Login
Virtual private networking (VPN) companies market their services as a way to prevent anyone from snooping on your Internet usage. But new research suggests this is a dangerous assumption when connecting to a VPN via an untrusted network, because attackers on the same network could force a targetβs traffic off of the protection provided by their VPN without triggering any alerts to the user.
Image: Shutterstock.
When a device initially tries to connect to a network, it broadcasts a message to the entire local network stating that it is requesting an Internet address. Normally, the only system on the network that notices this request and replies is the router responsible for managing the network to which the user is trying to connect.
The machine on a network responsible for fielding these requests is called a Dynamic Host Configuration Protocol (DHCP) server, which will issue time-based leases for IP addresses. The DHCP server also takes care of setting a specific local address β known as an Internet gateway β that all connecting systems will use as a primary route to the Web.
VPNs work by creating a virtual network interface that serves as an encrypted tunnel for communications. But researchers at Leviathan Security say theyβve discovered itβs possible to abuse an obscure feature built into the DHCP standard so that other users on the local network are forced to connect to a rogue DHCP server.
βOur technique is to run a DHCP server on the same network as a targeted VPN user and to also set our DHCP configuration to use itself as a gateway,β Leviathan researchers Lizzie Moratti and Dani Cronce wrote. βWhen the traffic hits our gateway, we use traffic forwarding rules on the DHCP server to pass traffic through to a legitimate gateway while we snoop on it.β
The feature being abused here is known as DHCP option 121, and it allows a DHCP server to set a route on the VPN userβs system that is more specific than those used by most VPNs. Abusing this option, Leviathan found, effectively gives an attacker on the local network the ability to set up routing rules that have a higher priority than the routes for the virtual network interface that the targetβs VPN creates.
βPushing a route also means that the network traffic will be sent over the same interface as the DHCP server instead of the virtual network interface,β the Leviathan researchers said. βThis is intended functionality that isnβt clearly stated in the RFC [standard]. Therefore, for the routes we push, it is never encrypted by the VPNβs virtual interface but instead transmitted by the network interface that is talking to the DHCP server. As an attacker, we can select which IP addresses go over the tunnel and which addresses go over the network interface talking to our DHCP server.β
Leviathan found they could force VPNs on the local network that already had a connection to arbitrarily request a new one. In this well-documented tactic, known as a DHCP starvation attack, an attacker floods the DHCP server with requests that consume all available IP addresses that can be allocated. Once the networkβs legitimate DHCP server is completely tied up, the attacker can then have their rogue DHCP server respond to all pending requests.
βThis technique can also be used against an already established VPN connection once the VPN userβs host needs to renew a lease from our DHCP server,β the researchers wrote. βWe can artificially create that scenario by setting a short lease time in the DHCP lease, so the user updates their routing table more frequently. In addition, the VPN control channel is still intact because it already uses the physical interface for its communication. In our testing, the VPN always continued to report as connected, and the kill switch was never engaged to drop our VPN connection.β
The researchers say their methods could be used by an attacker who compromises a DHCP server or wireless access point, or by a rogue network administrator who owns the infrastructure themselves and maliciously configures it. Alternatively, an attacker could set up an βevil twinβ wireless hotspot that mimics the signal broadcast by a legitimate provider.
Bill Woodcock is executive director at Packet Clearing House, a nonprofit based in San Francisco. Woodcock said Option 121 has been included in the DHCP standard since 2002, which means the attack described by Leviathan has technically been possible for the last 22 years.
βTheyβre realizing now that this can be used to circumvent a VPN in a way thatβs really problematic, and theyβre right,β Woodcock said.
Woodcock said anyone who might be a target of spear phishing attacks should be very concerned about using VPNs on an untrusted network.
