A Glance through the VPN Looking Glass: IPv6 Leakage and DNS Hijacking in Commercial VPN clients

Open access


Commercial Virtual Private Network (VPN) services have become a popular and convenient technology for users seeking privacy and anonymity. They have been applied to a wide range of use cases, with commercial providers often making bold claims regarding their ability to fulfil each of these needs, e.g., censorship circumvention, anonymity and protection from monitoring and tracking. However, as of yet, the claims made by these providers have not received sufficiently detailed scrutiny. This paper thus investigates the claims of privacy and anonymity in commercial VPN services. We analyse 14 of the most popular ones, inspecting their internals and their infrastructures. Despite being a known issue, our experimental study reveals that the majority of VPN services suffer from IPv6 traffic leakage. The work is extended by developing more sophisticated DNS hijacking attacks that allow all traffic to be transparently captured. We conclude by discussing a range of best practices and countermeasures that can address these vulnerabilities.

