Virtual private networking (VPN) companies market their services as a way to prevent anyone from snooping on your Internet usage. But new research suggests this is a dangerous assumption when connecting to a VPN via an untrusted network, because attackers on the same network could force a target’s traffic off of the protection provided by their VPN without triggering any alerts to the user.
Image: Shutterstock.
When a device initially tries to connect to a network, it broadcasts a message to the entire local network stating that it is requesting an Internet address. Normally, the only system on the network that notices this request and replies is the router responsible for managing the network to which the user is trying to connect.
The machine on a network responsible for fielding these requests is called a Dynamic Host Configuration Protocol (DHCP) server, which will issue time-based leases for IP addresses. The DHCP server also takes care of setting a specific local address — known as an Internet gateway — that all connecting systems will use as a primary route to the Web.
VPNs work by creating a virtual network interface that serves as an encrypted tunnel for communications. But researchers at Leviathan Security say they’ve discovered it’s possible to abuse an obscure feature built into the DHCP standard so that other users on the local network are forced to connect to a rogue DHCP server.
“Our technique is to run a DHCP server on the same network as a targeted VPN user and to also set our DHCP configuration to use itself as a gateway,” Leviathan researchers Lizzie Moratti and Dani Cronce wrote. “When the traffic hits our gateway, we use traffic forwarding rules on the DHCP server to pass traffic through to a legitimate gateway while we snoop on it.”
The feature being abused here is known as DHCP option 121, and it allows a DHCP server to set a route on the VPN user’s system that is more specific than those used by most VPNs. Abusing this option, Leviathan found, effectively gives an attacker on the local network the ability to set up routing rules that have a higher priority than the routes for the virtual network interface that the target’s VPN creates.
“Pushing a route also means that the network traffic will be sent over the same interface as the DHCP server instead of the virtual network interface,” the Leviathan researchers said. “This is intended functionality that isn’t clearly stated in the RFC [standard]. Therefore, for the routes we push, it is never encrypted by the VPN’s virtual interface but instead transmitted by the network interface that is talking to the DHCP server. As an attacker, we can select which IP addresses go over the tunnel and which addresses go over the network interface talking to our DHCP server.”
Leviathan found they could force VPNs on the local network that already had a connection to arbitrarily request a new one. In this well-documented tactic, known as a DHCP starvation attack, an attacker floods the DHCP server with requests that consume all available IP addresses that can be allocated. Once the network’s legitimate DHCP server is completely tied up, the attacker can then have their rogue DHCP server respond to all pending requests.
“This technique can also be used against an already established VPN connection once the VPN user’s host needs to renew a lease from our DHCP server,” the researchers wrote. “We can artificially create that scenario by setting a short lease time in the DHCP lease, so the user updates their routing table more frequently. In addition, the VPN control channel is still intact because it already uses the physical interface for its communication. In our testing, the VPN always continued to report as connected, and the kill switch was never engaged to drop our VPN connection.”
The researchers say their methods could be used by an attacker who compromises a DHCP server or wireless access point, or by a rogue network administrator who owns the infrastructure themselves and maliciously configures it. Alternatively, an attacker could set up an “evil twin” wireless hotspot that mimics the signal broadcast by a legitimate provider.
ANALYSIS
Bill Woodcock is executive director at Packet Clearing House, a nonprofit based in San Francisco. Woodcock said Option 121 has been included in the DHCP standard since 2002, which means the attack described by Leviathan has technically been possible for the last 22 years.
“They’re realizing now that this can be used to circumvent a VPN in a way that’s really problematic, and they’re right,” Woodcock said.
Woodcock said anyone who might be a target of spear phishing attacks should be very concerned about using VPNs on an untrusted network.
“Anyone who is in a position of authority or maybe even someone who is just a high net worth individual, those are all very reasonable targets of this attack,” he said. “If I were trying to do an attack against someone at a relatively high security company and I knew where they typically get their coffee or sandwich at twice a week, this is a very effective tool in that toolbox. I’d be a little surprised if it wasn’t already being exploited in that way, because again this isn’t rocket science. It’s just thinking a little outside the box.”
Successfully executing this attack on a network likely would not allow an attacker to see all of a target’s traffic or browsing activity. That’s because for the vast majority of the websites visited by the target, the content is encrypted (the site’s address begins with https://). However, an attacker would still be able to see the metadata — such as the source and destination addresses — of any traffic flowing by.