βAnyone who is in a position of authority or maybe even someone who is just a high net worth individual, those are all very reasonable targets of this attack,β he said. βIf I were trying to do an attack against someone at a relatively high security company and I knew where they typically get their coffee or sandwich at twice a week, this is a very effective tool in that toolbox. Iβd be a little surprised if it wasnβt already being exploited in that way, because again this isnβt rocket science. Itβs just thinking a little outside the box.β
Successfully executing this attack on a network likely would not allow an attacker to see all of a targetβs traffic or browsing activity. Thatβs because for the vast majority of the websites visited by the target, the content is encrypted (the siteβs address begins with https://). However, an attacker would still be able to see the metadata β such as the source and destination addresses β of any traffic flowing by.
KrebsOnSecurity shared Leviathanβs research with John Kristoff, founder of dataplane.org and a PhD candidate in computer science at the University of Illinois Chicago. Kristoff said practically all user-edge network gear, including WiFi deployments, support some form of rogue DHCP server detection and mitigation, but that itβs unclear how widely deployed those protections are in real-world environments.
βHowever, and I think this is a key point to emphasize, an untrusted network is an untrusted network, which is why youβre usually employing the VPN in the first place,β Kristoff said. βIf [the] local network is inherently hostile and has no qualms about operating a rogue DHCP server, then this is a sneaky technique that could be used to de-cloak some traffic β and if done carefully, Iβm sure a user might never notice.β
According to Leviathan, there are several ways to minimize the threat from rogue DHCP servers on an unsecured network. One is using a device powered by the Android operating system, which apparently ignores DHCP option 121.
Relying on a temporary wireless hotspot controlled by a cellular device you own also effectively blocks this attack.
βThey create a password-locked LAN with automatic network address translation,β the researchers wrote of cellular hot-spots. βBecause this network is completely controlled by the cellular device and requires a password, an attacker should not have local network access.β
Leviathanβs Moratti said another mitigation is to run your VPN from inside of a virtual machine (VM) β like Parallels, VMware or VirtualBox. VPNs run inside of a VM are not vulnerable to this attack, Moratti said, provided they are not run in βbridged mode,β which causes the VM to replicate another node on the network.
In addition, a technology called βdeep packet inspectionβ can be used to deny all in- and outbound traffic from the physical interface except for the DHCP and the VPN server. However, Leviathan says this approach opens up a potential βside channelβ attack that could be used to determine the destination of traffic.
βThis could be theoretically done by performing traffic analysis on the volume a target user sends when the attackerβs routes are installed compared to the baseline,β they wrote. βIn addition, this selective denial-of-service is unique as it could be used to censor specific resources that an attacker doesnβt want a target user to connect to even while they are using the VPN.β
Moratti said Leviathanβs research shows that many VPN providers are currently making promises to their customers that their technology canβt keep.
βVPNs werenβt designed to keep you more secure on your local network, but to keep your traffic more secure on the Internet,β Moratti said. βWhen you start making assurances that your product protects people from seeing your traffic, thereβs an assurance or promise that canβt be met.β
A copy of Leviathanβs research, along with code intended to allow others to duplicate their findings in a lab environment, is available here.
Automate the process of analyzing web server logs with the Python Web Log Analyzer. This powerful tool is designed to enhance security by identifying and detecting various types of cyber attacks within your server logs. Stay ahead of potential threats with features that include:
Attack Detection: Identify and flag potential Cross-Site Scripting (XSS), Local File Inclusion (LFI), Remote File Inclusion (RFI), and other common web application attacks.
Rate Limit Monitoring: Detect suspicious patterns in multiple requests made in a short time frame, helping to identify brute-force attacks or automated scanning tools.
Automated Scanner Detection: Keep your web applications secure by identifying requests associated with known automated scanning tools or vulnerability scanners.
User-Agent Analysis: Analyze and identify potentially malicious User-Agent strings, allowing you to spot unusual or suspicious behavior.
This project is actively developed, and future features may include:
The tool only requires Python 3 at the moment.
After cloning the repository to your local machine, you can initiate the application by executing the command python3 WLA-cli.py. simple usage example : python3 WLA-cli.py -l LogSampls/access.log -t
use -h or --help for more detailed usage examples : python3 WLA-cli.py -h
linkdin:(https://www.linkedin.com/in/oudjani-seyyid-taqy-eddine-b964a5228)
FreshRSS 