Jump to content


Photo
- - - - -

IP leak affecting VPN providers with port forwarding


  • Please log in to reply
27 replies to this topic

#1 hugomueller

hugomueller

    Advanced Member

  • Members
  • PipPipPip
  • 130 posts

Posted 26 November 2015 - 09:53 PM

https://www.perfect-privacy.com/blog/2015/11/26/ip-leak-vulnerability-affecting-vpn-providers-with-port-forwarding/

 

 

We have tested this with nine prominent VPN providers that offer port forwarding.

 

 

Was AirVPN one of the tested services? Is AirVPN affected to this issue?



#2 Staff

Staff

    Advanced Member

  • Staff
  • PipPipPip
  • 7796 posts

Posted 26 November 2015 - 10:08 PM

https://www.perfect-privacy.com/blog/2015/11/26/ip-leak-vulnerability-affecting-vpn-providers-with-port-forwarding/

 

 


We have tested this with nine prominent VPN providers that offer port forwarding.

 

 

Was AirVPN one of the tested services? Is AirVPN affected to this issue?

 

Hello!

 

It's a correlation attack through some social engineering support. A solution is having separate entry and exit-IP addresses on each VPN server, just like in AirVPN.

 

The astounding information in the article, if true, is that nine [five, fixed by pj] providers have not taken care of that. The attack in itself is very trivial and is quite common knowledge in consumers' VPN industry. Perhaps the five providers cited in the article are not "VPN industry", but amateurish services?

 

Kind regards



#3 randomairuser

randomairuser

    Newbie

  • Members
  • Pip
  • 7 posts

Posted 26 November 2015 - 10:45 PM

Where did you get the idea of "nine providers have not taken care of that" when the article says that "We have tested this with nine prominent VPN providers"..." Five of those were vulnerable to the attack and have been notified".

 

PIA, as mentioned in the TorrentFreak article (and would be your biggest competitor) took care of it and offered a $5000 bounty, would you guys also do the same?



#4 pj

pj

    AirVPN Team

  • Staff
  • PipPipPip
  • 64 posts

Posted 26 November 2015 - 10:50 PM

Hi,

 

I am an original founder of AirVPN and I am aware of this "problem" since about 2002 when I started using OpenVPN. I don't understand "so much ado about nothing". It's not even a vulnerability, it's simply how the Internet works.

 

Articles like this one http://0x27.me/2015/11/26/Practical-Exploitation-of-Portfail.html could have been nice like thirteen or fourteen years ago, but now...?

 

Maybe it's just a a sad picture of how unprofessional nowadays VPN services have become, or maybe it's only that IT culture and knowledge have still a long way to go. To a techie eye, these articles are very detrimental for consumers' VPN services. They could cast a shadow of lack of professionalism on the whole industry. AirVPN personnel competence standards have always been and will always be at a (much) higher level than these articles might make you think.

 

Ciao!



#5 pj

pj

    AirVPN Team

  • Staff
  • PipPipPip
  • 64 posts

Posted 26 November 2015 - 10:52 PM

Where did you get the idea of "nine providers have not taken care of that" when the article says that "We have tested this with nine prominent VPN providers"..." Five of those were vulnerable to the attack and have been notified".

 

PIA, as mentioned in the TorrentFreak article (and would be your biggest competitor) took care of it and offered a $5000 bounty, would you guys also do the same?

 

 

A 5000 USD reward to be notified how the Internet works? Don't be joking. :)

 

For serious vulnerabilities unknown to us then yes, we could invest that amount of money. The "perfect, invulnerable system" does not exist, that's it. About PIA... well it's a giant in size if compared to AirVPN, and this makes this whole affair very odd, to say the least.



#6 randomairuser

randomairuser

    Newbie

  • Members
  • Pip
  • 7 posts

Posted 26 November 2015 - 11:05 PM

and this makes this whole affair very odd, to say the least.

 

That is something I can agree with. It was well published at the time of Snowden leaks that the NSA would take advantages of exploits and use them to their advantage. This attack however seems too specific to really be done on a "mass scale" of sorts but could be used to target an individual if there was a need.

