DANGER! Reachable on real IP over the external por

[Droopy 2]

Why is this the case 5 months and it starts now, nothing on this end has changed.

DANGER! Reachable on real IP over the external port ------ , tcp protocol

[Staff 9894]

Why is this the case 5 months and it starts now, nothing on this end has changed.

DANGER! Reachable on real IP over the external port ------ , tcp protocol

Hello!

That message shows clearly that our system was able to reach some service on your computer on your REAL IP address and that it received an answer from your real IP address. This might expose you to correlation attacks. First of all, please make sure that all your router ports matching the ports remotely forwarded on our system are NOT open. For example, if you have forwarded ports 12345 and 12346, check that ports 12345 and 12346 on your router are closed or stealth.

Also, can you please let us know which service you're running when you receive that warning?

Kind regards

[FPyro 2]

Hi!

I have a router with a hardware firewall included and sometimes I have to use some programs when not connected to the VPN and I need the ports to be open. I might sometimes forget closing them again when I'm connected to the VPN though... how dangerous is that exactly, what would an attacker be able to achieve?

I am using comodo firewall too and have it pretty well configured I think...shouldn't that be enough protection?

Thank you.

[Staff 9894]

Hi!

I have a router with a hardware firewall included and sometimes I have to use some programs when not connected to the VPN and I need the ports to be open. I might sometimes forget closing them again when I'm connected to the VPN though... how dangerous is that exactly, what would an attacker be able to achieve?

I am using comodo firewall too and have it pretty well configured I think...shouldn't that be enough protection?

Thank you.

Hello!

If you have set Comodo according to our tutorial, you are already protected (see the end of the post).

In general, an attacker might correlate the activities on the VPN with your activities. He/she might manage to know which services you run behind the VPN and know that those services are yours. However, such an attacker must have the ability to monitor your line, or have previous knowledge on how you use your ISP line.

A typical adversary of this kind is someone working inside your ISP, or someone inside your ISP forced to do so by some entity. Observing your connections, the attacker is no more able to discover anything when you're connected to the VPN. So, the attacker may discover which entry-IP is correlated to which exit-IP of our servers, send packets to all the ports of the exit-IP of the VPN server you're connected to, then do the same to all the matching ports on your ISP's IP. When it discovers that you respond on the same ports both on Air server exit-IP and on your real IP, he/she knows that the one responding to the matching VPN server ports is you. This is particularly dangerous for example if you run a web server behind the VPN: the attacker will get to know that that web server is operated by you.

It's very easy to prevent this attack. Three safe solutions:

- do not forward on your router the same ports you remotely forward on the VPN servers: you might use different ports for the services you need to run behind the VPN and for the services you need to run without VPN connection; just don't mix them up

- forbid your service to respond to any packet coming from your physical adapter (for example, bind a web server like Apache or nginx to the tun adapter only); for most p2p clients, this solution is not available in the program configuration, it will need some "hack".

- configure a robust firewall according to our tutorial

Those who don't want to secure their connection with a firewall, don't need anyway to close ALL the ports on their routers, but only those ports that they have remotely forwarded on the Air servers.

Moreover, if you have Comodo configured to prevent any VPN leak like suggested in our tutorial, the attack fails miserably, because Comodo will block anyway (independently of forwarded router ports, IP binding etc.) any outgoing packet from your service outside the tunnel, so the attacker will not receive any answer from any port on your real IP (this is another reason for which we recommend to use firewalls to prevent leaks instead of "monitor & kill" applications).

Kind regards