VPN Flaw Shows Users' IP Addresses

Posted by Soulskill
from the illusion-of-privacy dept.
AHuxley writes "A VPN flaw announced at the Telecomix Cyphernetics Assembly in Sweden allows individual users to be identified. 'The flaw is caused by a combination of IPv6, which is a new Internet protocol due to replace the current IPv4, and PPTP (point-to-point tunneling protocol)-based VPN services, which are the most widely used. ... The flaw means that the IP address of a user hiding behind a VPN can still be found, thanks to the connection broadcasting information that can be used to identify it. It's also relatively easy to find a MAC address (which identifies a particular device) and a computer's name on the network that it's on.' The Swedish anti-piracy bureau could already be gathering data using the exploit."
  • it's also relatively easy to spoof an IP address or MAC address.
    • by dotgain (630123) on Monday June 21, 2010 @01:28PM (#32643336) Homepage Journal
      And it's just as sensible as spoofing your home address when ordering pizza that you ultimately want to eat.
      • by Sir_Lewk (967686)

        That applies for spoofing your IP address, but not for spoofing your MAC address.

        • by dotgain (630123)
          Fair enough. As my laptop and WiFi capable phone go from place to place, my (unspoofed) MAC address gets pissed all over the place. Much like the licence plate on my car does. This doesn't really bother me.
    • Re: (Score:3, Informative)

      by Rijnzael (1294596)
      MAC address sure, since your device's MAC address isn't used after your packets reach the ISP's border. However, I invite you to try to establish a full duplex connection using a spoofed IP. Sure, you can send packets using a spoofed IP provided your ISP allows you to send packets for IP's which they don't announce, but you're not getting the response to that packet back. This is actually the basis for DDoS reflection attacks [plynt.com].
      • Re: (Score:1, Interesting)

        see my comment [slashdot.org] above...

        you flood the network with "ghosts"... 1,000+ spoofed IP packets for every 1 real one. sort of like under siege dark territory with the ghost satellites.

        it isn't perfect, but provides enough ambiguity to make a counter attack almost pointless for a considerable time.

        • Re: (Score:3, Interesting)

          by Rijnzael (1294596)
          Definitely an interesting thought, though with a MITM attacker (presumably the person one is using Tor/VPN/whathaveyou to hide from) it would be pretty obvious that one isn't actually establishing true communication, as the TCP sequence numbers et al wouldn't make any sense, and the remote machine wouldn't be sending back any data packets. With UDP it might be less obvious, though it would be clear one is only sending and not receiving.
        • "see my comment [slashdot.org] above...

          you flood the network with "ghosts"... 1,000+ spoofed IP packets for every 1 real one. sort of like under siege dark territory with the ghost satellites.

          it isn't perfect, but provides enough ambiguity to make a counter attack almost pointless for a considerable time."

          And Comcast nukes your connection.

          Seriously, ISPs are already miffed about the bandwidth usage of P2P systems. Intentionally throwing garbage down them intertubes will not only plug them up, but give the

      • by vlm (69642)

        However, I invite you to try to establish a full duplex connection using a spoofed IP.

        I think you're new to ipv6 and are thinking in ipv4 terms.

        At one site I have a tunnel from sixxs (because it's dynamic) and another site I have a tunnel from tunnelbroker.net aka everyone's favorite ISP he.net (which only works on static IPs, more or less)

        At both sites I have a /48 of which I have a /64 assigned to my ethernet LAN. Based on various blah blah blah you can figure out my MAC address based on my ipv6 address.

        You can also assign multiple arbitrary ipv6 addresses to an interface. One of my boxes

        • by quantumplacet (1195335) on Monday June 21, 2010 @02:03PM (#32643802)

          assigning a second IP address, that you also control, to an interface is not 'spoofing' in any sense of the word. If you assign an IP address that I control, then you're spoofing, at which point you have the same problem in IP6 that you have in IP4.

          • Re: (Score:3, Informative)

            by vlm (69642)

            Kind of two separate arguments.

            Let's look at the original poster's claim

            MAC address sure, since your device's MAC address isn't used after your packets reach the ISP's border. However, I invite you to try to establish a full duplex connection using a spoofed IP.

            Now his point is that your MAC is irrelevant beyond your layer 2 link. OK, correct on ipv4.

            However, what if you use ipv6 and RFC 2462 "Stateless Address Autoconfiguration" which basically picks your ipv6 address based on your MAC address. Wedging a 48 bit mac address into, say, a /28 of ipv4 space isn't going to work too well, but wedging a 48 bit mac address into a /64 LAN of ipv6 works pretty well.

            http://www.ietf.org/rfc/rfc2462.txt [ietf.org]

            No

            • by Phs2501 (559902)
              It's not even "spoofing" to pick a random IPv6 address, it's a standard:

              RFC 4941: Privacy Extensions for Stateless Address Autoconfiguration in IPv6 [ietf.org]

              Windows does this by default.

            • by drinkypoo (153816)

              Even worse, the top 24 bits of the mac define the device manufacturer, so no matter where you go in the world, people know you've got an apple, or whatever.

              If you can't change your MAC then your OS and/or driver blow. Even almost every NIC I've plugged into a Windows box has had driver support for MAC changes.

              Now if you do this at work, your local net nanny is going to get all teed off that some "unknown" MAC address is online, because look at that ipv6 address that doesn't match any known inventoried hardware MAC address.

              Personally I think that employers that let you connect your devices to their networks are crazy anyway. I could see providing WiFi that is segregated from the corporate network for employee convenience, but then you don't have to worry too much about what is connected, only what it is doing.

            • So why not just hash the netmask and mac together perhaps with a salt value to generate your stateless address. That should give you the same low risk of collisions, while giving you a different address on each network and not exposing any identifying information to remote hosts.
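The EUI-64 construction vlm describes (RFC 2462: flip the universal/local bit, splice `ff:fe` into the middle of the MAC, append to the /64) and the hash-based alternative proposed in the comment above can both be shown in a few lines. The following is an added example, not code from the thread or from any RFC; the MAC, prefix and secret are constructed sample values, and the hash scheme is a simplified version of the idea (RFC 7217 standardises a fuller form with a duplicate-address counter). `find_mac_leaks` is the defender's side: given addresses from a log or inventory, it lists which ones still carry a hardware address and hence the manufacturer's OUI.

```python
import hashlib
import ipaddress
from typing import List, Optional, Tuple


def _mac_bytes(mac: str) -> bytes:
    """Parse '00:1a:2b:3c:4d:5e' (or dash-separated) into 6 raw bytes."""
    octets = bytes.fromhex(mac.replace(":", "").replace("-", ""))
    if len(octets) != 6:
        raise ValueError("a MAC address is exactly 48 bits")
    return octets


def _net64(prefix: str) -> ipaddress.IPv6Network:
    """SLAAC works on a /64; reject anything else early."""
    net = ipaddress.IPv6Network(prefix, strict=False)
    if net.prefixlen != 64:
        raise ValueError("SLAAC needs a /64 prefix")
    return net


def eui64_address(prefix: str, mac: str) -> ipaddress.IPv6Address:
    """RFC 2462-style address: flip the U/L bit of the first octet, insert ff:fe
    between the OUI and the device part, and place the result in the /64.
    The MAC now rides along in every packet the host sends."""
    m = _mac_bytes(mac)
    iid = bytes([m[0] ^ 0x02]) + m[1:3] + b"\xff\xfe" + m[3:]
    return ipaddress.IPv6Address(int(_net64(prefix).network_address) | int.from_bytes(iid, "big"))


def mac_from_address(addr: str) -> Optional[str]:
    """Undo the EUI-64 construction. Returns None when the interface identifier
    lacks the ff:fe marker, i.e. was not derived from a MAC."""
    iid = ipaddress.IPv6Address(addr).packed[8:]
    if iid[3:5] != b"\xff\xfe":
        return None
    m = bytes([iid[0] ^ 0x02]) + iid[1:3] + iid[5:]
    return ":".join(f"{b:02x}" for b in m)


def stable_privacy_address(prefix: str, mac: str, secret: bytes) -> ipaddress.IPv6Address:
    """Hash-based interface identifier as proposed above (simplified RFC 7217 flavour):
    same host on the same network -> same address; a different network -> an
    unrelated address; the MAC itself never appears on the wire. Assumed scheme,
    not the thread's or any vendor's implementation."""
    net = _net64(prefix)
    digest = hashlib.sha256(net.network_address.packed[:8] + _mac_bytes(mac) + secret).digest()
    iid = int.from_bytes(digest[:8], "big")
    return ipaddress.IPv6Address(int(net.network_address) | iid)


def find_mac_leaks(addresses: List[str]) -> List[Tuple[str, str, str]]:
    """Audit helper: (address, embedded MAC, OUI) for every address that reveals
    a hardware address. The OUI (first three octets) identifies the manufacturer."""
    leaks = []
    for a in addresses:
        mac = mac_from_address(a)
        if mac is not None:
            leaks.append((a, mac, mac[:8]))
    return leaks


if __name__ == "__main__":
    # Constructed sample values, not taken from the thread.
    home = eui64_address("2001:db8::/64", "00:1a:2b:3c:4d:5e")
    print(home, "->", mac_from_address(str(home)))
    for net in ("2001:db8::/64", "2001:db8:1::/64"):
        print(net, stable_privacy_address(net, "00:1a:2b:3c:4d:5e", b"per-host secret"))
    print(find_mac_leaks([str(home), "2001:db8::1"]))
```

Running it shows the MAC `00:1a:2b:3c:4d:5e` surfacing as `2001:db8::21a:2bff:fe3c:4d5e` and being recovered from it, while the hashed form gives two unrelated addresses on the two prefixes; the leak finder flags only the EUI-64 one.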
      • by mysidia (191772)

        Full duplex connections are possible.

        It's just necessary for the spoofer to first compromise an appropriate router on your network and set up a tunnel.. Either through brute force, or through well-known vulnerabilities in certain router OSes (which are rarely updated, because most sysadmins don't think the router/firewall is a legitimate target, or just don't bother to follow security updates... It's a firewall after all, so "It must be secure!").

        Or, analyze what IP address space you are announcing, a

    • Re: (Score:1, Insightful)

      by Anonymous Coward

      "Spoofing" an IP address will tend to cause the packets to be delivered to the wrong place.

      On a very different note, it is worth remembering that MAC addresses are embedded in the IPv6 address. If these guys are presenting the idea that you can get a MAC address from an IP address (in IPv6) as a new security flaw, they obviously haven't been reading the RFCs. Why the #*%! do these morons think people are so reluctant to switch to IPv6? Because it makes it very hard to obscure a machine on the Internet, and

  • by bagboy (630125) <neo&arctic,net> on Monday June 21, 2010 @01:27PM (#32643318)
    has not been using pptp for vpn for quite some time. IPSEC (AES) anyone? Just sayin.
    • Any Network Admin worth his weight has not been using pptp for vpn for quite some time. IPSEC (AES) anyone? Just sayin.

      IPSEC doesn't have to use AES, it supports other ciphers. Further, PPTP does not specify encryption, but Windows clients use MPPE, which is RSA RC4.

    • On FreeBSD, sudo portinstall net/mpd5 and editing a config file to configure your IP addresses installs a working PPTP server that an Apple i* can use. Although you may not approve, my boss likes having an easy-to-configure VPN when he's on the road. I like being able to securely surf and IM from open WiFi. IPSEC might be the "better" way, but there's a lot to be said for having something working 5 minutes into trying it for the first time.

      • by drinkypoo (153816)

        FWIW the tools in Win2k and later for IPSEC profile management are pretty fine. I have never actually tried with a windows client with a dynamic IP though :)

        • You're probably right. I just never got to the point of trying, since configuring PPTP was so easy and it works reliably.
          • by drinkypoo (153816)

            I'm fiddling around with Windows 7 Pro right now and it doesn't seem to have the same grade of IPSEC management tools that 2K and XP mostly share. (XP has a bit more, of course.) But perhaps the functionality is moved into another snap-in? I have read that the shrew soft vpn client [shrew.net] (download link) is useful in recent versions but have not yet set up ipsec on my desktop Ubuntu system to find out. I've done ipsec Linux-Linux and HPSUX-Windows but that's it so far.

  • by drinkypoo (153816) <martin.espinoza@gmail.com> on Monday June 21, 2010 @01:27PM (#32643322) Homepage Journal

    You don't need PPTP if you're using IPSEC and IPv6. Even Microsoft clients don't need it any more.

  • IPv6 (Score:5, Funny)

    by Perl-Pusher (555592) on Monday June 21, 2010 @01:30PM (#32643354)
    IPv6, which is a new internet protocol due to replace the current IPv4

    My grand kids will probably be saying that to their grand kids.
    • Actually by then, it'll be IPv6.1 with a single extra bit added to the end of each IP Address, thereby DOUBLING the IP address space.

      • by drinkypoo (153816)

        Actually by then, it'll be IPv6.1 with a single extra bit added to the end of each IP Address, thereby DOUBLING the IP address space.

        Finally! I was wondering when I would have a use for my 129-bit processor design.

      • Re:IPv6 (Score:5, Funny)

        by DdJ (10790) on Monday June 21, 2010 @01:58PM (#32643734) Homepage Journal

        Actually by then, it'll be IPv6.1 ...

        ...unless you're running on a Microsoft operating system, in which case it'll be "IPv6.11 for Workgroups".

      • Re: (Score:1, Troll)

        by vlm (69642)

        I heard that instead of specifying addresses using hexadecimal digits 0-9 and A-F, some PhD wants to use 0-9 and A-Z. And the offshored helpdesk wants to use unicode characters instead of hexadecimal digits.

        I bet there's a heck of a lot of spreadsheets and ip allocation thingys and map generation scripts and especially webpage javascript validation that won't tolerate "letters" in yer "IP addresses". Underlying OS and apps are generally OK at this point (I've been running ipv6 for many years from various

    • Re: (Score:2, Interesting)

      by xanadu113 (657977)
      Right after we get switched to the metric system!

      In elementary school, they ONLY taught me the metric system, because it was going to replace the english system by the time I graduated high school... I'm still waiting...
      • Maybe you needed a different school. My education started in the '60s, and we learned to cope with both.
        • Yes, what BrokenHalo says. I started school in 1961, and learned pounds, ounces, etc. Somewhere along - ohhhh - 6th grade I think, they told us that within a couple years we wouldn't see any of that stuff, we needed to learn metric.

          Metric is so easy - if you can count to ten, you have metric mastered. I've never figured out why people claim they have a hard time with it. Everything is powers of ten - everything. Almost everyone is born with ten appendages at the ends of their arms, right? Yeah, yeah,

          • The downside to a base 10 measurement system is that it only has two factors: 2 and 5.

            It seems to be a lot more common to divide physical quantities into thirds than fifths so you are giving up something when you switch from a system that has 3 prime factors to one that only has 2.

            The cost/benefit ratio is probably in favor of the metric system in most cases, but don't dismiss the possibility that it might not be in all cases.

            • by hoggoth (414195)

              3 and 1/3rd. 3.33. Was that so hard?
              If you are measuring flour for a cake and put in 3.34 or 3.32 I'm sure everyone will be polite and not tell you how bad it turned out.

              Or maybe you are calculating interstellar probe trajectories without a calculator?

              • If you have a 3 1/3 ml measuring spoon, you’ve basically defeated your nice power-of-10 system.

                • If you put 100g of yeast in a 1kg loaf of bread simply because it's a nice round number in your power-of-10 system, you're going to end up with something you don't want to eat.
                  • So... what you're telling me is that while nice round numbers are handy for mathematics, they aren't practically useful in real-life applications.

                    Well, that's what we've been trying to tell you all along.

                    So, we end up having 3 Tsp. per 1 Tbsp. Why? Because it was convenient in real life, not on a page of numbers.

              • How about a space shuttle?

        • by Sir_Lewk (967686)

          I went to school in the 90s and only learned metric. It was my understanding that this was pretty universal among public schools in my area.

          Really, if everyone stopped using imperial units tomorrow, I'd venture to guess that only a handful of old geezers would have any trouble with it.

      • by CFD339 (795926)

        Did they teach entirely in Esperanto as well?

      • Sheesh, I’d tell them to give it up and just let me graduate high school finally.

  • Now they have my IP address: 192.160.0.1

    • by sconeu (64226)

      Did you mean 192.168.0.1?

      192.168/16 is the private address. 192.160/16 is not.

      • Did you mean 192.168.0.1? 192.168/16 is the private address. 192.160/16 is not.

        Stealth... You're doing it wrong.

    • by Tanman (90298)

      Now they know what subset of brands your router is manufactured by, since various ones assign different local ip addresses. This lets them target attacks more specifically or search out vulnerabilities specific to certain known firmware issues.

    • by sharkey (16670)
      May be, but there's NO WAY they're getting 127.0.0.1. That's MINE!
  • by Bob_Who (926234) <Bob&who,net> on Monday June 21, 2010 @01:51PM (#32643642) Homepage Journal

    The only flaw is when people believe that VPN or any other network technology streaming on the public superhighway via telecoms and satellite networks is absolutely private and secure 100% of the time. Once you fix that defect, the rest won't matter anymore. Too bad our national security experts are having so much difficulty with that concept, since it's bad for business to accept reality or to tell the truth, in general.

  • So, what's the move? (Score:3, Interesting)

    by b0bby (201198) on Monday June 21, 2010 @01:57PM (#32643718) Homepage

    What, then, is the best way to preserve anonymity when using, for instance, BitTorrent? I have looked at services like BTGuard & Predator, but there's always a little spidey-sense tingle of lack of trust...

  • doesn't IPv6 drop some of need for VPN?

    But then the ISP need to do their part and give you more than 1 ip.

    • by vlm (69642)

      doesn't IPv6 drop some of need for VPN?

      http://en.wikipedia.org/wiki/IPv6#Mandatory_network_layer_security [wikipedia.org]

      IPSec is mandatory for "full ipv6 support", and of course almost no one uses it.

      It's kind of like saying having https webservers removes all need for VPNs. Well, not exactly.

      But then the ISP need to do their part and give you more than 1 ip.

      I'm not aware of any tunnelbroker who won't give you a /48 for your LAN, at this time. ISPs, being ISPs, will find a way to F it all up, I'm sure.

    • On IPv6, they shouldn't ever be giving you less than a /64 and a /48 if you request it (or pay more or whatever). NATing is apparently against the law, but we overlook it because otherwise IPv4 would be broken already. My thinking is that NATing on IPv6 will continue to be OK for security reasons, but it's supposed to be completely unnecessary since we'll have enough IPv6 addresses to give one to every grain of sand on earth or whatever.
      • Re: (Score:3, Interesting)

        by vlm (69642)

        My thinking is that NATing on IPv6 will continue to be OK for security reasons

        My thinking is we're going to see massive namespace pollution in the marketing world. Since most people use "nat security" as basically a complicated as heck one way valve, and it's "expensive" to do nat compared to simple state based firewalls, I suspect the marketing droids are going to get simple state based firewalls that only allow outgoing connections from engineering, and then sell them as "ipv6 NAT" even though there's no address translation going on.

        After all, its the same as ipv6 NAT because it all

  • by SJ2000 (1128057) on Monday June 21, 2010 @01:58PM (#32643732) Homepage
    • Re: (Score:1, Informative)

      by Anonymous Coward

      Unfortunately the talk is structured very poorly. The talk is about several deanonymization techniques: Flash, which allegedly does not respect proxy settings (I think it's an option), can be used to establish connections outside of the VPN if you can make the victim open a web page. Alternatives are image URLs with FTP or other protocols for which no proxy on the VPN is configured, etc. The IPv6 problem is of the same nature: If you link to an image with an IPv6 address in the URL, the request will not go

      • by materi (1835936)
        Was this all that they talked about? nothing specific to PPTP as title suggests? then meh, not really news. I would have liked to listen to the talks if I could find a source with decent quality audio...
  • rather wish I had not.
  • Hey um... I was just kidding about the whole overthrow the government thing. And the kiddie pics were for a research project. Like Pete Townshend. Yeah, just like Pete Townshend. And I purchased all of those songs and movies and just needed backup copies.

  • The Swedish anti-piracy bureau could already be gathering data using the exploit."

    Um, not sure about Swedish law, but isn't this similar to like, breaking DVD encryption? Just because the encryption is weak or has a security flaw in it, I am pretty sure it is still illegal to break or exploit it. If that's the case, could IP addresses gathered using this exploit be permissible in a court of law?

    Just wondering out loud

    • by b0bby (201198)

      My basic understanding of it is that they're not breaking any encryption, they're just using this flaw to gather your real IP address when you are going through a VPN endpoint. Your hope would be that all anyone monitoring a torrent could see would be the address of your VPN endpoint (probably from a VPN provider like The Pirate Bay), but instead they're able to gather more information, presumably so they can identify and sue you.

      • by hag3r (770359)
        And even if they were breaking laws, any evidence they found would still be permissible in a Swedish courtroom if I'm not mistaken.
    • by Husgaard (858362)

      In Swedish law, even evidence gathered illegally is permissible in court.

      And with the new IPRED legislation in Sweden from last year, the anti-piracy now have better means of obtaining evidence for civil court cases (pay us, or we sue) than the Swedish police has for criminal file sharing cases.

  • The article wasn't terribly well written. I would say it is not a big deal at all because the traffic between the tunnel end-points is encrypted anyway. I smell an attempt to spread FUD about IPv6 and I happen to like IPv6.
  • As far as I can see, the vulnerability he talks about in the video is basically "if you use a VPN, but you don't put IPv6 traffic over the VPN, IPv6 traffic won't go over the VPN".

    It seems a bit unfair to blame IPv6 for this; after all, IPv4 suffers from the same vulnerability.
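The leak the comment above describes (and the image-URL variant the Anonymous Coward mentions earlier in the thread) comes down to one question: does the host's default route for each address family point at the tunnel interface or at the physical one? The following added example, which is not from the thread or from any VPN product, checks that over `ip route` / `ip -6 route` style output; the route lines below are constructed samples of the iproute2 format, and the tunnel interface name `tun0` is an assumption. A practitioner would feed it the real output of those two commands.

```python
import re
from typing import Dict, List, Optional

_DEV_RE = re.compile(r"\bdev\s+(\S+)")
_METRIC_RE = re.compile(r"\bmetric\s+(\d+)")

# Constructed sample output, in the shape `ip route` / `ip -6 route` print it.
# The VPN client installed an IPv4 default route via tun0 but did nothing for IPv6,
# so the RA-learned IPv6 default via the wireless card is still in force.
SAMPLE_V4 = [
    "default via 10.8.0.1 dev tun0 metric 50",
    "default via 192.168.1.1 dev wlan0 proto dhcp metric 600",
    "10.8.0.0/24 dev tun0 proto kernel scope link src 10.8.0.2",
    "192.168.1.0/24 dev wlan0 proto kernel scope link src 192.168.1.23 metric 600",
]
SAMPLE_V6 = [
    "2001:db8:1::/64 dev wlan0 proto ra metric 600",
    "fe80::/64 dev wlan0 proto kernel metric 256",
    "default via fe80::1 dev wlan0 proto ra metric 1024",
]


def default_route_dev(route_lines: List[str]) -> Optional[str]:
    """Interface used by the lowest-metric default route, or None when the table
    has no default route at all. A missing 'metric' keyword means metric 0."""
    best = None  # (metric, dev)
    for line in route_lines:
        if not line.strip().startswith("default"):
            continue
        dev = _DEV_RE.search(line)
        if dev is None:
            continue
        m = _METRIC_RE.search(line)
        metric = int(m.group(1)) if m else 0
        if best is None or metric < best[0]:
            best = (metric, dev.group(1))
    return None if best is None else best[1]


def check_tunnel_coverage(v4_routes: List[str], v6_routes: List[str], tunnel_dev: str) -> Dict[str, str]:
    """Per address family: 'tunnelled' if the default route uses tunnel_dev,
    'leaks via <dev>' if it uses anything else, 'blocked' if there is no default
    route (traffic for that family simply fails, which is the safe failure mode)."""
    result = {}
    for family, lines in (("ipv4", v4_routes), ("ipv6", v6_routes)):
        dev = default_route_dev(lines)
        if dev is None:
            result[family] = "blocked"
        elif dev == tunnel_dev:
            result[family] = "tunnelled"
        else:
            result[family] = "leaks via " + dev
    return result


if __name__ == "__main__":
    print(check_tunnel_coverage(SAMPLE_V4, SAMPLE_V6, "tun0"))
    # Two ways to close the hole: route IPv6 through the tunnel too, or drop the
    # IPv6 default route so nothing can go around the VPN.
    print(check_tunnel_coverage(SAMPLE_V4, SAMPLE_V6 + ["default dev tun0 metric 50"], "tun0"))
    no_v6_default = [l for l in SAMPLE_V6 if not l.startswith("default")]
    print(check_tunnel_coverage(SAMPLE_V4, no_v6_default, "tun0"))
```

With the sample tables the first call reports IPv4 tunnelled and IPv6 leaking via `wlan0`, which is exactly the situation in the talk; as the comment says, an IPv4 table with the same shape would leak the same way, the protocol is not the culprit.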

  • PPTP can rot as far as I care. I've been using OpenVPN [openvpn.net] for a while now. It is much easier to set up, much less intrusive and much more secure.

  • I noticed just today that Windows 7 was NOT using the standard EUI-64 (derived from MAC address) data in their auto-configured IPv6 addresses. Instead, the addresses seemed to be randomly generated. Maybe someone at Microsoft understood this issue ahead of time.

    • I noticed just today that Windows 7 was NOT using the standard EUI-64 (derived from MAC address) data in their auto-configured IPv6 addresses. Instead, the addresses seemed to be randomly generated. Maybe someone at Microsoft understood this issue ahead of time.

      What? Microsoft understood something?! What are you thinking?! Of course they didn't understand it.

      What really happened is that Microsoft either couldn't figure out how to generate an IP address including the MAC, or they didn't even read the RFC, and don't realize that's what's supposed to happen.

      Microsoft understood the issue.

      Sheesh.

  • However, this can be done by any average user in Windows:

    http://www.youtube.com/watch?v=SXmv8quf_xM [youtube.com]
    ...LOL