 

I still say people should be more concerned at the WebRTC leaks and other such technology which is always wanting to bypass any security you have in place. It's a dangerous game of cat and mouse and only your own knowledge and expertise can save you from any such attack. 



#7 voltron

voltron

    Newbie

  • Members
  • Pip
  • 1 posts

Posted 26 November 2015 - 11:26 PM

kudos to PerfectP, they said the Emperor is nude. PIA seems more and more a bell and whistles service for gullible ppl. Remember HMA too! if this incident does not open your eyes then nothing can. Air is spartan and Spartans are tough and know what they do



#8 zhang888

zhang888

    Donald Trump of IT/Security

  • Moderators
  • 2219 posts

Posted 27 November 2015 - 12:54 AM

The crucial part here is knowing which VPN server your victim is connected to, and the page where the victim has

to visit in order to "leak" his IP.

 

So in case of AirVPN, which is a mid-small sized provider, the attacker will have to buy 40 accounts. 40x3 connections

to be able to "cover" all AirVPN's ~100 exit servers.

 

PIA boasts to have 3k servers so in that case making the attack feasible will require even more effort.

 

There are much simpler attack vectors to unmask VPN users with fail-open OpenVPN connections.

An old classic one is to initiate a DDoS attack on your victim VPN address, let's say even when you are on IRC,

where poorly configured VPN users will timeout their VPN connection and will re-connect to the IRC server with their

own address. pj said something about 2002 this is exactly the kind of things I remember from that era.

 

Stay safe and configure your browsers to NOT connect to any port higher than 1024. For many reasons.


Occasional moderator, sometimes BOFH. Opinions are my own, except when my wife disagrees.


#9 tuttifrutti

tuttifrutti

    Member

  • Members
  • PipPip
  • 22 posts

Posted 27 November 2015 - 06:04 AM

Seems like there was a post on Reddit about PIA's patch not working which also mentioned AirVPN having failed in the test for this vulnerability. Reddit post has been removed but poster has re-posted the claim in PIA's forums. Link below:

 

 

https://www.privateinternetaccess.com/forum/discussion/19289/pia-still-vulnerable-to-port-fail-leak#latest

 

Tested about 80 servers and they are all still leaking!

Sounds like PIA didn’t actually test there patch! 

IPVANISH failed too.

AirVPN Failed

TorGuard passed.. 



#10 EdensSpire

EdensSpire

    Advanced Member

  • Members
  • PipPipPip
  • 459 posts

Posted 27 November 2015 - 07:19 AM

Seems like there was a post on Reddit about PIA's patch not working which also mentioned AirVPN having failed in the test for this vulnerability. Reddit post has been removed but poster has re-posted the claim in PIA's forums. Link below:

 

 

https://www.privateinternetaccess.com/forum/discussion/19289/pia-still-vulnerable-to-port-fail-leak#latest

 

Tested about 80 servers and they are all still leaking!

Sounds like PIA didn’t actually test there patch! 

IPVANISH failed too.

AirVPN Failed

TorGuard passed.. 

 

Now what doesn't add up for AirVPN to actually FAIL is this, on the https://www.perfect-privacy.com/blog/2015/11/26/ip-leak-vulnerability-affecting-vpn-providers-with-port-forwarding/ page there is this:

Mitigation

Affected VPN providers should implement one of the following:

  • Have multiple IP addresses, allow incoming connections to ip1, exit connections through ip2-ipx, have portforwardings on ip2-ipx
  • On Client connect set server side firewall rule to block access from Client real ip to portforwardings that are not his own.

and AirVPN has BOTH, the entry address used is different from the exit address. In any way even if that method was to fail, the network lock blocks any sort of connection on every port to your real IP except those of AirVPN which the hacker cannot get their hands on which means their attempt would fail



#11 Staff

Staff

    Advanced Member

  • Staff
  • PipPipPip
  • 7796 posts

Posted 27 November 2015 - 09:24 AM

So in case of AirVPN, which is a mid-small sized provider, the attacker will have to buy 40 accounts. 40x3 connections
to be able to "cover" all AirVPN's ~100 exit servers.


