Hello,

 

AirVPN tries to protect its users against correlation attacks by having two IPs in each server: one entry-IP, one exit-IP. But here is my question: Since presumably those IPs are public, and easy to figure out, any adversary could link the two IPs and do the correlation attack as usual.

 

Have I missed something?

 

I guess you could argue that having two IPs protects you against broad undirected surveillance, but is not meant to protect against a targeted attack. Would the AirVPN staff agree with that? Have I missed something?

No one-hop VPN is going to protect you fully if a powerful adversary is doing correlation attacks to find you. I would do a search here regarding a "partition of trust" and how AirVPN management has recommended it for those with strong privacy needs, e.g. using Tor over AirVPN would be a great starting point. Search for partition of trust and see if it makes sense. I do understand your original post in this thread, but I wanted to answer beyond the basics. AirVPN (any good one-hop VPN) may be all most will ever need. Marketing companies trying to snoop your activities, etc. are stopped by Air with ease. A correlation attack is when a "power" far beyond that scope is trying to locate YOU (my definition anyway).

Thanks!

 

That's helpful information. It's good to have a clear picture of what a VPN can and cannot do, and that TOR + VPN is an option for people who need more.

 

On a personal level, I am happy with just a VPN. I am not trying to fight off a targeted attack. I dislike the kind of mass surveillance that happens in most developed countries (maybe most countries), and I'm thinking about net neutrality. I think that if everyone used VPNs, ISPs would not be able to throttle services, and governments would have to focus their efforts on people who are actually suspicious instead of just saving every conversation that everyone has by default.

Similar motivation and use-case to @dcarrera, but I expect infosec is a much more serious issue for Air clients in places like China, Egypt, Turkey, etc.; and journalists/bloggers/political parties/etc. dealing with government corruption leaks etc. nearly everywhere; and others in a very imperfect world (ad nauseam, e.g. ex-partners of bitter secret/security police).

One thing I notice is that if I am doing some bittorrenting, including seeding, there is a very large "spray"/"fog" of highly variable traffic to many different trackers, peers, distributed hash table and peer exchange functions. So this would obscure sensitive connections subject to correlation attacks. And using an Air server with many torrent clients running (guesswork) multiplies the "noise level".

Hello,

 

AirVPN tries to protect its users against correlation attacks by having two IPs in each server: one entry-IP, one exit-IP. But here is my question: Since presumably those IPs are public, and easy to figure out, any adversary could link the two IPs and do the correlation attack as usual.

 

Have I missed something?

 

Hello!

 

Yes, the attacks you talk about, usually based on timing attacks in low-latency networks, are not meant to be prevented by separate entry and exit IP addresses.

The correlation attacks which are prevented by separate entry and exit IP addresses are different. When two nodes of the same VPN connect to each other via a public address which is also the VPN gateway public address, they will start exchanging data in clear text outside the tunnel (this is quite obvious, check your routing table to understand exactly why).

 

When that IP address is shared between the nodes connected to the VPN server, this opens up the way to a wide variety of correlation attacks to discover the real IP addresses of the nodes connected to a VPN server. The adversary does not need to control or wiretap all the relevant network segments, it just needs to enter the VPN as a normal user, forward ports remotely and study the proper way to start the attack on the target or targets (the attacker will need to convince the target or targets to connect to any of the services he/she controls behind the VPN).

 

This is not an OpenVPN (or other VPN software) vulnerability, it's just how routing works.

 

Incredibly, even nowadays you can find VPN services around the world which do not take care of all the above and, even more incredibly, famous "VPN reviews" sites do not even talk about this issue.

 

Kind regards

When two nodes of the same VPN connect to each other via a public address which is also the VPN gateway public address, they will start exchanging data in clear text outside the tunnel (this is quite obvious, check your routing table to understand exactly why).

 

When that IP address is shared between the nodes connected to the VPN server, this opens up the way to a wide variety of correlation attacks to discover the real IP addresses of the nodes connected to a VPN server. The adversary does not need to control or wiretap all the relevant network segments, it just needs to enter the VPN as a normal user, forward ports remotely and study the proper way to start the attack on the target or targets (the attacker will need to convince the target or targets to connect to any of the services he/she controls behind the VPN).

 

 

Hello, I think you bring up a very important point, but could you please elaborate a bit?

My question is, if my VPN provider (PIA at the moment, but I am looking at AirVPN to shift to when this subscription expires next week) has a server that I connect to, which has a different entry IP and a different exit IP, are you saying that with this setup, someone sitting at the datacenter where the server is can't see in plain text which entry IP is giving out which exit IP?

So I am using PIA. Some countries have a different entry and exit IP when you connect to them. For example Singapore, India, Netherlands: these all have different entry and exit IPs, and somehow I just feel more comfortable connecting there. Other server locations in the EU, a lot of which are provided to PIA by M247, just have the one IP which is what all websites see and what you also see, meaning entry and exit is the same IP.

Can you please explain WHY a different entry and exit IP is safer, and also what potential tracking this prevents or makes harder to do?

Can you please explain WHY a different entry and exit IP is safer, and also what potential tracking this prevents or makes harder to do?

 

Hello!

 

Any packet received (through a remotely forwarded port) from the IP address that is also the public entry IP address of the VPN server will be replied to that same IP address from your "real" public IP address. When public entry and exit IP addresses match (i.e. it's only one address) an attacker can simply enter the same VPN and send packets to all the forwarded ports (finding the forwarded ports is of course a "two-seconds" task) and receive replies from the real IP addresses of each and every VPN node.

 

When entry and exit-IP addresses are different, the above can't happen, since listening services can't receive unsolicited packets from anywhere with entry-IP address as origin.

 

Therefore, the PIA configuration you mention is wrong and dangerous when remote port forwarding is available and at least two nodes can connect to the same VPN. If only one node can connect, then it's unsafe for different reasons (weak anonymity layer).

 

Therefore, avoid VPNs which do not provide this basic security configuration (lacking this setup is also a worrying symptom suggesting that they lack proper networking knowledge). If that's not possible, at least avoid remote port forwarding completely when entry and exit-IP addresses are the same, and make sure that you're not the only one connecting to that virtual network.

 

Kind regards

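To make the routing argument in the reply above concrete, here is an added example (not AirVPN's code or anything posted in this thread) that models the two routes a redirect-gateway OpenVPN client typically installs and asks where the reply to a packet arriving on a forwarded port leaves the machine. All addresses are constructed documentation-range values; the real-IP exposure flag is a simplification that ignores home NAT details.

```python
import ipaddress

# Constructed addresses from the documentation ranges; not real AirVPN/PIA servers.
REAL_PUBLIC_IP = "203.0.113.7"   # the client's real public address
TUN_IP = "10.8.0.15"             # address the VPN assigned inside the tunnel


def client_routes(entry_ip):
    """Model of the routes an OpenVPN client installs with redirect-gateway:
    a /32 host route to the server's entry IP via the physical interface
    (so the encrypted tunnel packets do not loop back into the tunnel) and a
    default route via tun0 for everything else."""
    return [
        (ipaddress.ip_network(f"{entry_ip}/32"), "eth0", REAL_PUBLIC_IP),
        (ipaddress.ip_network("0.0.0.0/0"), "tun0", TUN_IP),
    ]


def lookup(routes, dst):
    """Longest-prefix match: return (interface, source IP) used to reach dst."""
    dst = ipaddress.ip_address(dst)
    best = max((r for r in routes if dst in r[0]), key=lambda r: r[0].prefixlen)
    return best[1], best[2]


def reply_path(entry_ip, exit_ip):
    """Another user of the same VPN sends a packet to one of this client's
    forwarded ports.  After the server's NAT that packet carries the server's
    exit IP as source, so the client's reply is addressed to exit_ip.
    Decide which route that reply takes."""
    iface, src = lookup(client_routes(entry_ip), exit_ip)
    return {
        "reply_iface": iface,
        "reply_src": src,
        # A reply on eth0 bypasses the tunnel and reaches the server's entry
        # address from the client's real network: the real IP is exposed.
        "real_ip_exposed": iface == "eth0",
    }


def check_server(entry_ip, exit_ip):
    """Defender-side check for a server listing: flag shared entry/exit IPs."""
    if entry_ip == exit_ip:
        return "UNSAFE: shared entry/exit IP, avoid port forwarding here"
    return "SAFE: separate entry/exit IP"
```

With a shared address the reply matches the /32 host route and leaves on eth0; with separate addresses it matches only the default route and stays inside the tunnel.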
When public entry and exit IP addresses match (i.e. it's only one address) an attacker can simply enter the same VPN and send packets to all the forwarded ports (finding the forwarded ports is of course a "two-seconds" task) and receive replies from the real IP addresses of each and every VPN node.

When entry and exit IP addresses are different, the above can't happen, since listening services can't receive unsolicited packets from anywhere with the entry IP address as origin.

Hello again, I really appreciate and value the learning opportunity.

So, I just looked, and out of the 33 countries where PIA has servers, 9 have port forwarding enabled, and out of those 9 countries, none have a different entry and exit IP! So, as you pointed out, this is just how routing works, and to mitigate this you have to disable port forwarding at those servers which don't have a different gateway + exit IP, which PIA has not done. In order for the attack to take place, at the locations that allow port forwarding, the attacker basically has to join the server as a user, and somehow by social engineering or otherwise, get the target (which he does or doesn't know at this point) to connect to a service that the attacker has enabled on an external server, and then when the target does connect, he sees a unique ip:port combo and so can unmask the user because in the server the nodes are communicating in the clear (even though the client-to-server connection is encrypted to the target's ISP). Something like that, lol.

This may be a little off-topic, but I have been using PIA for more than a couple of years and I really used to enjoy connecting to Romania and Switzerland last year, as Voxility was the provider in Romania and Private Layer Inc was in Switzerland, which I loved. If I remember correctly, PIA decided to implement a different entry and exit IP on a few of the countries, and I guess people complained that it confused them a lot, and so they rolled back.

What has ended up happening is M247 is now in most of the country locations as the transit provider for PIA.

And, there is even an article about how "M247 Ltd is the most used internet egress point used by VPN providers like PIA all over Europe."

And the author is simply pointing out that M247 is being used by AirVPN, NordVPN, and PIA and also Mullvad among a host of other superb no-logs VPN providers, which I find fascinating. It's quite the amount of pressure on M247 in terms of nation-state scrutiny, but I suppose being incorporated in Romania really helps!

Do you have any thoughts on your feelings on having M247 so ubiquitous as a transit traffic provider? I mean I do get great speeds, but at the back of my mind, I am seeing country after country with PIA being serviced by M247. Not that speed is bad, it's not.

the attacker basically has to join the server as a user, and somehow by social engineering or otherwise,

 

Social engineering is not required. The attacker just needs to find the forwarded ports. A very quick and easy one-minute job.

 

Do you have any thoughts on your feelings on having M247 so ubiquitous as a transit traffic provider? I mean I do get great speeds, but at the back of my mind, I am seeing country after country with PIA being serviced by M247. Not that speed is bad, it's not.

 

M247 offers a service which meets and has always met all of our technical requirements at a fair price. It's really something because, as you know, we are quite demanding. However, we do not want to stay bound to a single provider (simply for failover and redundancy considerations; it has nothing to do with M247's quality of service), that's why we will not exceed around 25% of our infrastructure with M247.

 

Kind regards
