VPN Flaw Shows Users' IP Addresses

AHuxley writes "A VPN flaw announced at the Telecomix Cyphernetics Assembly in Sweden allows individual users to be identified. 'The flaw is caused by a combination of IPv6, which is a new Internet protocol due to replace the current IPv4, and PPTP (point-to-point tunneling protocol)-based VPN services, which are the most widely used. ... The flaw means that the IP address of a user hiding behind a VPN can still be found, thanks to the connection broadcasting information that can be used to identify it. It's also relatively easy to find a MAC address (which identifies a particular device) and a computer's name on the network that it's on.' The Swedish anti-piracy bureau could already be gathering data using the exploit."

Re:Tor

[Rijnzael]

I seriously doubt any reasonable level of donations will ever allow the Tor network to add the kind of capacity required to torrent. I think it has many more important needs than that anyway.

Re:Tor

[TheRealMindChild]

Not only that, but Tor isn't nearly as secure as most people think it is

Re:

[Rijnzael]

Good point, anyone can host a Tor node, and I'm sure we can bet the bad guys are hosting just as many or more than the good guys. Web of trust for Tor, anyone?

Re:

[bsDaemon]

In order to have a web of trust, don't you need to be able to establish the identity of the other people in your web to a reasonable degree of certainty? Wouldn't verifiable identities undermine the concept of anonymity that is the whole purpose of Tor?

Re:

[Rijnzael]

The Tor nodes themselves are actually quite identified, as you can see by the hostnames/IP's of the nodes themselves. The clients are the ones who are anonymous, as is intended.

Re:

[negRo_slim]

And information that resides on the Tor network itself never needs an exit node at all.

Re:

[mrsteveman1]

That only matters for exit traffic, onion site traffic can't be easily sniffed by nodes

Re:

[Rijnzael]

I think persistently sending a file over SSL over Tor to wikileaks might be somewhat suspicious to a malicious man in the middle listening for as much. Hiding who one is talking to is still as important as hiding what is said.

Re:

[Tacvek]

Somebody who listens to your tor traffic at your end has absolutely no way of telling who you are communicating with. so who you are talking to is just as hidden as what you say. All packets in the tor network are encrypted in such a way that the contents are only ever known by the exit node. There is little point in using SSL if sending a file to wikieaks via tor, since only wikileaks and the exit node would see the plaintext even over plain old http, and neither would be able to determine who or where the

Re:

[Hatta]

The exit node might know that there's an SSL connection going through his computer that terminates at wikileaks. If everything is configured properly he should be unable to determine where that SSL connection originated.

Re:

[mysidia]

Of course if the sender were really paranoid, that SSL connection's IP destination could be a SSL VPN to another anonymizing service, instead of Wikileaks.

And that anonymize service could open yet another SSL connection through the tor network, through a different TOR client, terminating at Wikileaks.

Someone really paranoid will build a chain of encrypted anonymizers, and sign up for accounts on the additional anonymizer services while already anonymous, so a chain is built of services and nested leve

Re:

[Runaway1956]

http://www.i2p2.de/ [i2p2.de]

Considerably more secure than TOR, but not any faster.

And, the donations most needed by any such community, is the donation of BANDWIDTH. Exit nodes, or the lack of exit nodes, are the most limiting factors with any of the darkweb softwares.

Re:

[account_deleted]

Comment removed based on user account deletion

Re:

[account_deleted]

Comment removed based on user account deletion

garbage in, garbage out...

[Michael Kristopeit]

it's also relatively easy to spoof an IP address or MAC address.

Re:garbage in, garbage out...

[dotgain]

And it's just as sensible as spoofing your home address when ordering pizza that you ultimately want to eat.

Re:

[clone53421]

All he’d have to do is filter the IP addresses to only identify one(s) that requested/received all of the data. Which is probably just one IP. Which is yours.

Re:

[Sir_Lewk]

That applies for spoofing your IP address, but not for spoofing your MAC address.

Re:

[dotgain]

Fair enough. As my laptop and WiFi capable phone go from place to place, my (unspoofed) MAC address gets pissed all over the place. Much like the licence plate on my car does. This doesn't really bother me.

Re:

[Rijnzael]

MAC address sure, since your device's MAC address isn't used after your packets reach the ISP's border. However, I invite you to try to establish a full duplex connection using a spoofed IP. Sure, you can send packets using a spoofed IP provided your ISP allows you to send packets for IP's which they don't announce, but you're not getting the response to that packet back. This is actually the basis for DDoS reflection attacks [plynt.com].

