Jump to content
Not connected, Your IP: 18.118.208.127
raoulduke

Do Forwarded Ports make it easier to do a correlation (or other) attack or tracking?

Recommended Posts

Hello guys,

 

I just read in PIA faq that , and I quote them:

"Port Forwarding reduces privacy. For maximum privacy, please keep port forwarding disabled."

 

Does I need to worry about this when using AirVPN port fw?

 

Thank you

Share this post


Link to post

​I don't know if PIA provide anything like Air do as far as the port forwarding facilities go, I think they may be referring to the fact that you should not configure it using your router settings, at least not the same ports you forward withing the VPN itself else you can open up the possibiity of correlation attacks. Leave the forwarding withing the VPN tunnel only.

Share this post


Link to post

Separately from what has already been mentioned: in theory you could use port numbers to profile users. I think this is what they mean by "reduces privacy".

 

Let's say you use a forwarded port with something that anyone can see, like for example Bittorrent, and you don't change the port you have forwarded regularly. In that case, if someone monitors the IPs and port numbers of Bittorrent users, they could build a profile with a list of things you have downloaded or seeded. Knowing the port number and that someone is behind an Air server, in that case, is more or less equivalent to knowing the IP - it's a unique(-ish) numeric identifier.

 

The difference is that Air (unlike ISPs) is unlikely to respond to requests to reveal what port number belongs to what user, so you'll still be reasonably anonymous. You probably don't have to worry about it.

 

But if you really care about anonymity (if you are the next Edward Snowden and you have to worry about the NSA) don't make anything persistent. Set it up, do whatever you need, and tear it down.

 

 

An API call that regular users could use to modify port forwarding would be great, but I'm guessing it's not that easy to do.

Share this post


Link to post

In that case, if someone monitors the IPs and port numbers of Bittorrent users, they could build a profile with a list of things you have downloaded or seeded.

 

A list of things you have downloaded? You can't look up the user who forwarded a port on AirVPN, therefore, monitoring a certain port on all AirVPN IPs makes no real sense. The thing is, additionally you need to know where to look for the swarm; you'd need the right torrent file or the right magnet link to join it. So you are not quite right when you say with something that anyone can see, because it's restricted to the members of the swarm, and again, to join it you need the file/link.

 

Knowing the port number and that someone is behind an Air server, in that case, is more or less equivalent to knowing the IP - it's a unique(-ish) numeric identifier.

 

Unique, but not very meaningful. And it's not like knowing the IP, because when I'm a law enforcement officer and I know an ISP IP is seeding movies illegally, I can go there and find out who the customer is. You can't do that here.


NOT AN AIRVPN TEAM MEMBER. USE TICKETS FOR PROFESSIONAL SUPPORT.

LZ1's New User Guide to AirVPN « Plenty of stuff for advanced users, too!

Want to contact me directly? All relevant methods are on my About me page.

Share this post


Link to post

 

In that case, if someone monitors the IPs and port numbers of Bittorrent users, they could build a profile with a list of things you have downloaded or seeded.

A list of things you have downloaded? You can't look up the user who forwarded a port on AirVPN, therefore, monitoring a certain port on all AirVPN IPs makes no real sense.

You're missing the point. The point is not trying to extract specific user information from Air via legal or technical means, the point is monitoring large numbers of users all over the Internet, saving as much metadata as you can, and then data mining to find interesting correlations. "Interesting correlations" is just that, nothing that reveals a users identity, but given enough of them it would be possible (with enough work!) to puzzle together the information to build a profile of someone.

 

If you have a long-lived port forwarding, you are basically giving away something that is usable as a (somewhat) unique identifier for free - and that is something that reduces the anonymity of users, which I believe is what PIAs statement was supposed to mean.

 

Bittorrent is just an example, but I'm guessing an example that would be relevant to people here. There are already people monitoring Bittorrent swarms after all.

Share this post


Link to post

 

Knowing the port number and that someone is behind an Air server, in that case, is more or less equivalent to knowing the IP - it's a unique(-ish) numeric identifier.

