Jump to content
Not connected, Your IP: 54.92.135.47
l33t

Torrent IP Address Leak

Recommended Posts

I read something online that I found would be quite disturbing if it were true:

"The attack is actually worse than that: apparently in some cases uTorrent, BitSpirit, and libTorrent simply write your IP address directly into the information they send to the tracker and/or to other peers"

from this website: https://blog.torproject.org/blog/bittorrent-over-tor-isnt-good-idea

Now, my question is, even if this were true, would uTorrent send the AirVPN IP Address, or would it send our real IP Address? Because if uTorrent sends our real IP Address, the whole point of using a VPN would be undermined.

Share this post


Link to post

I read something online that I found would be quite disturbing if it were true:

"The attack is actually worse than that: apparently in some cases uTorrent, BitSpirit, and libTorrent simply write your IP address directly into the information they send to the tracker and/or to other peers"

from this website: https://blog.torproject.org/blog/bittorrent-over-tor-isnt-good-idea

Now, my question is, even if this were true, would uTorrent send the AirVPN IP Address, or would it send our real IP Address? Because if uTorrent sends our real IP Address, the whole point of using a VPN would be undermined.

Hello!

Of course, in this case there's nothing to be worried about when using OpenVPN. We provide VPN services, not a proxy service or a junk PPTP VPN service. OpenVPN is also immune to the infamous PPTP IPv6 vulnerability discovered some time ago with torrent clients.

If you read carefully the beautiful article you linked, you'll see why uTorrent, Vuze or any other torrent client can't stamp your real IP address on the packets sent to other peers and trackers (unless they run with root privileges and act like a malware, of course, or you, as root, deliberately bind them to your physical card, but that's another story completely). Keep in mind that OpenVPN uses a TUN/TAP network card, that our servers push routes accordingly and that our system NEVER forwards a port that you did not explicitly instructed it to do.

It's important to note that the article hints also to some potential correlation attacks that we decided to take into consideration a long time ago. That's one of the reasons for which in Air servers, contrarily to what happens on any other VPN as far as we know, you have separate entry and exit-IP addresses, and for which we repeatedly recommended that you never forward on your routers the same ports used by your applications when you're connected to the VPN.

Kind regards

Share this post


Link to post

I must admit I still cannot find in the article why torrent clients would not be able to stamp a person's real IP address onto packets. I didn't think a program needed Adminstrator/root access to see what someone's IP address was?

Share this post


Link to post

I must admit I still cannot find in the article why torrent clients would not be able to stamp a person's real IP address onto packets. I didn't think a program needed Adminstrator/root access to see what someone's IP address was?

Hello!

The main reason is that our servers (and any other OpenVPN server, if properly configured) rewrite the packets header before sending them out. The real-IP address of the client is nowhere in the packet. The peers and the tracker (if any) will see the VPN server exit-IP address. Please note that one of the problems underlined in the linked article refers to the fact that torrent clients ignore, when they wish, proxy configuration (therefore TOR proxy too). A proxy is completely different from OpenVPN: it does not modify the kernel routing table, it does not use a separate network card, it does not let you enter a virtual private network.

A more serious problem is whether an application can bypass the routing table and send out packets from your physical interface, therefore exposing the real IP address even with OpenVPN client connected and running properly. In order to do that, applications must run with root/administrator privileges or be specifically configured by root to bind to the physical interface. Every computer user should be well aware of any application which can run with root/administrator privileges: as you know, a VPN does not secure your computer and should not be meant as an antimalware tool.

ANYWAY, a firewall that is configured to secure the connection against leaks in case of unexpected VPN disconnection will also prevent such applications to leak data. This is another reason for which we recommend to set firewall rules in order to secure the connection and not to rely on programs which "kill" the connection or a list of applications if they detect a VPN disconnection. These kind of programs can give a totally false sense of security.

=======

Some digressions:

An even more serious problem is caused by malignant software (spyware) which reads all kind of data (the list of your network cards, the files you have on the HDD, screenshots of your monitor...) and send out those data to a remote server, via a browser or a program which is not blocked by the firewall, for future human analysis. Such malware does exist and it is used to steal data of any kind or disclose the identity of someone suspected of serious crimes by competent authorities. It is also used by human rights hostile countries to monitor "suspect" people. The first defense against these threats is renouncing to use Windows and Mac. If a person in hostile environments is compelled to use Windows, for lack of knowledge for example, it is highly recommended that he/she uses a series of precautions that are viable with a relatively low degree of information:

- use Comodo with Defense+ set to "Paranoid Mode"

- encrypt the whole HDD and keep the computer OFF when it is unattended. This will prevent spyware injection from strangers even if they boot from an external device (USB, CD, DVD). TrueCrypt allows to encrypt entire volumes (including boot partition) easily

- keep sensitive data in Linux or *BSD Virtual Machines with encrypted virtual HDD. VirtualBox enables to create Virtual Machines even to "not skilled" people.