KrebsOnSecurity shared Leviathan’s research with John Kristoff, founder of dataplane.org and a PhD candidate in computer science at the University of Illinois Chicago. Kristoff said practically all user-edge network gear, including WiFi deployments, support some form of rogue DHCP server detection and mitigation, but that it’s unclear how widely deployed those protections are in real-world environments.
“However, and I think this is a key point to emphasize, an untrusted network is an untrusted network, which is why you’re usually employing the VPN in the first place,” Kristoff said. “If [the] local network is inherently hostile and has no qualms about operating a rogue DHCP server, then this is a sneaky technique that could be used to de-cloak some traffic – and if done carefully, I’m sure a user might never notice.”
MITIGATIONS
According to Leviathan, there are several ways to minimize the threat from rogue DHCP servers on an unsecured network. One is using a device powered by the Android operating system, which apparently ignores DHCP option 121.
Relying on a temporary wireless hotspot controlled by a cellular device you own also effectively blocks this attack.
“They create a password-locked LAN with automatic network address translation,” the researchers wrote of cellular hot-spots. “Because this network is completely controlled by the cellular device and requires a password, an attacker should not have local network access.”
Leviathan’s Moratti said another mitigation is to run your VPN from inside of a virtual machine (VM) — like Parallels, VMware or VirtualBox. VPNs run inside of a VM are not vulnerable to this attack, Moratti said, provided they are not run in “bridged mode,” which causes the VM to replicate another node on the network.
In addition, a technology called “deep packet inspection” can be used to deny all in- and outbound traffic from the physical interface except for the DHCP and the VPN server. However, Leviathan says this approach opens up a potential “side channel” attack that could be used to determine the destination of traffic.
“This could be theoretically done by performing traffic analysis on the volume a target user sends when the attacker’s routes are installed compared to the baseline,” they wrote. “In addition, this selective denial-of-service is unique as it could be used to censor specific resources that an attacker doesn’t want a target user to connect to even while they are using the VPN.”
Moratti said Leviathan’s research shows that many VPN providers are currently making promises to their customers that their technology can’t keep.
“VPNs weren’t designed to keep you more secure on your local network, but to keep your traffic more secure on the Internet,” Moratti said. “When you start making assurances that your product protects people from seeing your traffic, there’s an assurance or promise that can’t be met.”
A copy of Leviathan’s research, along with code intended to allow others to duplicate their findings in a lab environment, is available here.
Would be interested to understand what effect this has on Apple+ Private Relay running on iOS and macOS.
Apple+ private relay is, as far as I understand it, web proxies. Not VPN or VPN like.
Thus I would assume it would still be just as secure. Of course the bad guys would see you are trying to use Apple+ Relay.
But the obvious choice as a hacker would be to generate routes to subnets not including RFC-1918 addresses. Then most VPNs towards company resources would still work.
As a user, you should use DNS over HTTPS, and a proxy server with 2-way encryption / authentication. Then your web traffic would be tunnelled
The VPN is really there for other purposes. It was designed to reach internal resources/small subnets, to which nobody else has access. Thus if somebody announces a 10.0.0.0/8 route, your would lose your access to the protected resourced.
I’m not looking forward to how my company’s security division will react to this. Of course, the real question is how long ago hackers figured out this weakness. Great reporting, Brian.
I’ve reached out to Proton to ask about this in ProtonVPN.
That’s what I use too. I have to wonder if a VPN is worth bothering with.
Of course, the BIG insecurity with VPNs is that you are trusting the VPN vendor. It sees all of your traffic, totally unencrypted. For a free VPN, consider the basic Internet rule: if you’re not paying, you’re not the customer; you must be the merchandise.
You do realize a VPN does not always mean a service bought or gotten free of monetary chargefrom an obscure vendor to “hide from spying on the Internet”? That millions of people use a VPN for work, set up by their employer for the purpose of securely accessing their employer’s internal resources?
This compromises routing-based VPNs, which set up routing rules to direct traffic through a virtual VPN interface rather than through the usual physical network interface. The compromise uses DHCP Option 121 to modify the routing table by adding more-specific routes than those set up by the VPN. Because more-specific routes have higher priority when routing, they are used to route traffic for specific IP addresses or address ranges through the physical network interface instead of through the VPN, thus exposing the traffic.
Would it be possible to write a program to examine the routing table after each DHCP renewal, detect such situations, and alert the user and/or delete the more-specific routes? (That would require knowledge of exactly how the VPN software sets up the routing, which might only be known to the VPN software itself.)