Re:

[Michael Kristopeit]

see my comment [slashdot.org] above...

you flood the network with "ghosts"... 1,000+ spoofed IP packets for every 1 real one. sort of like under siege dark territory with the ghost satellites.

it isn't perfect, but provides enough ambiguity to make a counter attack almost pointless for a considerable time.

Re:

[Rijnzael]

Definitely an interesting thought, though with a MITM attacker (presumably the person one is using Tor/VPN/whathaveyou to hide from) it would be pretty obvious that one isn't actually establishing true communication, as the TCP sequence numbers et al wouldn't make any sense, and the remote machine wouldn't be sending back any data packets. With UDP it might be less obvious, though it would be clear one is only sending and not receiving.

Re:

[Rijnzael]

Ah, I was talking in general. I don't think most VPN daemons would accept and transmit as expected an IP packet addressed from an incorrectly sourced IP, probably due to no entry in the ARP table and (from pure gut feeling) other reasons I might be unfamiliar with.

Re:

[Anachragnome]

"'see my comment [slashdot.org] above...

you flood the network with "ghosts"... 1,000+ spoofed IP packets for every 1 real one. sort of like under siege dark territory with the ghost satellites.

it isn't perfect, but provides enough ambiguity to make a counter attack almost pointless for a considerable time."

And Comcast nukes your connection.

Seriously, ISPs are already miffed about the bandwidth usage of P2P systems. Intentionally throwing garbage down them intertubes will not only plug them up, but give the

Re:

[vlm]

However, I invite you to try to establish a full duplex connection using a spoofed IP.

I think you're new to ipv6 and are thinking in ipv4 terms.

At one site I have a tunnel from sixxs (because its dynamic) and another site I have a tunnel from tunnelbroker.net aka everyones favorite ISP he.net (which only works on static IPs, more or less)

At both sites I have a /48 of which I have a /64 assigned to my ethernet LAN. Based on various blah blah blah you can figure out my MAC address based on my ipv6 address.

You can also assign multiple arbitrary ipv6 addresses to an interface. One of my boxes

Re:garbage in, garbage out...

[quantumplacet]

assigning a second IP address, that you also control, to an interface is not 'spoofing' in any sense of the word. If you assign an IP address that I control, then you're spoofing, at which point you have the same problem in IP6 that you have in IP4.

Re:

[vlm]

Kind of two separate arguments.

Lets look at the original posters claim

MAC address sure, since your device's MAC address isn't used after your packets reach the ISP's border. However, I invite you to try to establish a full duplex connection using a spoofed IP.

Now his point is that your MAC is irrelevant beyond your layer 2 link. OK, correct on ipv4.

However, what if you use ipv6 and RFC 2462 "Stateless Address Autoconfiguration" which basically picks your ipv6 address based on your MAC address. Wedging a 48 bit mac address into, say, a /28 of ipv4 space isn't going to work too well, but wedging a 48 bit mac address into a /64 LAN of ipv6 works pretty well.

http://www.ietf.org/rfc/rfc2462.txt [ietf.org]

No

Re:

[Phs2501]

It's not even "spoofing" to pick a random IPv6 address, it's a standard:

RFC 4941: Privacy Extensions for Stateless Address Autoconfiguration in IPv6 [ietf.org]

Windows does this by default.

Re:

[drinkypoo]

Even worse, the top 24 bits of the mac define the device manufacturer, so no matter where you go in the world, people know you've got an apple, or whatever.

If you can't change your MAC then your OS and/or driver blow. Even almost every NIC I've plugged into a Windows box has had driver support for MAC changes.

Now if you do this at work, your local net nanny is going to get all teed off that some "unknown" mac address is online, because look at that ipv6 address that doesnt match any known inventoried hardware MAC address.

Personally I think that employers that let you connect your devices to their networks are crazy anyway. I could see providing WiFi that is segregated from the corporate network for employee convenience, but then you don't have to worry too much about what is connected, only what it is doing.

Re:

[complete loony]

So why not just hash the netmask and mac together perhaps with a salt value to generate your stateless address. That should give you the same low risk of collisions, while giving you a different address on each network and not exposing any identifying information to remote hosts.

Re:

[mysidia]

Full duplex connections are possible.

It's just necessary for the spoofer to first compromise an appropriate router on your network and setup a tunnel.. Either through brute force, or through well-known vulnerabilities in certain router OSes (which are rarely updated, because most sysadmins don't think the router/firewall is a legitimate target, or just don't bother to follow security updates... It's a firewall after all, so "It must be secure!").

