hugomueller

IP leak affecting VPN providers with port forwarding


https://www.perfect-privacy.com/blog/2015/11/26/ip-leak-vulnerability-affecting-vpn-providers-with-port-forwarding/

 

 

We have tested this with nine prominent VPN providers that offer port forwarding.

 

 

Was AirVPN one of the tested services? Is AirVPN affected by this issue?

 

Hello!

 

It's a correlation attack through some social engineering support. A solution is having separate entry and exit-IP addresses on each VPN server, just like in AirVPN.

 

The astounding information in the article, if true, is that nine [five, fixed by pj] providers have not taken care of that. The attack in itself is very trivial and is quite common knowledge in consumers' VPN industry. Perhaps the five providers cited in the article are not "VPN industry", but amateurish services?

 

Kind regards

Link to post

Where did you get the idea of "nine providers have not taken care of that" when the article says that "We have tested this with nine prominent VPN providers"..." Five of those were vulnerable to the attack and have been notified".

 

PIA, as mentioned in the TorrentFreak article (and would be your biggest competitor) took care of it and offered a $5000 bounty, would you guys also do the same?

Link to post

Hi,

 

I am an original founder of AirVPN and I have been aware of this "problem" since about 2002, when I started using OpenVPN. I don't understand "so much ado about nothing". It's not even a vulnerability, it's simply how the Internet works.

 

Articles like this one http://0x27.me/2015/11/26/Practical-Exploitation-of-Portfail.html could have been nice like thirteen or fourteen years ago, but now...?

 

Maybe it's just a sad picture of how unprofessional VPN services have become nowadays, or maybe it's only that IT culture and knowledge still have a long way to go. To a techie eye, these articles are very detrimental for consumers' VPN services. They could cast a shadow of lack of professionalism on the whole industry. AirVPN personnel competence standards have always been and will always be at a (much) higher level than these articles might make you think.

 

Ciao!

Link to post

Where did you get the idea of "nine providers have not taken care of that" when the article says that "We have tested this with nine prominent VPN providers"..." Five of those were vulnerable to the attack and have been notified".

 

PIA, as mentioned in the TorrentFreak article (and would be your biggest competitor) took care of it and offered a $5000 bounty, would you guys also do the same?

 

 

A 5000 USD reward to be notified how the Internet works? Don't be joking. :)

 

For serious vulnerabilities unknown to us then yes, we could invest that amount of money. The "perfect, invulnerable system" does not exist, that's it. About PIA... well it's a giant in size if compared to AirVPN, and this makes this whole affair very odd, to say the least.

Link to post

and this makes this whole affair very odd, to say the least.

 

That is something I can agree with. It was well published at the time of the Snowden leaks that the NSA would take advantage of exploits and use them to their advantage. This attack however seems too specific to really be done on a "mass scale" of sorts but could be used to target an individual if there was a need.

 

I still say people should be more concerned at the WebRTC leaks and other such technology which is always wanting to bypass any security you have in place. It's a dangerous game of cat and mouse and only your own knowledge and expertise can save you from any such attack. 

Link to post

Kudos to PerfectP, they said the Emperor is nude. PIA seems more and more a bells-and-whistles service for gullible ppl. Remember HMA too! If this incident does not open your eyes then nothing can. Air is spartan and Spartans are tough and know what they do.

Link to post

The crucial part here is knowing which VPN server your victim is connected to, and the page which the victim has to visit in order to "leak" his IP.

So in case of AirVPN, which is a mid-small sized provider, the attacker will have to buy 40 accounts. 40x3 connections to be able to "cover" all AirVPN's ~100 exit servers.

PIA boasts to have 3k servers so in that case making the attack feasible will require even more effort.

There are much simpler attack vectors to unmask VPN users with fail-open OpenVPN connections.

An old classic one is to initiate a DDoS attack on your victim's VPN address, let's say even when you are on IRC, where poorly configured VPN users will time out their VPN connection and will re-connect to the IRC server with their own address. pj said something about 2002; this is exactly the kind of thing I remember from that era.

 

Stay safe and configure your browsers to NOT connect to any port higher than 1024. For many reasons.


Occasional moderator, sometimes BOFH. Opinions are my own, except when my wife disagrees.

Link to post

Seems like there was a post on Reddit about PIA's patch not working which also mentioned AirVPN having failed in the test for this vulnerability. Reddit post has been removed but poster has re-posted the claim in PIA's forums. Link below:

 

 

https://www.privateinternetaccess.com/forum/discussion/19289/pia-still-vulnerable-to-port-fail-leak#latest

 

Tested about 80 servers and they are all still leaking!

Sounds like PIA didn’t actually test their patch!

IPVANISH failed too.

AirVPN Failed

TorGuard passed.. 

Link to post

 

Seems like there was a post on Reddit about PIA's patch not working which also mentioned AirVPN having failed in the test for this vulnerability. Reddit post has been removed but poster has re-posted the claim in PIA's forums. Link below:

 

 

https://www.privateinternetaccess.com/forum/discussion/19289/pia-still-vulnerable-to-port-fail-leak#latest

 

Tested about 80 servers and they are all still leaking!

Sounds like PIA didn’t actually test their patch!

IPVANISH failed too.

AirVPN Failed

TorGuard passed.. 

 

Now what doesn't add up for AirVPN to actually FAIL is this, on the https://www.perfect-privacy.com/blog/2015/11/26/ip-leak-vulnerability-affecting-vpn-providers-with-port-forwarding/ page there is this:

Mitigation

Affected VPN providers should implement one of the following:

  • Have multiple IP addresses, allow incoming connections to ip1, exit connections through ip2-ipx, have portforwardings on ip2-ipx
  • On Client connect set server side firewall rule to block access from Client real ip to portforwardings that are not his own.

and AirVPN has BOTH: the entry address used is different from the exit address. In any case, even if that method was to fail, the network lock blocks any sort of connection on every port to your real IP except those of AirVPN, which the hacker cannot get their hands on, which means their attempt would fail.

Link to post

So in case of AirVPN, which is a mid-small sized provider, the attacker will have to buy 40 accounts. 40x3 connections to be able to "cover" all AirVPN's ~100 exit servers.

Hello,

 

as you very well know, anyway the "attack" would fail on AirVPN, because clients connect to an IP address, and are reachable on a different IP address only.

 

Kind regards

Link to post

AirVPN is not vulnerable, because the VPN server you're connecting to (with your real ip, obviously) is for example 1.2.3.4. For this, route has been set, but the ip that can be used for incoming connections is never 1.2.3.4, but will be something like 1.2.3.5. And since connections to 1.2.3.5 will just be routed via your VPN tunnel (like any other public ip), you are not vulnerable to this attack vector.

Link to post
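
The routing behaviour described in the post above, together with the two mitigations quoted earlier from the Perfect Privacy article, as an added example that is not part of the original thread. It assumes a full-tunnel OpenVPN client using the `redirect-gateway def1` route layout; the interface names, the client address 203.0.113.77, the account names and the port numbers are constructed, while 1.2.3.4 and 1.2.3.5 are the addresses used in the post.

```python
import ipaddress

# Constructed client view: eth0 = physical link (real IP), tun0 = VPN tunnel.
def client_routes(entry_ip):
    """Routes of a full-tunnel OpenVPN client (redirect-gateway def1 layout)."""
    net = ipaddress.ip_network
    return [
        (net("0.0.0.0/0"), "eth0"),       # pre-VPN default route
        (net("0.0.0.0/1"), "tun0"),       # the two def1 halves override it
        (net("128.0.0.0/1"), "tun0"),
        (net(f"{entry_ip}/32"), "eth0"),  # host route carrying the tunnel itself
    ]

def egress_interface(entry_ip, dst_ip):
    """Longest-prefix match, as the client's kernel would do it."""
    dst = ipaddress.ip_address(dst_ip)
    hits = [(n, dev) for n, dev in client_routes(entry_ip) if dst in n]
    return max(hits, key=lambda h: h[0].prefixlen)[1]

def leaks_real_ip(entry_ip, forward_ip):
    """True if a connection to a port forward on forward_ip bypasses the tunnel."""
    return egress_interface(entry_ip, forward_ip) == "eth0"

def server_accepts(src_ip, dst_port, sessions, forwards):
    """Second mitigation: per-client rule installed on connect.
    sessions maps real client IP -> account, forwards maps port -> account."""
    owner = forwards.get(dst_port)
    if owner is None:
        return True                        # not a forwarded port, out of scope here
    client = sessions.get(src_ip)
    return client is None or client == owner

if __name__ == "__main__":
    # Addresses 1.2.3.4 / 1.2.3.5 are the ones used in the post above.
    print("shared entry/exit IP leaks:", leaks_real_ip("1.2.3.4", "1.2.3.4"))
    print("separate exit IP leaks:   ", leaks_real_ip("1.2.3.4", "1.2.3.5"))
    sessions = {"203.0.113.77": "alice"}   # constructed sample data
    forwards = {40001: "alice", 40002: "mallory"}
    print("own forward allowed:    ", server_accepts("203.0.113.77", 40001, sessions, forwards))
    print("foreign forward allowed:", server_accepts("203.0.113.77", 40002, sessions, forwards))
```

The /32 host route to the entry address is the only route more specific than the tunnel routes, so a port forward is reachable outside the tunnel only when it lives on that same address.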

Hi,

 

I am an original founder of AirVPN and I have been aware of this "problem" since about 2002, when I started using OpenVPN. I don't understand "so much ado about nothing". It's not even a vulnerability, it's simply how the Internet works.

 

Articles like this one http://0x27.me/2015/11/26/Practical-Exploitation-of-Portfail.html could have been nice like thirteen or fourteen years ago, but now...?

 

Maybe it's just a sad picture of how unprofessional VPN services have become nowadays, or maybe it's only that IT culture and knowledge still have a long way to go. To a techie eye, these articles are very detrimental for consumers' VPN services. They could cast a shadow of lack of professionalism on the whole industry. AirVPN personnel competence standards have always been and will always be at a (much) higher level than these articles might make you think.

 

Ciao!

 

With enough time old becomes new and new becomes old.

Link to post

It looks to me like simple marketing.  It basically is a "don't use any other VPN they are not secure, sign up with us" article.  Nothing to back it up, no place for comments.

 

Same with Torrentfreak, whilst it's a great site for info, they are bent towards all their sponsors like PIA and are simply reporting unverified info from another site.

Link to post

 

The crucial .....d of things I remember from that era.

 

Stay safe and configure your browsers to NOT connect to any port higher than 1024. For many reasons.

How can this be done?

 

 

http://www-archive.mozilla.org/projects/netlib/PortBanning.html


Occasional moderator, sometimes BOFH. Opinions are my own, except when my wife disagrees.

Link to post

 

 

The crucial .....d of things I remember from that era.

 

Stay safe and configure your browsers to NOT connect to any port higher than 1024. For many reasons.

How can this be done?

 

 

http://www-archive.mozilla.org/projects/netlib/PortBanning.html

 

 

Article shows how to ban specific ports by entering each port in .js files. Given what we want to ban is a whole range of ports, how would we do that?

Link to post

The article is for educational purposes. It shows you how Firefox treats high ports as a potential security issue since at least 2001.

To block ports, you just have to open about:config, type network.security.ports.banned and enter 1024-65535.

 

For 99% of users, the web experience will remain the same.


Occasional moderator, sometimes BOFH. Opinions are my own, except when my wife disagrees.

Link to post

The article is for educational purposes. It shows you how Firefox treats high ports as a potential security issue since at least 2001.

To block ports, you just have to open about:config, type network.security.ports.banned and enter 1024-65535.

 

For 99% of users, the web experience will remain the same.

 

network.security.ports.banned << does not exist in Firefox v42.0


You're not afraid of the dark web, are you ?

Link to post

 

The article is for educational purposes. It shows you how Firefox treats high ports as a potential security issue since at least 2001.

To block ports, you just have to open about:config, type network.security.ports.banned and enter 1024-65535.

 

For 99% of users, the web experience will remain the same.

 

network.security.ports.banned << does not exist in Firefox v42.0

I think it's a string.

-Right click and create a new string.

-Name it network.security.ports.banned

-Next step toss in 1024-65535.

 

If you need multiple ranges you can separate them with commas.

eg. 1-52, 54-79, 81-442, 444-65535

Link to post

The article is for educational purposes. It shows you how Firefox treats high ports as a potential security issue since at least 2001.

To block ports, you just have to open about:config, type network.security.ports.banned and enter 1024-65535.

 

For 99% of users, the web experience will remain the same.

Does it work w Chrome, Opera etc also?

Link to post