-when access to data is necessary, their decryption is performed only in a safe environment: in a VM with carefully monitored connections, plain text displayed with anti-Tempest fonts and on low emissions monitors in order to prevent Tempest attacks, no network connection until necessary, data first heavily encrypted (gpg, AES-256, AES over TwoFish or Serpent with 768-bit keys size, etc.) then sent out via a VPN (exclusively based on OpenVPN or IPsec, never PPTP) over TOR, or TOR over a VPN, or any other chaining which allows partition of trust

- if a browser has to be used, no scripts must be allowed to run (no javascript, no Flash, no Java, no plugins). Aurora in the TOR browser bundle does that by default

The potential Windows victim should also use common-sense precautions, for example never insert on a Windows system an unknown USB key. A very old and common method for a first-stage attack: the attacker leaves an attractive 32/64 GB USB key (20 years ago it was done with floppy disks, although a ZDNet journalist writes as if she never heard about it before) where she is sure the victim will find it and hopefully will insert it in his/her or company's computer. If the computer's victim has AutoRun enabled and Defense+ not set in "Paranoid Mode", the first stage attack is successful. Foreseeing that the victim might have AutoRun disabled (in line with Windows total-insecurity-style, the AutoRun is on by default) or some program like Defense+ blocking it, the attacker also stores a lot of fascinating "infected" files in the key (from porn movies to attractive applications, from Flash programs to Java applets) in the hope that the victim will not resist to the temptation to run one of them.

Some non-technical readings:

http://www.zdnet.com/criminals-push-malware-by-losing-usb-sticks-in-parking-lots-7000000729/

http://en.wikipedia.org/wiki/Tempest_attack

http://blogs.computerworld.com/security/20816/gauss-malware-nation-state-cyber-espionage-banking-trojan-related-flame-stuxnet

Enough for the digressions... :D

Kind regards

Share this post


Link to post

Wow, thanks for all of the information! I really appreciate that you guys are willing to sit down and write such a long and informative article for support.

Share this post


Link to post

Hello!

There's been some problem with the editing of the original message.

Here it is:

I must admit I still cannot find in the article why torrent clients would not be able to stamp a person's real IP address onto packets. I didn't think a program needed Adminstrator/root access to see what someone's IP address was?

Hello!

The main reason is that our servers (and any other OpenVPN server, if properly configured) rewrite the packets header before sending them out. The real-IP address of the client is nowhere in the packet. The peers and the tracker (if any) will see the VPN server exit-IP address. Please note that one of the problems underlined in the linked article refers to the fact that torrent clients ignore, when they wish, proxy configuration (therefore TOR proxy too). A proxy is completely different from OpenVPN: it does not modify the kernel routing table, it does not use a separate network card, it does not let you enter a virtual private network. So the first issue underlined in the linked article is irrelevant for OpenVPN.

The second issue underlined in the article regards the alleged "announce" to other peers of the IP address seen by the torrent client. In this case the IP address is inside the packets. If a proxy is used, the torrent client will read the real IP address of the user. With OpenVPN, it will read the VPN IP address. So, even the second issue is not a problem for OpenVPN.

Some torrent clients (for example rtorrent) allow to set the IP address to be "announced" to the DHT. Of course if you type in the field your real IP address, OpenVPN can't protect you. However, it remains to be seen how this data can be a "proof" if gathered by some copyright troll/clown. What if users put in that field the RIAA IP addresses? This problem, as well as many others, have been thoroughly investigated by the University of Washington, in the amazing paper "Tracking the Trackers: Why My Printer Received A DMCA Takedown Notice". It is a huge problem for deranged copyright fundamentalists and similar dregs, because a technically aware (and not corrupted) court will immediately see that those data are not a proof and not even a hint, because they can be fabricated by anyone and under all the cases described in the paper. Of course nowadays there are less, but much more expensive and therefore not viable for most copyright clowns, rudimentary p2p swarm monitoring techniques.

The third issue ("the second attack" according to the TOR project article) refers to a type of correlation attack which is impossible on our VPN, for the above considerations. But there are more elaborated correlation attack techniques that the article fails to explain. These techniques cannot be successful because AirVPN servers, contrarily to all the other VPNs, as far as we know, have different entry-IP and exit-IP addresses. It's important, however, that you don't forward on your router the same ports used by your services, in order to prevent correlation attacks EVEN to an adversary who has the ability to monitor your line.