Or, analyze what IP address space you are announcing, a

Re:

[Anonymous Coward]

"Spoofing" an IP address will tend to cause the packets to be delivered to the wrong place.

On a very different note, it is worth remembering that MAC addresses are embedded in the IPv6 address. If these guys are presenting the idea that you can get a MAC address from an IP address (in IPv6) as a new security flaw, they obviously haven't been reading the RFCs. Why the #*%! do these morons think people are so reluctant to switch to IPv6? Because it makes it very hard to obscure a machine on the Internet, and

Any Network Admin worth his weight...

[bagboy]

has not been using pptp for vpn for quite some time. IPSEC (AES) anyone? Just sayin.

Re:Any Network Admin worth his weight...

[drinkypoo]

Any Network Admin worth his weight has not been using pptp for vpn for quite some time. IPSEC (AES) anyone? Just sayin.

IPSEC doesn't have to use AES, it supports other ciphers. Further, PPTP does not specify encryption, but Windows clients use MPPE, which is RSA RC4.

Re:

[Just Some Guy]

On FreeBSD, sudo portinstall net/mpd5 and editing a config file to configure your IP addresses installs a working PPTP server that an Apple i* can use. Although you may not approve, my boss likes having an easy-to-configure VPN when he's on the road. I like being able to securely surf and IM from open WiFi. IPSEC might be the "better" way, but there's a lot to be said for having something working 5 minutes into trying it for the first time.

Re:

[drinkypoo]

FWIW the tools in Win2k and later for IPSEC profile management are pretty fine. I have never actually tried with a windows client with a dynamic IP though :)

Re:

[Just Some Guy]

You're probably right. I just never got to the point of trying, since configuring PPTP was so easy and it works reliably.

Re:

[drinkypoo]

I'm fiddling around with Windows 7 Pro right now and it doesn't seem to have the same grade of IPSEC management tools that 2K and XP mostly share. (XP has a bit more, of course.) But perhaps the functionality is moved into another snap-in? I have read that the shrew soft vpn client [shrew.net] (download link) is useful in recent versions but have not yet set up ipsec on my desktop Ubuntu system to find out. I've done ipsec Linux-Linux and HPSUX-Windows but that's it so far.

Wait, IPv6+PPTP+IPSEC only?

[drinkypoo]

You don't need PPTP if you're using IPSEC and IPv6. Even Microsoft clients don't need it any more.

IPv6

[Perl-Pusher]

IPv6, which is a new internet protocol due to replace the current IPv4

My grand kids will probably be saying that to their grand kids.

Re:

[Monkeedude1212]

Actually by then, it'll be IPv6.1 with a single extra bit added to the end of each IP Address, thereby DOUBLING the IP address space.

Re:

[drinkypoo]

Actually by then, it'll be IPv6.1 with a single extra bit added to the end of each IP Address, thereby DOUBLING the IP address space.

Finally! I was wondering when I would have a use for my 129-bit processor design.

Re:IPv6

[DdJ]

Actually by then, it'll be IPv6.1 ...

...unless you're running on a Microsoft operating system, in which case it'll be "IPv6.11 for Workgroups".

Re:

[vlm]

I heard, that instead of specifying addresses using hexadecimal digits 0-9 and A-F, some PHD wants to use 0-9 and A-Z. And the offshored helpdesk wants to use unicode characters instead of hexadecimal digits.

I bet there's a heck of a lot of spreadsheets and ip allocation thingys and map generation scripts and especially webpage javascript validation that won't tolerate "letters" in yer "IP addresses". Underlying OS and apps are generally OK at this point (I've been running ipv6 for many years from various

Re:

[xanadu113]

Right after we get switched to the metric system!

In elementary school, they ONLY taught me the metric system, because it was going to replace the english system by the time I graduated high school... I'm still waiting...

Re:

[BrokenHalo]

Maybe you needed a different school. My education started in the '60s, and we learned to cope with both.

Re:

[Runaway1956]

Yes, what BrokenHalo says. I started school in 1961, and learned pounds, ounces, etc. Somewhere along - ohhhh - 6th grade I think, they told us that within a couple years we wouldn't see any of that stuff, we needed to learn metric.

Metric is so easy - if you can count to ten, you have metric mastered. I've never figured out why people claim they have a hard time with it. Everything is powers of ten - everything. Almost everyone is born with ten appendages at the ends of their arms, right? Yeah, yeah,

Re:

[Wonko the Sane]

The downside to a base 10 measurement system is that it only has two factors: 2 and 5.

