provided that you run our client Eddie for Windows or OS X (version 2.9 or higher is required; feature not available in Eddie for Linux).EDIT: we wish now to underline that since 2018 we also support IPv6 and IPv6 over IPv4. Kind regards 3 rickjames, Artful Dodger and Jefkim666 reacted to this Share this post Link to post
WintermuteNet 1 Posted ... Wow, you guys really are on top of things! Thank you for addressing everything and I hope the authors of the paper manage to update it. 1 Oldkrow reacted to this Share this post Link to post