Hello,

as you very well know, anyway the "attack" would fail on AirVPN, because clients connect to an IP address, and are reachable on a different IP address only.

Kind regards

#12 tranquivox69

tranquivox69

    Advanced Member

  • Members
  • PipPipPip
  • 58 posts

Posted 27 November 2015 - 11:24 AM

Good, I came here just to check if and how this affected us and I see that the staff had already covered it. :)

 

Just renewed my subscription for a year.



#13 BlaatAap66

BlaatAap66

    Newbie

  • Members
  • Pip
  • 3 posts

Posted 27 November 2015 - 02:44 PM

AirVPN is not vulnerable, because the VPN server you're connecting to (with your real ip, obviously) is for example 1.2.3.4. For this, route has been set, but the ip that can be used for incoming connections is never 1.2.3.4, but will be something like 1.2.3.5. And since connections to 1.2.3.5 will just be routed via your VPN tunnel (like any other public ip), you are not vulnerable to this attack vector.



#14 johnnymac

johnnymac

    Member

  • Members
  • PipPip
  • 16 posts

Posted 27 November 2015 - 03:16 PM

https://torrentfreak.com/huge-security-flaw-can-expose-vpn-users-real-ip-adresses-151126/



#15 iamoverthere

iamoverthere

    Newbie

  • Members
  • Pip
  • 6 posts

Posted 27 November 2015 - 04:05 PM

It was nice to find this discussion.  Thanks for explaining it. 



#16 rickjames

rickjames

    Advanced Member

  • Members
  • PipPipPip
  • 359 posts

Posted 27 November 2015 - 05:04 PM

Hi,

 

I am an original founder of AirVPN and I am aware of this "problem" since about 2002 when I started using OpenVPN. I don't understand "so much ado about nothing". It's not even a vulnerability, it's simply how the Internet works.

 

Articles like this one http://0x27.me/2015/11/26/Practical-Exploitation-of-Portfail.html could have been nice like thirteen or fourteen years ago, but now...?

 

Maybe it's just a a sad picture of how unprofessional nowadays VPN services have become, or maybe it's only that IT culture and knowledge have still a long way to go. To a techie eye, these articles are very detrimental for consumers' VPN services. They could cast a shadow of lack of professionalism on the whole industry. AirVPN personnel competence standards have always been and will always be at a (much) higher level than these articles might make you think.

 

Ciao!

 

With enough time old becomes new and new becomes old.



#17 win8

win8

    Advanced Member

  • Members2
  • PipPipPip
  • 68 posts

Posted 27 November 2015 - 07:49 PM

The crucial .....d of things I remember from that era.

 

Stay safe and configure your browsers to NOT connect to any port higher than 1024. For many reasons.

How can this be done?



#18 pwolverine

pwolverine

    Member

  • Members
  • PipPip
  • 18 posts

Posted 27 November 2015 - 08:45 PM

It looks to me like simple marketing.  It basically is a "don't use any other VPN they are not secure, sign up with us" article.  Nothing to back it up, no place for comments.

 

Same with Torrentfreak, whilst its a great site for info, they are bent towards all their sponsors like PIA and are simply reporting unverified info from another site.



#19 zhang888

zhang888

    Donald Trump of IT/Security

  • Moderators
  • 2219 posts

Posted 27 November 2015 - 08:52 PM

The crucial .....d of things I remember from that era.

 

Stay safe and configure your browsers to NOT connect to any port higher than 1024. For many reasons.

How can this be done?

 

 

http://www-archive.mozilla.org/projects/netlib/PortBanning.html


Occasional moderator, sometimes BOFH. Opinions are my own, except when my wife disagrees.


#20 jameskatt

jameskatt

    Member

  • Members
  • PipPip
  • 10 posts

Posted 27 November 2015 - 10:15 PM

I'm glad AirVPN is run by professionals.







Similar Topics Collapse

0 user(s) are reading this topic

0 members, 0 guests, 0 anonymous users

Servers online. Online Sessions: 14604 - BW: 54900 Mbit/sYour IP: 54.197.24.206Guest Access.