It seems to be a lot more common to divide physical quantities into thirds than fifths so you are giving up something when you switch from a system that has 3 prime factors to one that only has 2.

The cost/benefit ratio is probably in favor of the metric system in most cases, but don't dismiss the possibility that it might not be in all cases.

Re:

[hoggoth]

3 and 1/3rd. 3.33. Was that so hard?
If you are measuring flour for a cake and put in 3.34 or 3.32 I'm sure everyone will be polite and not tell you how bad it turned out.

Or maybe you are calculating interstellar probe trajectories without a calculator?

Re:

[clone53421]

If you have a 3 1/3 ml measuring spoon, you’ve basically defeated your nice power-of-10 system.

Re:

[BrokenHalo]

If you put 100g of yeast in a 1kg loaf of bread simply because it's a nice round number in your power-of-10 system, you're going to end up with something you don't want to eat.

Re:

[clone53421]

So... what you're telling me is that while nice round numbers are handy for mathimatics, they aren't practically useful in real-life applications.

Well, that's what we've been trying to tell you all along.

So, we end up having 3 Tsp. per 1 Tbsp. Why? Because it was convenient in real life, not on a page of numbers.

Re:

[uniquegeek]

How about a space shuttle?

Re:

[Sir_Lewk]

I went to school in the 90s and only learned metric. It was my understanding that this was pretty universal among public schools in my area.

Really, if everyone stopped using imperial units tomorrow, I'd venture to guess that only a handful of old geezers would have any trouble with it.

Re:

[Ares]

Canada is officially metric, which is to say official pieces of info like speed limits and driver's license weight, height, and eye colour.

metric eye colors, eh?

Re:

[gknoy]

metric eye colors, eh?

Yeah, they list your eye color in nanometers.

Re:

[CFD339]

Did they teach entirely in Esperanto as well?

Re:

[clone53421]

Sheesh, I’d tell them to give it up and just let me graduate high school finally.

Oh no

[Smallpond]

Now they have my IP address: 192.160.0.1

Re:

[sconeu]

Did you mean 192.168.0.1?

192.168/16 is the private address. 192.160/16 is not.

Re:

[kaizendojo]

Did you mean 192.168.0.1? 192.168/16 is the private address. 192.160/16 is not.

Stealth... You're doing it wrong.

Re:

[Tanman]

Now they know what subset of brands your router is manufactured by, since various ones assign different local ip addresses. This lets them target attacks more specifically or search out vulnerabilities specific to certain known firmware issues.

Re:

[sharkey]

May be, but there's NO WAY they're getting 127.0.0.1. That's MINE!

User flaw shows dilluded sense of privacy on net

[Bob_Who]

The only flaw is when people believe that VPN or any other network technology streaming on the public superhighway via telecoms and satellite networks is absolutely private and secure 100% of the time. Once you fix that defect, the rest won't matter anymore. Too bad our national security experts are having so much difficulty with that concept, since its bad for business to accept reality or to tell the truth, in general.

So, what's the move?

[b0bby]

What, then, is the best way to preserve anonymity when using, for instance, BitTorrent? I have looked at services like BTGuard & Predator, but there's always a little spidey-sense tingle of lack of trust...

doesen't IPv6 drop some of need for VPN?

[Joe The Dragon]

doesen't IPv6 drop some of need for VPN?

But then the ISP need to do there part and give you more then 1 ip.

Re:

[vlm]

doesen't IPv6 drop some of need for VPN?

http://en.wikipedia.org/wiki/IPv6#Mandatory_network_layer_security [wikipedia.org]

IPSec is mandatory for "full ipv6 support", and of course almost no one uses it.

Its kind of like saying having https webservers removes all need for VPNs. Well, not exactly.

But then the ISP need to do there part and give you more then 1 ip.

I'm not aware of any tunnelbroker whom won't give you a /48 for your LAN, at this time. ISPs, being ISPs, will find a way to F it all up, I'm sure.

Re:

[spottedkangaroo]

On IPv6, they shouldn't ever be giving you less than a /64 and a /48 if you request it (or pay more or whatever). NATing is apparently against the law, but we overlook it because otherwise IPv4 would be broken already. My thinking is that NATing on IPv6 will continue to be OK for security reasons, but it's supposed to be completely unnecessary since we'll have enough IPv6 addresses to give one to every grain of sand on earth or whatever.