The fourth issue ("the third attack") underlined in the article is irrelevant for OpenVPN, it refers to a TOR "vulnerability" when a torrent client and a browser, both over TOR, are used simultaneously. This issue does not affect OpenVPN (for trivial reasons) or OpenVPN over TOR (simply because the TOR exit node sees encrypted by OpenVPN traffic and does not know anything about ports, protocols, contents, real origin and real destinations of the packets - it just sees all the encrypted traffic to/from one of our shared entry-IP addresses, rendering impossible to build any user snapshot).

A more serious problem is whether an application can bypass the routing table and send out packets from your physical interface, therefore exposing the real IP address even with OpenVPN client connected and running properly. In order to do that, applications must run with root/administrator privileges or be specifically configured by root to bind to the physical interface. Every computer user should be well aware of any application which can run with root/administrator privileges: as you know, a VPN does not secure your computer and should not be meant as an antimalware tool.

ANYWAY, a firewall that is configured to secure the connection against leaks in case of unexpected VPN disconnection will also prevent such applications to leak data. This is another reason for which we recommend to set firewall rules in order to secure the connection and not to rely on programs which "kill" the connection or a list of applications if they detect a VPN disconnection. These kind of programs can give a totally false sense of security.

=======

Some digressions:

An even more serious problem is caused by malignant software (spyware) which reads all kind of data (the list of your network cards, the files you have on the HDD and send out those data to a remote server, via a browser or a program which is not blocked by the firewall, for future human analysis. Such malware does exist and it is used to steal data of any kind or disclose the identity of someone suspected of serious crimes by competent authorities. It is also used by human rights hostile countries to monitor "suspect" people. The first defense against these threats is renouncing to use Windows. If a person in hostile environments is compelled to use Windows, for lack of knowledge for example, it is highly recommended that he/she uses a series of precautions that are viable with a relatively low degree of information:

- use Comodo with Defense+ set to "Paranoid Mode"

- encrypt the whole HDD and keep the computer OFF when it is unattended. This will prevent spyware injection from strangers even if they boot from an external device (USB, CD, DVD). TrueCrypt allows to encrypt entire volumes (including boot partition) easily

- keep sensitive data in Linux or *BSD Virtual Machines with encrypted virtual HDD. VirtualBox enables to create Virtual Machines even to "not skilled" people.

- when access to data is necessary, their decryption is performed only in a safe environment: in a VM with carefully monitored connections, plain text displayed with anti-Tempest fonts and on low emissions monitors (or, for those who have access to it, on TEMPEST-certified equipment) in order to prevent Tempest attacks, no network connection until necessary, data first heavily encrypted (gpg, AES-256, AES over TwoFish or Serpent with 768-bit keys size, etc.) then sent out via a VPN (exclusively based on OpenVPN or IPsec, never PPTP) over TOR, or TOR over a VPN, or any other chaining which allows partition of trust

- if a browser has to be used, no scripts must be allowed to run (no javascript, no Flash, no Java, no plugins). Aurora in the TOR browser bundle does that by default

The potential Windows victim should also use common-sense precautions, for example never insert on a Windows system an unknown USB key. A very old and common method for a first-stage attack: the attacker leaves an attractive 32/64 GB USB key (20 years ago it was done with floppy disks, although a ZDNet journalist writes as if she never heard about it before) where she is sure the victim will find it and hopefully will insert it in his/her or company's computer. If the computer's victim has AutoRun enabled and Defense+ not set in "Paranoid Mode", the first stage attack is successful. Foreseeing that the victim might have AutoRun disabled (in line with Windows total-insecurity-style, the AutoRun is on by default) or some program like Defense+ blocking it, the attacker also stores a lot of fascinating "infected" files in the key (from porn movies to attractive applications, from Flash programs to Java applets) in the hope that the victim will not resist to the temptation to run one of them.

Some readings:

http://www.zdnet.com/criminals-push-malware-by-losing-usb-sticks-in-parking-lots-7000000729

http://en.wikipedia.org/wiki/Tempest_attack

http://blogs.computerworld.com/security/20816/gauss-malware-nation-state-cyber-espionage-banking-trojan-related-flame-stuxnet

The sublime paper "Tracking the Trackers":

https://dmca.cs.washington.edu

Enough for the digressions... :D

Kind regards

Share this post


Link to post

Damn, reading all that got me pretty scared. Hope it's not necessary if you are just a normal user though ?!

Share this post


Link to post

It is not clear to me that for example uTorrent will announce the OpenVPN IP to the DHT and not my real one. In the case where they is only IPv4 behind a NAT the case is clear. They have to use some kind of internet service to determine the public IP for announcement. This request will be routed via OpenVPN and we are good to go.

 

But what about IPv6? Maybe the torrent client will just scan all interfaces for a global unicast IP and uses this. There is no way to know or prevent this except for deep packet inspection.

Share this post


Link to post

Hello!

