
Hi!

I would like to start a discussion on the following paper on IPv6 and DNS security issues, in particular because it explicitly mentions AirVPN as vulnerable:

 

"A Glance through the VPN Looking Glass: IPv6 Leakage and DNS Hijacking in Commercial VPN clients"

http://www.degruyter.com/view/j/popets.2015.1.issue-1/popets-2015-0006/popets-2015-0006.xml

(click on "Full Text PDF")

 

The paper discusses two separate attacks:

 

1. IPv6 Man-in-the-Middle through Router Advertisement

This has been discussed for years and there are several exploitation tools available to mount an attack yet awareness of the problem seems to be very very low. Essentially the problem is that most OSes have IPv6 enabled and prefer it over IPv4, yet almost all local networks are IPv4 only. An attacker can advertise himself as an IPv6 router, and your OS will start sending all your traffic to him because IPv6 is preferred. He only needs to be on the same local network as you are, which is the case for public WiFi etc.

There are several news items giving an easy explanation of the attack, e.g. https://www.virusbtn.com/blog/2013/08_12.xml

 

The attack is also known as "SLAAC Attack" as discussed already in 2011 here:

http://resources.infosecinstitute.com/slaac-attack/

 

Tools to try it out:

- SuddenSix (Linux bash script) https://github.com/Neohapsis/suddensix

Presented at DEFCON 21 (2013):  https://www.defcon.org/images/defcon-21/dc-21-presentations/Behrens-Bandelgar/DEFCON-21-Behrens-Bandelgar-MITM-All-The-IPv6-Things.pdf

- Evil FOCA (Windows, also does DNS Hijacking)  https://www.elevenpaths.com/labstools/evil-foca/index.html

Also Presented at DEFCON 21: http://www.slideshare.net/chemai64/defcon-21-fear-the-evil-foca-mitm-attacks-using-ipv6

- THC-IPV6 with fake_router6 (Linux) https://www.thc.org/thc-ipv6/

 

Defense against the attack is very simple: Turn off IPv6 on your machines!

Windows: https://support.microsoft.com/en-us/kb/929852

Linux: http://www.binarytides.com/disable-ipv6-ubuntu/

Mac: http://osxdaily.com/2014/04/18/disable-ipv6-mac-os-x/

Android: https://play.google.com/store/apps/details?id=de.lennartschoch.disableipv6&hl=en

 

AirVPN can help by adding functionality to the AirVPN client to set IPv6 routing tables as well and make sure IPv6 traffic goes to the VPN interface.

 

2. DNS Hijacking through route injection

This more advanced attack also comes with more prerequisites, the attacker needs to control the WiFi router. Given generally poor router security this is not too much to ask though. When the attacker sees you are connecting to a VPN, he notes the VPN provider you are connecting to and creates a virtual interface on the router with the IP address of the DNS server used for the VPN. With a low DHCP lease period he forces you to renew your DHCP lease and now gives you  the virtual interface as default gateway. This messes up your routing tables enough so that all your DNS requests will now go to the attacker-controlled router and not go through your VPN tunnel.

 

A proposed way to detect the attack would be for the AirVPN client to do repeated DNS checks for specific domains that only the AirVPN DNS servers can resolve. A way to fully mitigate the attack seems to be to have the default gateway for the VPN also be the DNS server.

 

If it's any consolation, of the 14 VPN providers tested, only four had clients that protected against IPv6 leaks and only one was not vulnerable to DNS hijacking.

Share this post


Link to post
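A defender-side check for the two leaks described in the post above, as an added example that is not part of the original post: it parses Linux `ip route show` / `ip -6 route show` output, finds which interface the resolver's address would actually leave through (longest-prefix match), and flags any IPv6 default route outside the tunnel. The interface names (`tun0`, `wlan0`), the addresses and the sample tables are constructed assumptions.

```python
import ipaddress

def parse_routes(text, family):
    """Parse `ip route show` (family=4) or `ip -6 route show` (family=6) output."""
    default = "0.0.0.0/0" if family == 4 else "::/0"
    routes = []
    for line in text.strip().splitlines():
        tok = line.split()
        if "dev" not in tok:
            continue  # e.g. unreachable/blackhole entries carry no device
        dest = default if tok[0] == "default" else tok[0]
        net = ipaddress.ip_network(dest, strict=False)
        metric = int(tok[tok.index("metric") + 1]) if "metric" in tok else 0
        routes.append((net, tok[tok.index("dev") + 1], metric))
    return routes

def egress_dev(routes, addr):
    """Interface chosen for addr: longest prefix wins, then lowest metric."""
    ip = ipaddress.ip_address(addr)
    hits = [r for r in routes if r[0].version == ip.version and ip in r[0]]
    return min(hits, key=lambda r: (-r[0].prefixlen, r[2]))[1] if hits else None

def audit(v4_text, v6_text, dns_server, vpn_dev="tun0"):
    """Return findings for the DNS-route and IPv6-default-route leaks."""
    findings = []
    dev = egress_dev(parse_routes(v4_text, 4), dns_server)
    if dev != vpn_dev:
        findings.append(f"DNS {dns_server} routes via {dev}, not {vpn_dev}")
    for net, dev, _ in parse_routes(v6_text, 6):
        if net.prefixlen == 0 and dev != vpn_dev:
            findings.append(f"IPv6 default route on {dev} bypasses {vpn_dev}")
    return findings

# Constructed sample tables; 10.5.0.1 stands in for the VPN's DNS server.
V4_OK = """
0.0.0.0/1 via 10.4.0.1 dev tun0
128.0.0.0/1 via 10.4.0.1 dev tun0
default via 192.168.1.1 dev wlan0 metric 600
10.4.0.0/16 dev tun0 proto kernel scope link src 10.4.7.9
192.168.1.0/24 dev wlan0 proto kernel scope link src 192.168.1.50 metric 600
"""
# Constructed: after a DHCP renewal that puts the resolver's address on-link.
V4_HIJACKED = """
0.0.0.0/1 via 10.4.0.1 dev tun0
128.0.0.0/1 via 10.4.0.1 dev tun0
default via 10.5.0.1 dev wlan0 metric 600
10.4.0.0/16 dev tun0 proto kernel scope link src 10.4.7.9
10.5.0.0/24 dev wlan0 proto kernel scope link src 10.5.0.23 metric 600
"""
V6_OK = "fe80::/64 dev wlan0 proto kernel metric 256"
V6_RA = V6_OK + "\ndefault via fe80::1 dev wlan0 proto ra metric 600"

if __name__ == "__main__":
    print(audit(V4_OK, V6_OK, "10.5.0.1"))
    print(audit(V4_HIJACKED, V6_RA, "10.5.0.1"))
```

On a live Linux host the two text arguments would come from `ip route show` and `ip -6 route show`, and `dns_server` from the resolver the VPN pushed.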

Hello!

 

AirVPN is not vulnerable to DNS hi-jacking because VPN DNS server and gateway IP addresses match.

 

The paper is outdated because their tests were performed on VPN servers with a /30 topology that we kept to maintain compatibility with Windows OpenVPN 2.0.9 and some older versions. After the draft paper preview they kindly provided us with months ago, we decided to speed up Windows OpenVPN 2.0.9 support drop, which made sense in 2010 but not now.

 

Current topology allows to have the same IP address for VPN DNS server and VPN gateway, solving the vulnerability at its roots, months before the publication of the paper.

 

Unfortunately they could not manage to fix the paper, purely for problems of time we suppose, which remained outdated.

 

The quickest way to prevent IPv6 leaks with our service is just enabling Network Lock with a click, for those who don't want to disable IPv6. You can also disable IPv6 with a click, provided that you run our client Eddie for Windows or OS X (version 2.9 or higher is required; feature not available in Eddie for Linux).

 

Kind regards

Share this post


Link to post

 

AirVPN is not vulnerable to DNS hi-jacking because VPN DNS server and gateway IP addresses match.

 

Current topology allows to have the same IP address for VPN DNS server and VPN gateway, solving the vulnerability at its roots, months before the publication of the paper.

 

If you look @ this

 

tYreakf.jpg

 

you can see, that this is not every time true


What in lowly men we praise as patience is pale cowardice in the breast - William Shakespeare

Share this post


Link to post

Article:

http://www.eecs.qmul.ac.uk/~hamed/papers/PETS2015VPN.pdf

 

If you could please make the necessary changes to prevent this from happening, or write a guide (if not already written, I personally disable IPv6) and fixing the DNS Hijacking.

 

There are several ways to do this listed in the article.

 

More or less, I just want to leave this here for reference and for the staff's awareness.

Share this post


Link to post

you can see, that this is not every time true

 

Hello!

 

You're wrong. You're confusing the DNS server queried by the VPN server (which can be anything you like - in this case one of our failover DNS servers) with the DNS server in the VPN. If you inquire your system (with ifconfig, ipconfig etc.) you see that VPN DNS and gateway IP addresses match, and this fact alone makes the attack (obviously) fail.

 

Kind regards

Share this post


Link to post

Article:

http://www.eecs.qmul.ac.uk/~hamed/papers/PETS2015VPN.pdf

 

If you could please make the necessary changes to prevent this from happening, or write a guide (if not already written, I personally disable IPv6) and fixing the DNS Hijacking.

 

Hello,

 

please don't believe blindly what the paper says and test yourself, the problems in the /30 topology servers had been already addressed last winter and block of IPv6 through Network Lock has already been featured like a year ago or so (for those who did not want to disable IPv6: of course if you already disable IPv6 that was redundant).

 

Please see also some clarifications we provided in May: https://airvpn.org/topic/14231-ipv6-leakage-and-dns-hijacking/?do=findComment&comment=27633

 

Please note that the researchers were perfectly aware of that, months before the above article and when the paper was still in draft, but they did not fix the paper.

 

Kind regards

Share this post


Link to post

Study finds significant security flaws in popular VPN services

 

A group of researchers from Sapienza University of Rome and Queen Mary University of London have published a study detailing significant security flaws in 16 commercial VPN services.

 

Whole article here

 

 

Share this post


Link to post

the problems in the /30 topology servers had been already addressed last winter and block of IPv6 through Network Lock has already been featured like a year ago or so

asdas

Share this post


Link to post

Study finds significant security flaws in popular VPN services

 

A group of researchers from Sapienza University of Rome and Queen Mary University of London have published a study detailing significant security flaws in 16 commercial VPN services.

 

Whole article here

 

Sometimes I really worry about the human race.

Share this post


Link to post

I recently came across this article in Techspot and I am providing the link for the same. Airvpn how do you respond to this study's findings?

 

http://www.techspot.com/news/61224-study-discovers-security-vulnerabilities-14-popular-vpn-services.html

 

The answer was provided months ago on this very same thread. https://airvpn.org/topic/14231-ipv6-leakage-and-dns-hijacking/?do=findComment&comment=27633

 

Kind regards

Share this post


Link to post

A group of retards from Sapienza University of Rome and Queen Mary University of London have published a study detailing significant security flaws in 16 commercial VPN services.

 

Whole article moot

 

Fixed that for you.

Share this post


Link to post

The quickest way to prevent IPv6 leaks with our service is just enabling Network Lock with a click, for those who don't want to disable IPv6. You can also disable IPv6 with a click, provided that you run our client Eddie for Windows or OS X (version 2.9 or higher is required; feature not available in Eddie for Linux).

 

Kind regards

 

This is good, but I've always been a bit confused by the IPv6 options. It can be either "none" or "disable", right? Disable seems obvious, but what does none do? Just do nothing/ignore IPv6 traffic? I feel like the wording could be a bit clearer because "none" could also be taken to mean that it allows no IPv6. Or "disable" could mean that you're disabling the option to control IPv6.

 

Also, is that feature going to come to Linux in the future?

Share this post


Link to post

AirVPN "solution" to IPv6 leakage is to offer a "network lock" which disables IPv6 traffic on the host.

I would rather call that a workaround.

A true solution would redirect IPv6 through the VPN tunnel as well, which of course implies that IPv6 is implemented and supported on AirVPN servers. As a side note, OpenVPN supports IPv6 as of 2.3.0.

That will soon be inescapable: IPv4 addresses allocations waiting lists are starting to show up on ARIN's website until they run out of IPv4 addresses entirely... "we will continue working in Phase 4 as we move toward full depletion of ARIN's available IPv4 inventory."

Share this post


Link to post

Popular VPNs leak data, don't offer promised privacy and anonymity

http://www.net-security.org/secworld.php?id=18571

 

The article states that AirVPN is vulnerable to IPv6 leak and DNS hijacking. Would AirVPN mind to comment?

 

Basically the article tries to convey:

"The researchers have also offered possible countermeasures to prevent IPv6 leakage and DNS hijacking, but noted that for anonymity and privacy, users should turn to Tor, not VPNs."

 

As I personally do use VPN for privacy, I am very concerned. Especially as I recently learned how easily my IP can be uncloaked via webRTC which is usually enabled in every browser and in some browsers can't be disabled easily.

 

vpn-30062015-small.jpg

 

Thanks for your comment!

 

Cheers

Share this post


Link to post

Popular VPNs leak data, don't offer promised privacy and anonymity

http://www.net-security.org/secworld.php?id=18571

 

The article states that AirVPN is vulnerable to IPv6 leak and DNS hijacking. Would AirVPN mind to comment?

 

Basically the article tries to convey:

"The researchers have also offered possible countermeasures to prevent IPv6 leakage and DNS hijacking, but noted that for anonymity and privacy, users should turn to Tor, not VPNs."

 

As I personally do use VPN for privacy, I am very concerned. Especially as I recently learned how easily my IP can be uncloaked via webRTC which is usually enabled in every browser and in some browsers can't be disabled easily.

 

vpn-30062015-small.jpg

 

Thanks for your comment!

 

Cheers

Try searching or even reading some of the forum content before posting something that many already have. Begin here or here or here

Share this post


Link to post

AirVPN "solution" to IPv6 leakage is to offer a "network lock" which disables IPv6 traffic on the host.

I would rather call that a workaround.

A true solution would redirect IPv6 through the VPN tunnel as well, which of course implies that IPv6 is implemented and supported on AirVPN servers. As a side note, OpenVPN supports IPv6 as of 2.3.0.

That will soon be inescapable: IPv4 addresses allocations waiting lists are starting to show up on ARIN's website until they run out of IPv4 addresses entirely... "we will continue working in Phase 4 as we move toward full depletion of ARIN's available IPv4 inventory."

 

Hello!

 

Of course, but there are critical problems with IPv6 which must be carefully addressed. IPv6 must give us the same (or higher) security we have with IPv4 and the same anonymity layer strength. This is currently not the case, unfortunately. Until then, IPv6 is not an option.

 

Kind regards

Share this post


Link to post

IPv6 is bad for anonymity. The whole point is to stick 100 users behind a NAT with the same IPv4 address.

Then your traffic is mixed with others, and it makes harder "for the internet" to tell who is who.

 

With IPv6 providers will just allocate a routable /64 to each user, killing anonymity.

The only line of defence for you in this case will be the hope that they didn't configure their logging properly to handle IPv6


Occasional moderator, sometimes BOFH. Opinions are my own, except when my wife disagrees.

Share this post


Link to post

This is good, but I've always been a bit confused by the IPv6 options. It can be either "none" or "disable", right? Disable seems obvious, but what does none do? Just do nothing/ignore IPv6 traffic? I feel like the wording could be a bit clearer because "none" could also be taken to mean that it allows no IPv6. Or "disable" could mean that you're disabling the option to control IPv6.

 

Also, is that feature going to come to Linux in the future?

Good question. Still not answered after 3 days. Win client help does not "know" the feature. Anybody of AIRVPN staff willing to answer? Or am I missing some doc?

Share this post


Link to post

I saw this study today and came to ask about it, I'm glad the airvpn staff were notified and able to fix it before publication. They also, and it's good advice, recommend to check out http://www.ipleak.net - if you're using Firefox it shows how to disable WebRTC near the bottom which is essential.

 

I agree with the comments about IPV6 and anonymity. If you're connected to an ISP or organization using Stateless DHCP (SLAAC), the MAC address (which is burned in to your network card/wireless interface; assuming you haven't spoofed it or are using something disposable) is used in the creation of the interface id portion of the address (EUI-64) and is trackable directly to your equipment.

 

Since the whole point is to have a unique address you can't use the IPV4 defense of "someone else had the IP when XYZ happened". Even if you're assigned one that doesn't use this process, the address space is so huge as to make re-using the addresses unnecessary which means you can be tracked with far greater accuracy.

Share this post


Link to post

I think IPV 6 leakage is a huge topic and a hole in most VPN coverage including Airvpn. But I have not found a vpn service that works on IPV 6. For months I used Airvpn as well as other vpns on my android tablet thinking my IP address was hidden, because they all will connect with it and screen some traffic, but my IP, like many these days, aggressively pushes IPV 6 addresses and my tablet will leak whatever address that is, because one cannot disable IPV 6 in the android OS without rooting it. My research says that rooting is iffy and negates any resell value; plus the apps that claim to turn off IPV6 on a rooted device are iffy and frequently "forget"

 

As android has the largest market share of mobile devices (phones and tablets) and more and more IPs are pushing IPV 6, there is a huge security gap particularly for those who travel a lot and are dependent on public wireless internet; even secured home devices are vulnerable to friendly neighborhood hacking hobbyists. Most routers do not allow disabling IPV 6.

 

Airvpn is the best vpn service I have ever used and no problem on my Windows machine where IPV 6 can be disabled, coupled with a network lock, but not so good on my mobile devices.

 

Anyone know of any work arounds I have not discovered?

Share this post


Link to post

I saw this study today and came to ask about it, I'm glad the airvpn staff were notified and able to fix it before publication. They also, and it's good advice, recommend to check out http://www.ipleak.net - if you're using Firefox it shows how to disable WebRTC near the bottom which is essential.

 

I agree with the comments about IPV6 and anonymity. If you're connected to an ISP or organization using Stateless DHCP (SLAAC), the MAC address (which is burned in to your network card/wireless interface; assuming you haven't spoofed it or are using something disposable) is used in the creation of the interface id portion of the address (EUI-64) and is trackable directly to your equipment.

 

Since the whole point is to have a unique address you can't use the IPV4 defense of "someone else had the IP when XYZ happened". Even if you're assigned one that doesn't use this process, the address space is so huge as to make re-using the addresses unnecessary which means you can be tracked with far greater accuracy.

 

isn't that the whole point of using a vpn service with ipv6 support ? so the traffic originates from the vpn ipv6 address which hopefully provides for several users.

Share this post


Link to post
This topic is now closed to further replies.