jurepays

Under attack - questions to verify AirVPN logfiles and wires

Hello, I have been under attack for more than a year now and learned a few basic things the hard way.

I have a few basic questions. I always use AirVPN, but as I am exposed to some MITM attacks I was wondering how I can make sure that my AirVPN is functioning correctly.

1. Basically I noticed a difference in the wires today. Is that normal?

In file airvpn1.. I only have encrypted packets all the time.

In file airvpn2.. there are a lot of Version Negotiation in between.

What does that mean?

2. As a newbie, not so firm with logfile analysis, I was also wondering if my logs are OK.

At the beginning, when I turned on the machine (without internet), I first started Wireshark and afterwards AirVPN. There were a lot of ICMP packets sent. Are they from AirVPN? If so, how do I control them? By reducing the number of servers I want to connect to?

see: file airvpn3...

These ICMP messages/packets also showed up in the logs of AirVPN because I usually do not store the password. So, are these AirVPN requests to see which server is there?

for my logs see file: Eddie...

3. Are logs OK - Part II

Would it be possible to have an integrity check for logs? If it is a "normal" log entry then a green dot or point is at the beginning of the line, and if not a red one. Just very simple. If it is neither positive nor negative then an orange one could be displayed. I know that there are already visual signs in front of the logs. But as you can see in file: airvpn4... some entries are just question marks for somebody who is new to this field and does not have all the experience/knowledge you all have. To have the system be improved, the users could opt for sending the red entries to a special forum where the real professionals could have a look and determine how to improve the system and discuss the issues on a much higher level. The servers are communicating anyway, and like this important information is automatically passed on to the ones who really understand it. And if you do not want to, you just do not click the checkbox: "Send critical logs to AirVPN Forum for improvement"

Just an idea.

I just wanted to thank you for this service and really appreciate your work.

sam

Eddie_20170525_235705.txt

Err..

Hello, I have been under attack for more than a year now

What?

Wireshark's QUIC protocol identification is indeed OpenVPN. Maybe because it's similar to it, or maybe OpenVPN uses it, I don't know.

And I recognize some of the IPs in screen 3 as AirVPN servers, it's indeed Eddie pinging the servers.

I think I already asked indirectly.. but how, how in the name of your favourite god did you come to the conclusion that you're under attack? If you were, OpenVPN would scream..

Would it be possible to have an integrity check for logs? If it is a "normal" log entry then a green dot or point is at the beginning of the line, and if not a red one. Just very simple. If it is neither positive nor negative then an orange one could be displayed. I know that there are already visual signs in front of the logs. But as you can see in file: airvpn4... some entries are just question marks for somebody who is new to this field and does not have all the experience/knowledge you all have. To have the system be improved, the users could opt for sending the red entries to a special forum where the real professionals could have a look and determine how to improve the system and discuss the issues on a much higher level. The servers are communicating anyway, and like this important information is automatically passed on to the ones who really understand it. And if you do not want to, you just do not click the checkbox: "Send critical logs to AirVPN Forum for improvement"

You're adorable. No offense, really! But a logfile is a stupid text file, so no colors.
In Eddie, the first letter classifies the log entry. Dots are lines printed by OpenVPN. I is info. ! is important info, maybe events/milestones, too. W would be warnings. E would be errors. Based on this, I could filter the lines based on the first letter, maybe include a few lines before and after to have a context and let it show me. Easier troubleshooting.

Next: Being attacked is such a rare occasion; in my (soon) four years of roaming these forums it never got posted publicly. I've yet to come across a thread with a serious attack situation.

Next²: About sending those logs somewhere, in a semi-automated fashion.. where to? Who would you classify as a "real professional"? I've seen regular users getting elevated to moderators here. So your best bet to reach such a "professional" is to simply open up threads like this one, ask for help with your setup and wait for them pros to awake from their beauty rest. We're trying to be an open community, having "special forums for pros only" is a victory for two-class schemes and, by extent, a defeat for net neutrality principles.

You're also referring to a fourth screenshot, it seems to be missing. Otherwise, your logs are totally green.


» I am not an AirVPN team member. All opinions are my own and are not official. Refer to Staff postings for the official word.

» These are the community forums, not the support portal. You're writing with other users here.

» New here? LZ1's New User Guide to AirVPN. Use the search function, Luke!

» Tor exits behind a VPN connection are discouraged. Using Tor on the other hand is not.

» Privacy is like alcohol: Drink a little and it can help you stay unnoticed. Drink a lot and everyone will notice you.

» I cannot give you the solution to all your issues. But I can guide you to it. The rest is up to you.
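The filtering idea from the reply above (select Eddie lines by their first-letter class and keep a few lines of context), written out as an added Python example that is not from the thread or from the Eddie project; the line layout `<letter> <date> <time> - <message>` and the sample lines are assumed and constructed, not taken from the attached Eddie_20170525_235705.txt.

```python
import re
from collections import Counter
from typing import Dict, List, Sequence, Tuple

# First-letter classes as described in the post: "." = OpenVPN output, I = info,
# ! = important info / milestone, W = warning, E = error. Level names are my own labels.
LEVELS = {".": "openvpn", "I": "info", "!": "milestone", "W": "warning", "E": "error"}

# Constructed sample log (assumed "<letter> <date> <time> - <message>" layout).
SAMPLE_LOG = """\
I 2017.05.25 23:57:05 - Eddie client started
I 2017.05.25 23:57:06 - Checking route
. 2017.05.25 23:57:10 - OpenVPN > Initializing OpenSSL
. 2017.05.25 23:57:11 - OpenVPN > TLS: Initial packet from remote
W 2017.05.25 23:57:20 - Connection timed out, retrying
. 2017.05.25 23:57:21 - OpenVPN > TLS Error: TLS key negotiation failed
E 2017.05.25 23:57:22 - Unable to connect, disconnecting
! 2017.05.25 23:58:40 - Connected
"""

LINE_RE = re.compile(r"^([.I!WE]) (\S+ \S+) - (.*)$")


def classify(line: str) -> Tuple[str, str]:
    """Return (level, message) for one Eddie line; unparseable lines are 'unknown'."""
    m = LINE_RE.match(line)
    if not m:
        return ("unknown", line)
    return (LEVELS[m.group(1)], m.group(3))


def count_levels(text: str) -> Dict[str, int]:
    """Quick health overview: how many lines of each class the log contains."""
    return dict(Counter(classify(l)[0] for l in text.splitlines()))


def filter_with_context(text: str, levels: Sequence[str] = ("warning", "error"),
                        context: int = 2) -> List[str]:
    """Keep lines of the wanted classes plus `context` lines before and after each,
    merging overlapping windows so no line is emitted twice."""
    lines = text.splitlines()
    keep = set()
    for i, line in enumerate(lines):
        if classify(line)[0] in levels:
            keep.update(range(max(0, i - context), min(len(lines), i + context + 1)))
    return [lines[i] for i in sorted(keep)]


if __name__ == "__main__":
    print(count_levels(SAMPLE_LOG))
    print("\n".join(filter_with_context(SAMPLE_LOG, context=1)))
```

On a real file the same selection is a one-liner, e.g. `grep -n -B2 -A2 '^[WE] ' Eddie_20170525_235705.txt`, assuming the log uses that first-letter layout.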

Hi,

thank you for your answer.
I hope you are right and it is just paranoia.
Concerning the 4th attachment in your answer, it is underneath the 3 images (airvpn logs).
Yesterday and today I seem to have (at the minimum) encountered some weird stuff which cannot be explained (logically) by the Wireshark forum or the AirVPN forum.
But before stating that I am "under attack" I hope that somebody can help me with a logical explanation concerning these issues.
I receive quite a lot of malformed packets (constantly) even though it should not be like that. And at the beginning, when I connect to AirVPN, they are not there (Wireshark captures are available).
Furthermore, yesterday I tried various times to connect to the AirVPN servers but it just tried and tried to connect. It took about an hour until I had a connection (see some excerpts of logs of Eddie and of the AirVPN interface where the connection attempts are listed).
Thank you for your help.