 

Unique, but not very meaningful. And it's not like knowing the IP, because when I'm a law enforcement officer and I know an ISP IP is seeding movies illegally, I can go there and find out who the customer is. You can't do that here.

 

There is one little caveat. If I know the forwarded port on the AirVPN server, then the data to unmask you exists and is persistent, whereas if no such forward is configured the data to unmask you is ephemeral enough to disappear once you tear down the tunneled connection. That is to say if I observe today that you use port 1024 for forwarding, and AirVPN knows that Port 1024 is tied to your user account, and AirVPN knows you are connected to 1-3 servers right now, I can, with the help of AirVPN, unmask you with some certainty even though no logs are kept.

 

I don't believe this to be likely, but if AirVPN were compelled to produce data somehow, the data to do this exists. When no persistent port forward is set up, it doesn't (you fade into anonymity as soon as the relevant connection is closed).

Share this post


Link to post
Posted ... (edited)

You're missing the point. The point is not trying to extract specific user information from Air via legal or technical means, the point is monitoring large numbers of users all over the Internet, saving as much metadata as you can, and then data mining to find interesting correlations. "Interesting correlations" is just that, nothing that reveals a users identity, but given enough of them it would be possible (with enough work!) to puzzle together the information to build a profile of someone.

 

I'm not missing the point. What's the use of a list of things someone does if you don't know who it is? I don't get how this is a privacy issue, that's all.

Also, I'm not the only one on the BitTorrent network using a port, how can you monitor large numbers of users all over the internet, link the ones with matching ports and still be sure you are talking about the same client so you can expand this profile?

 

If I know the forwarded port on the AirVPN server, then the data to unmask you exists and is persistent, whereas if no such forward is configured the data to unmask you is ephemeral enough to disappear once you tear down the tunneled connection. That is to say if I observe today that you use port 1024 for forwarding, and AirVPN knows that Port 1024 is tied to your user account, and AirVPN knows you are connected to 1-3 servers right now, I can, with the help of AirVPN, unmask you with some certainty even though no logs are kept.

 

There is a point in your first sentence, however, how do you observe me to use a certain port? This is the root of all problems, you don't even know what ports certain people forwarded. And AirVPN won't help you here. I tried that, too, asked them who forwarded a certain port so I can ask the user to reverse the forwarding. They wrote "We can't do that".

 

Edit: Oh, and to make things more difficult, every user can forward up to 20 ports...

Edited ... by giganerd

NOT AN AIRVPN TEAM MEMBER. USE TICKETS FOR PROFESSIONAL SUPPORT.

LZ1's New User Guide to AirVPN « Plenty of stuff for advanced users, too!

Want to contact me directly? All relevant methods are on my About me page.

Share this post


Link to post

If you use network lock, you should be good.

Also, since Air uses different entry and exit IP addresses, it prevents correlation attacks (I think)

Share this post


Link to post

What's the use of a list of things someone does if you don't know who it is?

 

If you have enough of those things it lets you narrow down your search and, possibly, eventually find out who someone is. Again, this is not about targeting individual users only through the port numbers they use, this is about grabbing all the data you can and trying to extract meaningful information from it later.

 

A port number that seldom changes is part of that. There will be other parts too, like timestamps, connection speed, etc. Use the same port, client, connection for something else, something that is tied to your identity and we're starting to get somewhere.

 

People are already doing this. We all know about what the three-letter agencies can do, and it's been known for a while that anti-piracy organizations do similar things too. (that article describes monitoring taking place in 2009-2011)

 

The only thing that needs to be added to this data collection that is already happening is statistical smarts and processing power, and those are not things that are hard to come by today.

 

Is this a huge risk to privacy? No. But every little bit of information we put out there only works against it.

Share this post


Link to post

But every little bit of information we put out there only works against it.

 

Then let's not connect to the internet, since every connection puts bits of information out there.


NOT AN AIRVPN TEAM MEMBER. USE TICKETS FOR PROFESSIONAL SUPPORT.

