I would like to start a discussion on the following paper on IPv6 and DNS security issues, in particular because it explicitly mentions AirVPN as vulnerable:
"A Glance through the VPN Looking Glass: IPv6 Leakage and DNS Hijacking in Commercial VPN clients"
(click on "Full Text PDF")
The paper discusses two separate attacks:
1. IPv6 Man-in-the-Middle through Router Advertisement
This has been discussed for years and there are several exploitation tools available to mount an attack, yet awareness of the problem seems to be very, very low. Essentially the problem is that most OSes have IPv6 enabled and prefer it over IPv4, yet almost all local networks are IPv4 only. An attacker can advertise himself as an IPv6 router, and your OS will start sending all your traffic to him because IPv6 is preferred. He only needs to be on the same local network as you are, which is the case for public WiFi etc.
There are several news items giving an easy explanation of the attack, e.g. https://www.virusbtn.com/blog/2013/08_12.xml
The attack is also known as "SLAAC Attack", as discussed already in 2011 here:
Tools to try it out:
- SuddenSix (Linux bash script) https://github.com/Neohapsis/suddensix
- Evil FOCA (Windows, also does DNS Hijacking) https://www.elevenpaths.com/labstools/evil-foca/index.html
  Also presented at DEFCON 21: http://www.slideshare.net/chemai64/defcon-21-fear-the-evil-foca-mitm-attacks-using-ipv6
- THC-IPV6 with fake_router6 (Linux) https://www.thc.org/thc-ipv6/
Defense against the attack is very simple: Turn off IPv6 on your machines!
AirVPN can help by adding functionality to the AirVPN client to set IPv6 routing tables as well and make sure IPv6 traffic goes to the VPN interface.
2. DNS Hijacking through route injection
This more advanced attack also comes with more prerequisites: the attacker needs to control the WiFi router. Given generally poor router security this is not too much to ask, though. When the attacker sees you are connecting to a VPN, he notes the VPN provider you are connecting to and creates a virtual interface on the router with the IP address of the DNS server used for the VPN. With a low DHCP lease period he forces you to renew your DHCP lease and now gives you the virtual interface as the default gateway. This messes up your routing tables enough that all your DNS requests will now go to the attacker-controlled router and not through your VPN tunnel.
A proposed way to detect the attack would be for the AirVPN client to do repeated DNS checks for specific domains that only the AirVPN DNS servers can resolve. A way to fully mitigate the attack seems to be to have the default gateway for the VPN also be the DNS server.
If it's any consolation, of the 14 VPN providers tested, only four had clients that protected against IPv6 leaks and only one was not vulnerable to DNS hijacking.
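As an added example (not part of the post above and not code from the paper or from AirVPN's client), here is a host-side check for the two leak conditions the post describes, working from the Linux `ip route get` and `ip -6 route show default` output: an IPv6 default route that does not go through the tunnel interface (rogue RA / SLAAC attack, or IPv6 simply left unrouted by the client), and a route to the VPN's DNS server that leaves the LAN interface instead of the tunnel (the route-injection DNS hijack). The routing-table samples are constructed to look like real output; the interface names `tun0` and `wlan0` and the DNS server address `10.4.0.1` are assumptions.

```python
"""Leak check over Linux routing-table output (added example, assumptions noted inline).

Checks two conditions from the post:
  1. an IPv6 default route on any interface other than the VPN tunnel;
  2. the route to the VPN DNS server leaving on a non-tunnel interface.
"""
import re
import subprocess

# --- constructed samples (not captured from a real host) ---------------------
# `ip route get 10.4.0.1` on a healthy host: DNS server reached through tun0.
SAMPLE_GOOD_V4 = "10.4.0.1 dev tun0 src 10.4.0.22 uid 1000 \n    cache \n"
# After the route-injection attack: the router handed out itself as gateway and
# the DNS server address is now reached on the LAN interface.
SAMPLE_BAD_V4 = "10.4.0.1 via 192.168.1.1 dev wlan0 src 192.168.1.23 uid 1000 \n    cache \n"
# `ip -6 route show default`: healthy hosts have no IPv6 default route (or one
# via the tunnel); a rogue RA installs one on the LAN interface.
SAMPLE_GOOD_V6 = ""
SAMPLE_BAD_V6 = "default via fe80::1 dev wlan0 proto ra metric 1024 expires 1780sec pref high\n"

_DEV_RE = re.compile(r"\bdev\s+(\S+)")
_VIA_RE = re.compile(r"\bvia\s+(\S+)")


def parse_route_get(output):
    """Return (device, via) from the first line of `ip route get` output.
    `via` is None for directly connected or point-to-point routes."""
    lines = output.strip().splitlines()
    first = lines[0] if lines else ""
    dev = _DEV_RE.search(first)
    via = _VIA_RE.search(first)
    return (dev.group(1) if dev else None, via.group(1) if via else None)


def parse_v6_defaults(output):
    """Return the interfaces carrying an IPv6 default route, in order."""
    devs = []
    for line in output.splitlines():
        if line.startswith("default"):
            m = _DEV_RE.search(line)
            if m:
                devs.append(m.group(1))
    return devs


def check_leaks(v4_route_get, v6_defaults, tun_iface="tun0"):
    """Combine both checks; returns a dict of findings (empty means clean)."""
    findings = {}
    dev, via = parse_route_get(v4_route_get)
    if dev != tun_iface:
        findings["dns_route"] = "DNS server route leaves via %s (gateway %s), not %s" % (
            dev, via, tun_iface)
    leaky = [d for d in parse_v6_defaults(v6_defaults) if d != tun_iface]
    if leaky:
        findings["ipv6_default"] = (
            "IPv6 default route on %s; disable IPv6 or route it into the tunnel"
            % ", ".join(leaky))
    return findings


def live_check(dns_ip="10.4.0.1", tun_iface="tun0"):
    """Run the same checks against the live host (Linux iproute2; needs no root)."""
    v4 = subprocess.run(["ip", "route", "get", dns_ip],
                        capture_output=True, text=True, check=False).stdout
    v6 = subprocess.run(["ip", "-6", "route", "show", "default"],
                        capture_output=True, text=True, check=False).stdout
    return check_leaks(v4, v6, tun_iface)


if __name__ == "__main__":
    for label, v4, v6 in (("healthy", SAMPLE_GOOD_V4, SAMPLE_GOOD_V6),
                          ("attacked", SAMPLE_BAD_V4, SAMPLE_BAD_V6)):
        print(label, check_leaks(v4, v6) or "clean")
```

Repeating `live_check()` on a timer (every DHCP renewal is the interesting moment) gives a client the route-level counterpart of the DNS canary check the post proposes: if the DNS server address stops routing through the tunnel, the hijack has already happened, regardless of what the resolver answers.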