Is this the down fall of internet threats?
My father told me many years ago that there was never a safe built that man could not get into. Forward many years and we see the same thing with the digital communication. The biggest problem is people doing unsafe things by going places not secure, even so called secure places could be compromised. This is the new world so we have to be aware what we do
This will only work if the client-to-site VPN provider’s network is compromised or, in the case of work-based VPNs, your corporate network has already been compromised. Even then, it is much more complex than shown above when dealing with Internet IP addressing/routing and/or client-to-site VPN devices (appliances).
DHCP, a BROADCAST protocol by nature, is unable to extend beyond the local network range without the inclusion of helper statements on a routing device. In the context of client-to-site VPNs, DHCP is typically managed by the same VPN concentrator, firewall, SSL VPN concentrator, or other client-to-site VPN device (appliances). These devices issue a DHCP lease only after proper authentication, and the DHCP request is transmitted solely during the tunnel build, never on the local network .
If your provider is not following this Network Security 101 best practice, then use at your own risk.
I feel like I’m missing something here between all the panic I see going on across various talking heads. My VPN client connects to my VPN concentrator to establish a full tunnel connection and both auth via strong mechanisms to each other (two factor with physical tokens), wtf do I care if the full local network has been compromised, that’s the entire point of why we use VPNs, because we expect local compromised networks. I’m pretty sure Tor doesn’t care either.
If you are sure that your VPN concentrator is being strongly authenticated then this vulnerability does not apply to you
You power up your laptop in your local network. It receives a DHCP assignment from the compromised DHCP server, using option 121 to set itself as a gateway, with all traffic routed to the DHCP server. You kick off your VPN client, and it goes through the DHCP server as gateway to get to your VPN provider. You are authenticated and the tunnel is established. You bring up a browser and navigate to a site of your choosing, but you laptop is now configured to send all traffic directly to the DHCP server as gateway, not to the VPN-provided gateway that is normally there for the virtual interface on your laptop. All your network traffic goes through the DHCP server, but not through your VPN tunnel. You have the tunnel and all your traffic going through the DHCP server, but your traffic is not taking the tunnel.
When you say “afull tunnel connection…” you’re really saying “a secure mechanism to send default IP traffic to.”
DHCP Option 121 allows the DHCP server (or a rogue one) to give your routing kernel MORE SPECIFIC ROUTES, and the way IP route selection works, the most specific routes are used. The default route (the one through your “full tunnel connection”) is the ROUTE OF LAST RESORT.
To make this clear in an example. You connect your “full tunnel connection” and now have a default route, or ROUTE OF LAST RESORT through that tunnel. You also have a local route from the address you got at the coffeeshop to the coffeeshop router. If you didn’t have that, once the VPN came up your routing kernel would no longer know how to talk to the net… and the VPN would drop, rinse, repeat.
DHCP option 121 allows adding a route for you to, say, whatever IP http://www.bankofamerica.com is. That means for all traffic other than that going to http://www.bankofamerica.com‘s IP you’ll go through the default route and the VPN. But if you go to the BofA one… it will go to the destination the option 121 route gave you, on the local coffeeshop LAN, where it can be intercepted, stored, forwarded, so you think you’re going through the tunnel, but you’re not.
I hope that helps.
2 cents, can’t this be disabled via gpo, rules or manually turned off,
this dhcp option 121 like LMHost without breaking any dependencies?
same with any virtual dhcp on vital servers or vip devices?
If this is needed for whatever reason put a canary checker on this when activated.
I wonder whether VPN services which offer Dedicated IP (such as NordVPN) would be less vulnerable, since, it seems, there seem to be no other users who’d have the capability to share the same user- and IP Address-space.
My friend bought his laptop from Best Buy and I think they sold the same IP address to both of us.
For the uninitiated it’s important to note; as advised on other forums;
” it’s important to clarify the use of the term “VPN” here. This affects “VPNs” used for anonymizing internet traffic or for geofence defeating on streaming services and such. It should not impact VPNs used to access private networks via the Internet.
For example, if you use a VPN to connect to your home network and access machines inside your LAN that are not directly exposed to the internet, this won’t affect that at all. It only affects VPN setups that redirect all Internet traffic via the VPN.