LZ1's New User Guide to AirVPN « Plenty of stuff for advanced users, too!

Want to contact me directly? All relevant methods are on my About me page.

Share this post


Link to post

 

What's the use of a list of things someone does if you don't know who it is?

If you have enough of those things it lets you narrow down your search and, possibly, eventually find out who someone is. Again, this is not about targeting individual users only through the port numbers they use, this is about grabbing all the data you can and trying to extract meaningful information from it later.

 

A port number that seldom changes is part of that. There will be other parts too, like timestamps, connection speed, etc. Use the same port, client, connection for something else, something that is tied to your identity and we're starting to get somewhere.

 

People are already doing this. We all know about what the three-letter agencies can do, and it's been known for a while that anti-piracy organizations do similar things too. (that article describes monitoring taking place in 2009-2011)

 

The only thing that needs to be added to this data collection that is already happening is statistical smarts and processing power, and those are not things that are hard to come by today.

 

Is this a huge risk to privacy? No. But every little bit of information we put out there only works against it.

 

I don't think there is any risk. I don't think knowing the torrenting port can be used to tie you to a profile. Sure a profile can be made based on or with that information but it would be useless and pointless for purposes of identifying the user behind it. Even if you never change the port.

 

Any data that is gathered while you torrent via AirVPN starts and ends at the VPN as far as the swarm is concerned. No information gathered from the swarm points directly to you, it points to the AirVPN server. So even if information is recorder it can not be tied to you.

 

The scenario you propose is impossible, "Use the same port, client, connection for something else, something that is tied to your identity and we're starting to get somewhere." How would this happen? We're still talking about torrenting, right?

Share this post


Link to post

Actually there are much better ways to profile Torrent users, without any port forwarding or any VPN

vulnerabilities involved, but I prefer not to expose them in order not to give ideas to copyright trolls.

 

Just think about correlations - exit IPs and user agents. Then think about content seeds and swarms.

If you are a technical researcher, this is enough hint for you to understand the concept.

 

 

Port forwarding is a theoretical issue, in which case it lies exactly in the middle, depends on your

threat model and adversary - if it's some copyright actors - with a provider like Air you will probably

be safe with or without it enabled. They will not risk 10k+ monthly paying users to serve any request.

If it's a nation state or government actor, you shouldn't really ask this question and you probably know

about ports more than it takes to ask this kind of question in the first place.

 

So OP, in your case, probably the answer is that it is pretty much safe, combined with Network Lock.


Occasional moderator, sometimes BOFH. Opinions are my own, except when my wife disagrees.

Share this post


Link to post

The scenario you propose is impossible, "Use the same port, client, connection for something else, something that is tied to your identity and we're starting to get somewhere." How would this happen? We're still talking about torrenting, right?

To clarify, Bittorrent was given as an example as a source of data that could be used to build a profile. Neither the port number or the Bittorrent protocol is the whole thing, it's just something that can be linked to other data.

 

This is going in circles and nobody is going to change their opinion, so I'll leave it at that.

Share this post


Link to post

Then let's not connect to the internet, since every connection puts bits of information out there.

Or, let's weigh the pros and cons and take reasonable precautions to minimize exposure instead of trying to deal in absolutes. Privacy online is a continuum between isolating yourself in a Faraday cage and broadcasting everything to the world, it's up to ourselves to decide where on it we want to be.

 

 

So OP, in your case, probably the answer is that it is pretty much safe, combined with Network Lock.

I think we can all agree that will be just fine for almost all Air users reading this thread.

Share this post


Link to post

Or, let's weigh the pros and cons and take reasonable precautions to minimize exposure instead of trying to deal in absolutes. Privacy online is a continuum between isolating yourself in a Faraday cage and broadcasting everything to the world, it's up to ourselves to decide where on it we want to be.

 

I rather think @giganerd knows this already! as do most of us.

Most of us also know 'every little bit of information we put out there only works against it'.

So what is it you are trying to add that is unknown to the whole community?

Share this post


Link to post

Hello !