Re:

[vlm]

My thinking is that NATing on IPv6 will continue to be OK for security reasons

My thinking is we're going to see massive namespace pollution in the marketing world. Since most people use "nat security" as basically a complicated as heck one way valve, and its "expensive" to do nat compared to simple state based firewalls, I suspect the marketing droids are going to get simple state based firewalls that only allow outgoing connections from engineering, and then sell them as "ipv6 NAT" even though theres no address translation going on.

After all, its the same as ipv6 NAT because it all

Cipher Conference Video

[SJ2000]

The conference video apparently. [bambuser.com]

Re:

[Anonymous Coward]

Unfortunately the talk is structured very poorly. The talk is about several deanonymization techniques: Flash, which allegedly does not respect proxy settings (I think it's an option), can be used to establish connections outside of the VPN if you can make the victim open a web page. Alternatives are image URLs with FTP or other protocols for which no proxy on the VPN is configured, etc. The IPv6 problem is of the same nature: If you link to an image with an IPv6 address in the URL, the request will not go

Re:

[materi]

Was this all that they talked about? nothing specific to PPTP as title suggests? then meh, not really news. I would have liked to listen to the talks if I could find a source with decent quality audio...

I RTFA but..

[rwwyatt]

rather wish I had not.

IP address leaked?

[hoggoth]

Hey um... I was just kidding about the whole overthrow the government thing. And the kiddie pics were for a research project. Like Pete Townshend. Yeah, just like Pete Townshend. And I purchased all of those songs and movies and just needed backup copies.

Wait, hold on...

[gravis777]

The Swedish anti-piracy bureau could already be gathering data using the exploit."

Um, not sure about Swedish law, but isn't this similar to like, breaking DVD encryption? Just because the encryption is week or has a security flaw in it, I am pretty sure it is still illegal to break or exploit it. If that's the case, could IP addresses gathered using this exploit be permissable in a court of law?

Just wondering out loud

Re:

[b0bby]

My basic understanding of it is that they're not breaking any encryption, they're just using this flaw to gather your real IP address when you are going through a VPN endpoint. Your hope would be that all anyone monitoring a torrent could see would be the address of your VPN endpoint (probably from a VPN provider like The Pirate Bay), but instead they're able to gather more information, presumably so they can identify and sue you.

Re:

[hag3r]

And even if they were breaking laws, any evidence they found would still be permissible in a Swedish courtroom if I'm not mistaken.

Re:

[Husgaard]

In Swedish law, even evidence gathered illegally is permissive in court.

And with the new IPRED legislation in Sweden from last year, the anti-piracy now have better means of obtaining evidence for civil court cases (pay us, or we sue) than the Swedish police has for criminal file sharing cases.

Well

[DaMattster]

The article wasn't terribly well written. I would say it is not a big deal at all because the traffic between the tunnel end-points is encrypted anyway. I smell an attempt to spread FUD about IPv6 and I happen to like IPv6.

Not IPv6's fault

[Dagger2]

As far as I can see, the vulnerability he talks about in the video is basically "if you use a VPN, but you don't put IPv6 traffic over the VPN, IPv6 traffic won't go over the VPN".

It seems a bit unfair to blame IPv6 for this; after all, IPv4 suffers from the same vulnerability.

OpenVPN anyone?

[Narcocide]

PPTP can rot as far as I care. I've been using OpenVPN [openvpn.net] for a while now. It is much easier to set up, much less intrusive and much more secure.

Windows 7

[Skapare]

I noticed just today that Windows 7 was NOT using the standard EUI-64 (derived from MAC address) data in their auto-configured IPv6 addresses. Instead, the addresses seemed to be randomly generated. Maybe someone at Microsoft understood this issue ahead of time.

Re:

[cbiltcliffe]

I noticed just today that Windows 7 was NOT using the standard EUI-64 (derived from MAC address) data in their auto-configured IPv6 addresses. Instead, the addresses seemed to be randomly generated. Maybe someone at Microsoft understood this issue ahead of time.

What? Microsoft understood something?! What are you thinking?! Of course they didn't understand it.

What really happened is that Microsoft either couldn't figure out how to generate an IP address including the MAC, or they didn't even read the RFC, and don't realize that's what's supposed to happen.

Microsoft understood the issue.

Sheesh.

tracert = hax0r tool!

[that IT girl]

However, this can be done by any average user in Windows:

http://www.youtube.com/watch?v=SXmv8quf_xM [youtube.com]
...LOL