 

Unfortunately some very popular torrent clients are closed source software so we can't say for sure what they do, but in case of doubts you can disable IPv6 in your system when you connect to the VPN.

 

Kind regards

Share this post


Link to post

Hi guys, hopefully this will help

 

Torrent software running on a PC

NIC configured like so (these IP's are examples)

IP-192.168.0.20

DNS-192.168.0.1

Gateway-192.168.0.1

 

Gateway is configured with airvpn connection and all traffic is routed through vpn (all appropriate firewall settings in place also)

(It is also best practice to place 192.168.0.20 in a block all rule in the firewall of the clear-net gateway)

 

the only possible outcome here is your torrent and DHT IP is of the airvpn exit node (no other possible outcome is possible because there is no other route in existence for that PC regardless of the OS and torrent client used.

 

do it like this and you are definitely safe.

Share this post


Link to post

I am using a paketfilter firewall to block all outgoing traffic on my nic except for the airvpn ips. I am not concerned about a package getting leaked. 

 

It seems that I have to disable ipv6 on my torrent vm to be completely safe. Which is not a problem at the moment because airvpn does not support ipv6 anyways. 

Share this post


Link to post

Hello!

 

Unfortunately some very popular torrent clients are closed source software so we can't say for sure what they do, but in case of doubts you can disable IPv6 in your system when you connect to the VPN.

 

Kind regards

 

There is nothing to stop a program from trying to contact some "home base" server on each interface. The home base server can then see all of the IP addresses on which the client can access the internet. And the client can exchange information with these servers.

 

So you do indeed need to be able to trust the client programs you are using. Or understand their behavior well enough to firewall them from doing what you do not want. But then they could detect that their attempt to contact home base has failed, and refuse to work.

 

If we want to be paranoid ...

 

The Vuze project recently condemned copyright piracy:

 

https://torrentfreak.com/vuze-bittorrent-client-condemns-piracy-says-stealing-140614/

 

But I believe Vuze is still open source (or am I wrong?). But can you be sure that a precompiled version really came from that source?

 

And what is the attitude of the uTorrent people?

 

I would suggest that you use an old version of uTorrent. Version 2.2.1 has been around quite a while. And does not have the amazing collection of bugs that one finds in later versions of uTorrent. Many private torrent trackers ban any later version of uTorrent.

 

If payment processors can be pressured to not allow services such as VPN-s because they can be used to avoid copyright constraints, then I have to think that much smaller commercial operations could be influenced.

 

I think the next "quantum leap" in file sharing technology is way overdue.

Share this post


Link to post

Hi and thanks for this thread.

 

Am I to understand that anyone with Admin privileges on a Windows computer and running a torrent client from that perspective is showing their real IP address on their torrent traffic?

 

If this is so then surely an easier way to circumvent the issue would be to open a guest account on the same machine without admin rights and run the torrent client form there instead?

 

Cheers

Share this post


Link to post

...

 

Am I to understand that anyone with Admin privileges on a Windows computer and running a torrent client from that perspective is showing their real IP address on their torrent traffic?

 

...

I am confident that with the version of uTorrent I use (2.2.1) and with that client firewalled from using the real IP address, my real IP address will not be revealed.

 

The point of this thread is that it would be unwise to have blind faith in closed source clients. Or for that matter open source clients, if you are not sure that the executable has been built from source that has been carefully reviewed by someone concerned about this issue.

 

Although uTorrent 2.2.1 is closed source, I think its network activity has been well analyzed by people who are concerned about security.

 

===

 

Using an account without admin privileges is not enough. This does not bar a program from sending packets on each interface.

Share this post


Link to post

I feel confident with my setup: AirVPN client, Utorrent 2.0.4 (older version before bloat), and using Comodo to lock it down to prevent leaks.

Share this post


Link to post

I use a freebsd virtual machine for torrenting with one interface and ipv6 disabled now. The kernel level firewall prevents all traffic to the internet except the airvpn gateways. So the only way a packet can leave the vm is via airvpn. I don't trust any torrent client and I don't have to.

Share this post


Link to post

I run utorrent 1.6.1 as I like the earlier and unadulterated version of that program.

 

Nasty not knowing for sure that my torrent traffic isn't identifying me to whoever but with the different layers I have in place I wouldn't bet on that happening.

Share this post


Link to post

Join the conversation

You can post now and register later. If you have an account, sign in now to post with your account.
Note: Your post will require moderator approval before it will be visible.

Guest
Reply to this topic...

×   Pasted as rich text.   Paste as plain text instead

  Only 75 emoji are allowed.

×   Your link has been automatically embedded.   Display as a link instead

×   Your previous content has been restored.   Clear editor

×   You cannot paste images directly. Upload or insert images from URL.

Loading...
  • Security Check
    Play CAPTCHA Audio
    Refresh Image

×
×
  • Create New...