 

Maybe you should check out this previous topic: https://airvpn.org/topic/16841-port-forwarding-safe/

 

That's what I'm thinking. I knew I had linked to it in my guide, so I went digging lol. In the security section.

 

Sent to you from me with datalove


Moderators do not speak on behalf of AirVPN. Only the Official Staff account does. Please also do not run Tor Exit Servers behind AirVPN, thank you.
Did you make a guide or how-to for something? Then contact me to get it listed in my new user guide's Guides Section, so that the community can find it more easily.

Share this post


Link to post

One issue some people may not have taken into account. The forwarded port need not be unique. I am struggling to find the right words to explain this. So bear with a little example.

 

If you forward port 12345, that is on your side only. On AirVPNs side it can be any port. It is just port 12345 to you when air passes it to you or passes it from you. (It is stamped on the packet, but not an inflexible rule that it must be that port everywhere, or else every network would fail as soon as it has a conflict.)

 

So to you it may be 12345, but to AirVPN, it may be 60012 or 4354 or any other number. The VPN still knows to route it to 12345 for you, but it still goes via the designated port for the VPN tunnel, despite the rule you made for forwarding it to you. For instance, if you have Eddie setup to use UDP 443 to establish the connection, your 12345 content still arrives on UDP 443. Once it arrives, your side just pretends it is for 12345. This works, but no-one in between the sender and receiver has to even know about it other than AirVPN. And even that last part is debatable since the VPN encapsulates the packets in new packets, and until they are received, no system other than sender and receiver have any idea what port it belongs to.

 

So what dangers does port forwarding present? None at all more than using different ports in different applications like you already do.


Debugging is at least twice as hard as writing the program in the first place.

So if you write your code as clever as you can possibly make it, then by definition you are not smart enough to debug it.

Share this post


Link to post

Thanks, LZ1, 'preciate the reference It looks like getting a good understanding of the issue, at least as regards torrenting, would require someone with specific detailed technical knowledge of both the torrenting protocol and, in this case, the way Air handles incoming and outgoing torrent data. It would be great if someone on Staff could clarify, but I understand there may be reasons why they would not want to be too specific on this. It seems like the best mitigation is to change your forwarded ports frequently. It also seems like it's probably not a big threat vector, but it would be nice to hear from someone who has that depth of technical knowledge to verify that's it's minimal. Also if someone cared to explain the relevant parts of the torrent protocol and incoming/outgoing ip address aspect that would be an interesting read. Cheers

Share this post


Link to post

One issue some people may not have taken into account. The forwarded port need not be unique. I am struggling to find the right words to explain this. So bear with a little example.

 

If you forward port 12345, that is on your side only. On AirVPNs side it can be any port. It is just port 12345 to you when air passes it to you or passes it from you. (It is stamped on the packet, but not an inflexible rule that it must be that port everywhere, or else every network would fail as soon as it has a conflict.)

 

 

Hello!

 

In general that's correct, but remapping ports will make torrent clients unreachable because they announce to trackers and DHT their internal settings configured port (of course) while the VPN server will listen to a different port. So, in this particular case, remotely forwarded port and local port must have the same number.

 

For people running a torrent client behind the VPN, a good solution against various menaces inferred in this thread would be changing the listening port at each session. It takes a few seconds in the account control panel in our web site, and no "ports history" is ever recorded. Obviously if your threat model involves only private copyright trolls and similarly deranged persons, that would be not even be necessary.

 

Kind regards

Share this post


Link to post

Join the conversation

You can post now and register later. If you have an account, sign in now to post with your account.
Note: Your post will require moderator approval before it will be visible.

Guest
Reply to this topic...

×   Pasted as rich text.   Paste as plain text instead

  Only 75 emoji are allowed.

×   Your link has been automatically embedded.   Display as a link instead

×   Your previous content has been restored.   Clear editor

×   You cannot paste images directly. Upload or insert images from URL.

Loading...
  • Security Check
    Play CAPTCHA Audio
    Refresh Image

×
×
  • Create New...