Oamme

Exit IP always "Entry IP + 1"


I've noticed that with AirVPN, I'm always being assigned an Exit IP that is "Entry IP +1". This seems bad for anonymity and it was recently used by the FBI to deanonymize targets, as seen in this document by the FBI for the recent "PoodleCorp" arrest of two ddosing teenagers: https://www.justice.gov/usao-ndil/file/900826/download

If you look at page 41 and 42, you will find the following quote:

On or about June 30, 2016, I tested that VPN service and observed that it supports establishing remote VPN sessions via UDP to port 443 and via TCP to port 22. I used the software to connect with servers identified as being located in the United States. Upon successful connection, the VPN service provided information about the connection, including the entry IP address and exit IP address, as well as the "Protocol" and "Port." I repeated this process again on or about September 20, 2016, and found that each VPN server had a consistent IP address when connecting to VPN service and a corresponding IP address for connections exiting from the service, as follows:

Following this statement, a table is shown, showcasing the problem (page 42 on top). I was wondering what AirVPN's stance is on this topic and if changes are planned.


Hello,

 

from your message it looks like separation of entry and exit-IP addresses should be a countermeasure to the cited threat model, but it isn't. Even if both IP addresses were in separate /24 subnets, the linked investigation could have been successful anyway.

 

Given the threat model you provided, the countermeasures should be different. You should assume an even less favorable scenario: such an adversary can actively wiretap, with competent authorization obtained in a short time (or even illegally: the threat model for a powerful criminal organization is probably similar) any server in any datacenter in some country (in your case, especially USA and Canada).

 

In any case, when actions in our infrastructure infringe our Terms of Service, and in particular when they infringe human rights, we reserve the right to do anything in our power to put an end to such actions and track down the infringer.

 

Kind regards



Just looking for clarification, is there anything stopping you from tracking down your users when they are not violating the terms of service or human rights of others? Would you track down those that have in a manner that does not expose the data of your other users?


You either didn't read the investigation method or the explanation.

Nobody is tracking down users, but if someone is dumb enough to use a public service, such as AirVPN, whose exit IPs might be known to nation state adversaries, and almost anyone with a simple Google search, and whose entry IPs might be discovered by the simple method of purchasing an account, or even reading the forums and simply pinging name.airvpn.org, and then he repeatedly posts messages against that authority, from a server within their full jurisdiction and laws, and from an ISP within their full legal reach, he is a moron and deserves to be punished, which is exactly what happened in this case, without any help of anyone but the ISP of this criminal.

All they had to do is ask an ISP they already knew about who connected to a specific IP in a specific timeframe. Since he repeatedly did the same idiotic pattern from the same U.S. servers, it was a matter of time.

I suggest you read another very similar case:

http://www.theverge.com/2013/12/18/5224130/fbi-agents-tracked-harvard-bomb-threats-across-tor

This one wanted to pull a bomb alert in his university, and he probably read somewhere that Tor is good, it's anonymous and no one can track him. While that could be true, he forgot some other things, such as: if he was the only one using Tor in the university, from his own machine, during the event, he will automatically be the prime suspect. It took a very short time until they got him as well.

But you cannot blame Tor here, and it's actually a good thing that 80% of criminals make the same 20% of common mistakes.


Occasional moderator, sometimes BOFH. Opinions are my own, except when my wife disagrees.
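The correlation the two replies above describe (and the Tor/Harvard case works the same way: a known relay address plus the ISP's or campus's connection records) can be written down in a few lines. This is an added example on constructed data, not AirVPN's code nor anything from the affidavit: the investigator first builds the entry-to-exit table by connecting to each server with a purchased account, takes the exit IP and timestamp of each abusive post from the victim's log, and then asks the ISP which subscribers opened a connection to the paired entry IP shortly before each post. The addresses, subscriber ids, log lines and the 10-minute window are all assumptions made for the example; the entry/exit pairs are deliberately not "entry + 1" to show that adjacency is not what is exploited.

```python
from collections import Counter
from datetime import datetime, timedelta

# Step 1: entry -> exit table the investigator built by connecting to each
# server with a purchased account (the affidavit's June/September tests).
# Constructed addresses, deliberately not "entry + 1".
VPN_MAP = {
    "198.51.100.10": "203.0.113.77",   # server A
    "198.51.100.20": "192.0.2.140",    # server B
}

# Step 2: victim-side log: exit IP and time of each abusive post (constructed).
VICTIM_LOG = [
    "2016-06-30T14:02:11Z 203.0.113.77 POST /thread/reply",
    "2016-07-03T09:15:40Z 192.0.2.140 POST /thread/reply",
    "2016-07-08T21:44:05Z 203.0.113.77 POST /thread/reply",
]

# Step 3: flow records the subscriber's ISP hands over:
# session start, subscriber id, destination IP (constructed).
ISP_FLOWS = [
    "2016-06-30T13:58:02Z cust-4411 198.51.100.10",
    "2016-06-30T14:00:30Z cust-9023 198.51.100.10",   # bystander on the same server
    "2016-07-03T09:10:12Z cust-4411 198.51.100.20",
    "2016-07-08T21:40:55Z cust-4411 198.51.100.10",
    "2016-07-08T21:41:20Z cust-1207 198.51.100.20",   # other server, never matches
]

# Assumption: the VPN session is opened at most this long before the post.
WINDOW = timedelta(minutes=10)


def parse_ts(text):
    return datetime.strptime(text, "%Y-%m-%dT%H:%M:%SZ")


def exit_to_entry(mapping):
    """Invert the investigator's entry->exit table."""
    return {exit_ip: entry_ip for entry_ip, exit_ip in mapping.items()}


def correlate(victim_log, isp_flows, mapping, window=WINDOW):
    """Count, per ISP subscriber, how many abusive posts they could have made.
    A flow matches a post if it went to the entry IP paired with the post's
    exit IP and started within `window` before the post."""
    reverse = exit_to_entry(mapping)
    flows = []
    for line in isp_flows:
        ts, subscriber, dst = line.split()
        flows.append((parse_ts(ts), subscriber, dst))

    hits = Counter()
    for line in victim_log:
        ts, exit_ip = line.split()[:2]
        post_time = parse_ts(ts)
        entry_ip = reverse.get(exit_ip)
        if entry_ip is None:
            continue   # post did not come through a server we mapped
        for start, subscriber, dst in flows:
            if dst == entry_ip and timedelta(0) <= post_time - start <= window:
                hits[subscriber] += 1
    return hits


def prime_suspects(hits, n_events):
    """Subscribers whose flows line up with every abusive post."""
    return sorted(s for s, n in hits.items() if n == n_events)


if __name__ == "__main__":
    hits = correlate(VICTIM_LOG, ISP_FLOWS, VPN_MAP)
    print(dict(hits))
    print("matched all events:", prime_suspects(hits, len(VICTIM_LOG)))
```

Two things the run shows. The table in step 1 is what makes the join possible, so moving the exit address to a different subnet changes nothing; it is obtained by testing, not by guessing "+1". And the bystander subscriber matches one post only: a single event on a busy server leaves several candidates, which is why the repeated pattern from the same servers, as the reply above says, is what narrows the list to one.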


Most such incidents occur due to user error; I just wanted to make sure AirVPN wasn't hiding a logging/user monitoring loophole in the fine print.

