What's new

Using an obscure DHCP feature to abuse your VPN connection

  • SNBForums Code of Conduct

    SNBForums is a community for everyone, no matter what their level of experience.

    Please be tolerant and patient of others, especially newcomers. We are all here to share and learn!

    The rules are simple: Be patient, be nice, be helpful or be gone!

Viktor Jaep

Part of the Furniture
The way it is described - the attacker has to have access to your LAN first. VPN tunnel encryption doesn't come into play because the client traffic is re-routed around it. This thing needs knowledge about the network, time to plan plus extra hardware/software to execute. In a corporate environment it will be caught as suspicious activity perhaps immediately. The idea looks similar to common IPv6 leaks happening "automatically" on home routers, but done in a more sophisticated way using single protocol.
 
The way it is described - the attacker has to have access to your LAN first. VPN tunnel encryption doesn't come into play because the client traffic is re-routed around it. This thing needs knowledge about the network, time to plan plus extra hardware/software to execute. In a corporate environment it will be caught as suspicious activity perhaps immediately. The idea looks similar to common IPv6 leaks happening "automatically" on home routers, but done in a more sophisticated way using single protocol.
Which is why setting up a rogue DHCP server at a Starbucks would make this threat a reality. I'm just really curious how they're able to prevent encryption of traffic between your network interface and the VPN provider through the means of routing in order to snoop. Need to read up more on this. Ugh.
 

This has always been a consideration with OpenVPN especially, as the jump from kernel to userspace has always been problematic... the fact that OpenVPN is portable as an application puts it at risk of the host OS...

Same would go with many of the SSL-VPN approaches - GlobalConnect, etc...

L2TP-IPsec and WG work at a network interface level at Layer 2. I'm not seeing an issue there directly, however, going into a public VPN provider is always a risk.

TunnelVision_Dataflow_Diagram_VPN_Linux_Host.png
 
I wonder if there's a way to catch something like this in the act... it should be highly usual for DHCP to change your routes. Just need to something to catch it in the act, deny it, and keep existing routes in place.
 
I wonder if there's a way to catch something like this in the act... it should be highly usual for DHCP to change your routes. Just need to something to catch it in the act, deny it, and keep existing routes in place.

It's always been there at a carrier level...

Content Optimization is one thing, but it's also CSAM (kiddie porn) - not saying that carriers are curating content, and CALEA also comes into play if warranted...

Thing is - VPN's at Layer 3 were NEVER private - whether it was Citrix or Sandvine - that was their reason for being...

Think items like the GreatFirewall of China - same stuff happens outside of the PRC...
 
If I understand the original issue and the above referenced .pdf.

It would appear that a possible solution would be to access 'your' dns resolver through the vpn connection *only* & block any other access to dns outside of the vpn connection.
Any attempt to use an 'outside' dns resolver should/would get no reply ..... for maximum safety the vpn client, on detecting the 'outside' dns resolution attempt/reply, would drop and remake the vpn connection to establish a 'clean' connection setup.

This of course means that the vpn client needs to be changed to monitor dns traffic & the routes taken.
 

Support SNBForums w/ Amazon

If you'd like to support SNBForums, just use this link and buy anything on Amazon. Thanks!

Sign Up For SNBForums Daily Digest

Get an update of what's new every day delivered to your mailbox. Sign up here!
Top