You may also be able to partially defeat it by not using a /0 route. You could instead do four routing entries with /2 networks. Of course, if the hacker sets up their network the same way, this could also be defeated. “
One has to understand, why would anyone want to crack your VPN network? What is it that they are so enthralled with? Your porn watching habits perhaps? Or do you think big brother is watching you all the time, trying to conjure up something to arrest you for something, while going about your boring daily existence. Are you so vain to think your social media (there’s nothing social about social media BTW) presence has national security consequences? Me, I’m an old man who just reads the news, places bets on the stock market and orders a lot of stupid stuff via amazon . I peruse the internet daily, bemoaning the stupidity and arrogance of youth, of politicians (at least as the media portrays them), and the waste of words and bandwidth the media spends on the Kadasians and Markle. God help us. I have little to hide, just that bank account in the Bahamas, from the IRS. Lol.
Your “why hide?” question is what many people ask when they don’t understand the actual threats. Collection of data allows for various things… marketing, deceptive marketing, guessing of behavior and passwords, impersonation, framing people for things they didn’t do, possibly breaking into their accounts, impersonation (even better with access to their accounts), re-selling their information and accounts, and so on. Just because normal people aren’t interesting does not mean they are worthless for attacks, extortion, or stealing their info/accounts. For some attackers, the point would not be to target and circumvent VPN traffic but to prevent it from working whether a target uses a VPN or not.
For a comparison, some people say that if a robber wants to get in your house, they can. Most people don’t leave their doors open with signs on their front walls saying that their doors are unlocked because SOME security is better than allowing every bad thing to happen because it could happen.
Most people that use VPNs are perverts and criminals. Not everyone that uses a VPN is a pervert or a criminal, but almost all criminals use a VPN. If someone says to me that they are using a VPN I assume they are doing something illegal. I didn’t hire someone a few months ago because I saw he had Mullvad when he shared his screen so I knew the kinds of things he was doing
“I didn’t hire someone a few months ago because I saw he had Mullvad when he shared his screen”
I hope you don’t work in Cyber Security, because if you do, sadly that is your loss. Anyone who uses a VPN in their home environment, in my eyes, is someone who takes their personal/private security seriously. And by that logic they would bring that mindset into their workplace, which is a good thing. Not everyone has criminal intent. You are making ignorant assumptions to your own detriment. Sigh.
For E Fromme and similar users, your “why hide?” question is what many people ask when they don’t understand the actual threats. Collection of data allows for various things… marketing, deceptive marketing, guessing of behavior and passwords, impersonation, framing people for things they didn’t do, possibly breaking into their accounts, impersonation (even better with access to their accounts), re-selling their information and accounts, and so on. Just because normal people aren’t interesting does not mean they are worthless for attacks, extortion, or stealing their info/accounts. Even boring people may have accounts, friends, relatives, and jobs. For some attackers, the point would not just be to target and circumvent VPN traffic but to prevent such a VPN from working whether a target uses a VPN or not.
Considering this other cliche, some people say that if a robber wants to get in your house, they can get in. Most people don’t leave their doors open with signs on their front walls saying that their doors are unlocked because SOME security is better than ALLOWING every bad thing to happen because it COULD happen. Similarly, the recommendations to disable adblock, disable firewalls, and uninstall antivirus programs because they “get in the way” are (to me) recommendations to play in traffic, with sick and stupid friends, never wearing a mask, and to do other dangerous pranks, and generally have no regard for safety because being smart is “inconvenient”. Any person or company that prevents the use of protections like adblock is an advocate for information misuse and (knowingly or not) is willing to sacrifice user privacy and safety for the profits and happiness of their webmasters and advertising associates. Attacks in simple web traffic (with web pages and such) include cross-site exploits and attacks directly on browsers, which ad-hosts can knowingly or unknowingly publish.
well said NotREally InFRance
the borg is real
please give a TED talk and award yourself a medal of honor
your kids will thank you for making the world a better place
please give a TED talk and award yourself a medal of honor,
the future will thank you for making the world a better place
Isn’t this resolved by setting static addresses that don’t expire? If all the devices on the network are on static addresses how would someone cause DHCP renewal?
Static addresses can be cloned or man in the middle. For vip users, use a yubi key with assigned static ip with mac address then static ip address lease time outs. So when they need complain about not being about to connect only reconnect via direct verified phone conversation and checking of mac address filtering, dns check, reverse dns check.
Some VPN services I’ve find didn’t redirect DNS so even if they used the tunnel, they still made requests to the provider or whomever the system DNS used.
Also, don’t think a VPN offers privacy. As soon as you launch a browser or apps on your phone lots of data is shared and a VPN doesn’t protect that.
