Carding Forum
Professional
A group of researchers from Canadian and American universities has developed a Port Shadow attack technique that allows you to manipulate the address translation tables on the VPN server side to send a response to a request to another user connected to the same VPN server. This method can be used to intercept or redirect encrypted traffic, perform port scanning, and deanonymize VPN users. As an example, this method can be used to redirect DNS requests to the attacker's host from a user working through a VPN server that the attacker can connect to as a client.
To perform the attack, an attacker must be able to connect to the same VPN server as the victim, which is possible, for example, with typical VPN operators and public VPN services that provide access to everyone. The vulnerability affects VPN servers that use address translation (NAT) to give clients access to external resources, provided that the server uses the same IP address both to receive traffic from clients and to send requests to external sites.
The attack relies on the fact that, by sending specially crafted requests, an attacker connected to the same VPN server and sharing its NAT can corrupt the contents of the address translation tables, so that packets addressed to one user are delivered to another. In address translation tables, the internal IP address that a sent request is mapped to is determined by the source port number used when sending the request. By sending certain SYN and ACK packets while simultaneously manipulating the client connection to the VPN server and an external server under the attacker's control, the attacker can cause a collision in the NAT table and add an entry with the same source port number but associated with the attacker's own local address, which causes responses to someone else's request to be returned to the attacker's address.
The study tested Linux and FreeBSD address translation systems in combination with OpenVPN, OpenConnect, and WireGuard VPNs. The FreeBSD platform was not affected by the attack methods for redirecting requests made by other users connected to the same VPN. Substitution of NAT table entries was achieved only in an ATIP (Adjacent-to-In-Path) attack, in which the attacker can interfere with traffic between the user and the VPN server (for example, when the user connects to a Wi-Fi network controlled by the attacker) or between the VPN server and the target site. At the same time, FreeBSD's NAT was affected by an attack that allows determining whether a user is connected to a specific site (Connection Inference).
As for Linux, the Netfilter subsystem was found vulnerable to attacks that substitute entries in the address translation table, allowing an attacker to redirect incoming packets to another user, cause packets to be sent outside the encrypted VPN channel (Decapsulation), or determine open network ports on the client side.
As measures to block the attack, VPN providers are recommended to use proper randomization of source port numbers in NAT, limit the number of simultaneous connections to the VPN server allowed from one user, and prevent the client from choosing the network port on which the VPN server side accepts replies.
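The following added example (not code from the researchers or any VPN project) models the NAT table behaviour described above: a shared public address whose replies are demultiplexed by source port alone, once with client-chosen ports honoured and once with server-chosen random ports and a per-user connection cap. The internal addresses, the "resolver:53" destination and the allocation policy are simplified assumptions for illustration.

```python
from dataclasses import dataclass, field
from typing import Dict, Optional
import secrets

@dataclass
class Flow:
    client: str        # internal (tunnel) address of the VPN client (constructed)
    client_port: int   # source port the client picked for its request
    dst: str           # external host the request goes to

@dataclass
class NatTable:
    """Public port -> flow. Replies are demultiplexed by public port only."""
    port_preserving: bool                       # honour client-chosen source ports
    max_flows_per_client: Optional[int] = None  # per-user connection cap (mitigation)
    table: Dict[int, Flow] = field(default_factory=dict)

    def flows_of(self, client: str) -> int:
        return sum(1 for f in self.table.values() if f.client == client)

    def add(self, flow: Flow) -> int:
        """Allocate the public source port for an outbound flow and return it."""
        if self.max_flows_per_client is not None and \
                self.flows_of(flow.client) >= self.max_flows_per_client:
            raise PermissionError(f"{flow.client}: connection limit reached")
        if self.port_preserving:
            # Weak: the client's own port is used even when another client's
            # flow already owns it, so the new entry silently replaces it.
            port = flow.client_port
        else:
            # Hardened: server-chosen random port that is not currently mapped,
            # so no client can claim a port another client's replies arrive on.
            free = [p for p in range(1024, 65536) if p not in self.table]
            port = secrets.choice(free)
        self.table[port] = flow
        return port

    def recipient(self, public_port: int) -> Optional[str]:
        """Which client an inbound reply on this public port is forwarded to."""
        f = self.table.get(public_port)
        return f.client if f else None

def scenario(port_preserving: bool) -> Optional[str]:
    """Two clients on one VPN server both use source port 40000 towards the
    same resolver. Returns who receives the reply to the first client's query."""
    nat = NatTable(port_preserving)
    first = nat.add(Flow("10.8.0.2", 40000, "resolver:53"))
    nat.add(Flow("10.8.0.3", 40000, "resolver:53"))
    return nat.recipient(first)
```

With port preservation the second client's entry displaces the first, so the reply is forwarded to the wrong tunnel; with random server-chosen ports and the per-user cap each client keeps its own mapping.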
According to a representative of Proton AG, the attack does not affect VPN services that use separate IP addresses for incoming and outgoing requests. In addition, there are doubts about the possibility of applying the attack to real VPN services, since a successful attack has so far been demonstrated only in laboratory tests and it requires certain conditions to be met on the side of the VPN server and the attacked client. In addition, the attack can only be useful for manipulating unencrypted requests, such as accessing DNS, while using TLS and HTTPS at the application level makes traffic redirection useless.
Attacks that manipulate address translation tables are applicable not only to VPNs, but also to wireless networks that use NAT to connect users to external resources on the access point. Last month, the results of a study on the possibility of conducting a similar attack to intercept TCP connections of other wireless network users were published. The attack method was applicable to 24 out of 33 tested wireless access points.
The attack proposed for Wi-Fi turned out to be much simpler than the VPN method described above: because of optimizations, many access points do not check the correctness of sequence numbers in TCP packets. As a result, the attack only needed to send a dummy RST packet to clear an entry in the address translation table and then receive a response sent to the attacker's host in order to learn the sequence (SEQ) and acknowledgment (ACK) numbers required to intercept the TCP connection.