Last and most important. If your company uses a containerized approach to BYOD that approach also may use a VPN to decide how to route traffic. However, traffic like to O365 could go direct so any app defined in the BYOD service regardless of using the container’s VPN or not will NOT use you private VPN and will send out traffic directly. I verified this on my phone as still rely on the BlackBerry UEM services
Can’t we use DHCP snooping and Dynamic arp inspection to secure the network from such attack. it worked well to protect the network from malicious actor. In addition we can use mac-address-sticky as well so that no one can a rogue device on the network.
>> Successfully executing this attack on a network likely would not allow an attacker to see all of a target’s traffic or browsing activity. That’s because for the vast majority of the websites visited by the target, the content is encrypted (the site’s address begins with https://). However, an attacker would still be able to see the metadata — such as the source and destination addresses — of any traffic flowing by.
To be boringly pedantic, this isn’t entirely true. The attacker would be able to see the source and destination DOMAINS, but wouldn’t be able to see the “addresses”, as defined in this paragraph.
So, you’d be able to see that someone visited example.com but you don’t know if they visited example.com/krebs-is-nice or example.com/krebs-is-nasty . Domain names are *never* encrypted, even with HTTPS.
I now win the prize for the most pedantic post ever made.
You name option 121 an ‘obscure feature’. But it really is not obscure. Neither in the sense, that it is hidden nor in the sense, that it’s use is a warning sign or even unusual. It may be a rarely used, a rarely known feature. But it’s surely not obscure.
If you have several clients in a common address range, but this clients shall have different privileges, classless routing has very potent abilities. You could reach your goals by other means, you could use different address ranges – but when I first learned of option 121, it’s simplicity and elegance was simply convincing.
@ e fromme
Maybe your comment “Why would anyone want to crack your VPN network? What is it that they are so enthralled with?” was meant ironically. I just wanted to point out that there are many types of hackers, not just ones who go after your money. There are also hackers who are stalkers and think they own their victims and will go to extreme lengths to gain and maintain control over their victims machines, network and dataflow. As a victim of (group) cyber stalking, I experience the toll this takes on my life (or what’s left of it) every single day, including financial strain, social isolation and constant fear. And If I had the choice I’d prefer a hacker who’s after my money any day, instead of living this nightmare that just goes on endlessly. At least then a victim can prove something and there’s more dignity in being a thief than stalking a hacker inflicting mental en emotional cruelty just for the fun of it. So yes, there are definitely people who want to crack your VPN network. And for you security men and women trying to fix vulnerabilities like this. You do this stuff for people like me, your work matters and is important!
So the world revolves around No Data huh? So you’re a victim huh? What did you do to incur the wrath of a group od stalkers? Piss them off you did? Think long and hard before you use the internet to expound you opinions and beliefs. As the guy wrote, social media is not social. And no, you don’t have a God, or constitutional, given right to be free of criticism and hate on the internet.
@ E fromme; Maybe your comment “Why would anyone want to crack your VPN network? What is it that they are so enthralled with?” was meant ironically. I just wanted to point out that there are many types of hackers, not just ones who go after your money. There are also hackers who are stalkers and think they own their victims and will go to extreme lengths to gain and maintain control over their victims machines, network and data flow. As a victim of (group) cyber stalking, I experience the toll this takes on my life (or what’s left of it) every single day, including financial strain, social isolation and constant fear. And If I had the choice I’d prefer a hacker who’s after my money any day, instead of living this nightmare that just goes on endlessly. At least then a victim can prove something and there’s more dignity in being a thief than stalking a hacker inflicting mental en emotional cruelty just for the fun of it. So yes, there are definitely people who want to crack your VPN network. And for you security men and women fixing vulnerabilities like this, many thanks for your efforts! Your work is important especially for people like me.
For Mylifeinabox here, this is a sad but true example: someone knows about the issues while being (or because of being) a victim. Most people are probably happy being as blissfully ignorant as “E fromme”, with social media posts detailing their actual lives and trivial activities, real name on LinkedIn, posting their resumes in hopes of actual offers without worrying that they could be used as targets within their current companies, have their identities stolen, have their accounts breached because major companies and service providers mistake “public record” information for “private information suitable for identity verification”. As for data collection, the potential for misuse is unlimited and overlapping. If a group of tech thugs steals private information, they can use it for breaking into accounts, sell info for profit, and threaten the victim with the release of private info, known passwords, and reporting them for real/false/staged crimes.