Anonymous Anonymity: combating IP leaks in browsers, OS, VPN

Hi colleagues :-)! It's been a while since I wrote! Let's talk about the mythical anonymity on the net. Over the last few years I came across several scenarios of user de-anonymization and collected them. In this post I will cover those scenarios: real IP and traffic leaks when using VPNs, SOCKS and proxy servers, and how you can protect against them. In general, I'm a fan of Tails and Tor :-).
VPN traffic and IP leakage on connection failure.
One of the main problems with virtual private networks is traffic leakage: traffic that was supposed to travel through the VPN tunnel in anonymized form leaves the host in the clear, from your real address. This is not a bug in the client or the server; it is a consequence of how routing behaves when the tunnel goes away. The most trivial scenario is that the VPN connection drops. For instance, you decide to check a list of SSH or FTP hosts, launch the scanner, walk away to mind your own business for several minutes, come back, and find the connection is broken. But the checker/scanner is still running, and now it works from your real address: once the tunnel's routes disappear, the operating system falls back to whatever default route remains, normally the one through your LAN gateway.
What to do in this case?
To avoid leaking traffic and your real IP when a VPN connection is suddenly severed, try the following:
1. Make all traffic go through the VPN by removing the default gateway, keeping only a host route to the VPN server itself so the tunnel can still be established. The VPN client then installs its own default route through the tunnel, and when the tunnel drops there is no route left for traffic to take, so it fails instead of leaking. In Windows route syntax (192.168.1.1 is the LAN router and 22.214.171.124 stands for your VPN server's address):
route delete 0.0.0.0 192.168.1.1 // delete the default gateway
route add 22.214.171.124 mask 255.255.255.255 192.168.1.1 metric 1 // keep a host route to the VPN server only, so the tunnel can still be built
Mind the order: some clients (OpenVPN's redirect-gateway, for instance) look up the existing default gateway when they connect, so the safest sequence is to connect the VPN, add the host route, and only then delete the LAN default. Note also that the route to your own LAN subnet stays, so a resolver on 192.168.1.1 is still reachable: DNS can still leak and must be checked separately (see the DNS leak test below).
2. Use the VPNetMon utility (https://vpnetmon.webs.com/), which monitors the state of the VPN connection and, as soon as it fails, instantly terminates user-specified programs, such as web browsers, SSH/e-mail/FTP checkers, virtualization clients and torrent clients.
3. You can also use the VPNCheck utility (https://www.guavi.com/vpncheck_free.html), which, depending on the settings, either completely disables the network card, cutting off all communication with the outside world, or terminates the desired processes.
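The three steps above amount to a "fail-closed" policy: either the tunnel carries everything, or the programs that must not talk off-VPN are stopped. The following is an added example of such a watchdog in the spirit of VPNetMon, written for this post and not code from VPNetMon, VPNCheck or any VPN client. It reads the Linux "ip route show" table (the Linux counterpart of the Windows route commands above), decides whether the tunnel still covers all IPv4 traffic, and terminates the watched processes when it does not. The interface name tun0, the process names in WATCHED and the sample route tables are all assumptions; the tables are constructed to show the states a practitioner meets, including OpenVPN's "redirect-gateway def1" layout, where two /1 routes override a LAN default route that is still present underneath and becomes the leak path the moment the tunnel dies.

```python
#!/usr/bin/env python3
"""Fail-closed VPN watchdog (added example; not VPNetMon/VPNCheck code).

Decides from `ip route show` output whether the tunnel still carries all
IPv4 traffic and kills the watched programs when it does not.
Assumptions: the VPN interface is tun0; WATCHED lists the tools that
must never run off-VPN."""
import re
import subprocess
import sys
import time
from typing import Optional, Tuple

TUNNEL_DEV = "tun0"                       # assumed VPN interface name
WATCHED = ["nmap", "masscan", "firefox"]  # assumed process names to terminate
POLL_SECONDS = 2

# Matches "default via 192.168.1.1 dev eth0 ..." as well as OpenVPN's
# redirect-gateway def1 pair "0.0.0.0/1 via 10.8.0.5 dev tun0" / "128.0.0.0/1 ...".
ROUTE_RE = re.compile(r"^(default|0\.0\.0\.0/1|128\.0\.0\.0/1)\s+(?:via\s+\S+\s+)?dev\s+(\S+)")

# Constructed sample tables (not captured from a real host).
SAMPLE_DEF1 = (
    "0.0.0.0/1 via 10.8.0.5 dev tun0\n"
    "default via 192.168.1.1 dev eth0 proto dhcp metric 100\n"   # LAN default still underneath
    "10.8.0.1 via 10.8.0.5 dev tun0\n"
    "128.0.0.0/1 via 10.8.0.5 dev tun0\n"
    "203.0.113.10 via 192.168.1.1 dev eth0 metric 1\n"           # host route to the VPN server
    "192.168.1.0/24 dev eth0 proto kernel scope link src 192.168.1.23\n"
)
SAMPLE_HARDENED = SAMPLE_DEF1.replace("default via 192.168.1.1 dev eth0 proto dhcp metric 100\n", "")
SAMPLE_DROPPED_CLOSED = (                                       # tunnel gone, LAN default deleted
    "203.0.113.10 via 192.168.1.1 dev eth0 metric 1\n"
    "192.168.1.0/24 dev eth0 proto kernel scope link src 192.168.1.23\n"
)
SAMPLE_DROPPED_LEAKING = "default via 192.168.1.1 dev eth0 proto dhcp metric 100\n" + SAMPLE_DROPPED_CLOSED


def route_state(ip_route_output: str, tunnel_dev: str = TUNNEL_DEV) -> Tuple[bool, Optional[str]]:
    """Return (covered, fallback).

    covered  - every IPv4 destination currently goes through the tunnel:
               a default route on tunnel_dev, or both /1 halves on it.
    fallback - device of a default route that does NOT point into the tunnel;
               this is the entry the post's `route delete 0.0.0.0` removes.
    """
    via_tunnel = set()
    fallback = None
    for line in ip_route_output.splitlines():
        m = ROUTE_RE.match(line.strip())
        if not m:
            continue
        prefix, dev = m.groups()
        if dev == tunnel_dev:
            via_tunnel.add(prefix)
        elif prefix == "default":
            fallback = dev
    covered = "default" in via_tunnel or {"0.0.0.0/1", "128.0.0.0/1"} <= via_tunnel
    return covered, fallback


def verdict(ip_route_output: str, tunnel_dev: str = TUNNEL_DEV) -> str:
    covered, fallback = route_state(ip_route_output, tunnel_dev)
    if covered and fallback is None:
        return "ok-fail-closed"    # tunnel up, nothing to fall back to
    if covered:
        return "ok-but-fallback"   # tunnel up, LAN default still present: leaks on drop
    if fallback is None:
        return "down-fail-closed"  # tunnel gone, no default: traffic fails, not leaks
    return "down-leaking"          # tunnel gone, traffic now leaves via the LAN gateway


def current_routes() -> str:
    return subprocess.run(["ip", "route", "show"], capture_output=True, text=True, check=True).stdout


def kill_watched(names) -> None:
    for name in names:
        subprocess.run(["pkill", "-TERM", "-x", name])  # exact process-name match


def main() -> None:
    while True:
        state = verdict(current_routes())
        if state.startswith("down"):
            print(f"VPN lost ({state}); terminating {WATCHED}", file=sys.stderr)
            kill_watched(WATCHED)
        elif state == "ok-but-fallback":
            print("tunnel up, but a LAN default route is still present; delete it", file=sys.stderr)
        time.sleep(POLL_SECONDS)


if __name__ == "__main__":
    main()
```

The interesting verdict is "ok-but-fallback": the tunnel is up and everything looks fine, yet the table still contains the LAN default route, which is exactly the situation in which a dropped tunnel turns into a silent leak. Deleting that route, as step 1 describes, turns a later drop into "down-fail-closed".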
VPN traffic and IP leakage in IPv6 and IPv4 networks.
But there are more insidious traps. For example, VPN traffic leakage is quite common on hosts that support both IPv6 and IPv4 (dual-stack hosts).
The co-existence of the two protocols can lead to a rather unpleasant situation in which traffic bypasses the VPN tunnel and reveals the real IP. Although IPv6 is not backward compatible with IPv4, the two are tied together by the domain name system. A simple example: a web service or site has a domain name with both an A record (IPv4 address) and an AAAA record (IPv6 address). When software that supports both protocols, or only IPv6 (browser, checker, scanner, etc.), starts talking to that site, it may pick either of the returned addresses and will send its packets to that address over the corresponding protocol. Most stacks prefer the AAAA answer whenever the host has a global IPv6 address (the default address-selection rules of RFC 6724), so if an IPv6 route exists it is the one that gets used.
And here the bird flies out of the cage 🙁. Many VPN implementations do not handle IPv6 at all, or simply ignore it. The VPN client forwards all IPv4 packets through its tunnel, but packets carrying an IPv6 address in their header are not recognized and are routed as before: straight out of the physical interface. The result is that if the host has an IPv6 address and the application chooses the AAAA record, traffic goes through the local router in the clear, from your real (IPv6) address. Caramba, we are sure we are working through the VPN, but the traffic takes a path we never intended! Again, the root cause is that, although the two protocols are incompatible with each other, both are served by the same domain name system. It follows that on a system that supports both protocols it is impossible to provide a secure connection to another system without securing both IPv4 and IPv6.
Provoking deliberate traffic leakage.
An attacker on the same LAN can deliberately bring up an IPv6 connection on a victim's computer by sending ICMPv6 Router Advertisement messages: the victim's stack autoconfigures an address from the advertised prefix and installs a default IPv6 route through the attacker's "router", outside the VPN. Such packets can be sent with rtadvd (https://www.gsp.com/cgi-bin/man.cgi?s8topic=rtadvd), the SI6 Networks IPv6 Toolkit (https://www.si6networks.com/tools/ipv6toolkit/) or THC-IPv6 (https://thc.org/download.php?t=rf=thc-ipv6-2.1.tar.gz). Any dual-stack traffic then leaks over IPv6 and passes through the attacker's host, where it can be intercepted by a MITM attack.
What to do in this case?
To send all traffic through the VPN connection, do the following:
If the VPN client does not support IPv6, disable the sixth version of the protocol on all available network interfaces. Applications active on the network will then have no choice but to use IPv4. !!! On Windows, uncheck "Internet Protocol Version 6 (TCP/IPv6)" in the properties of every network adapter; on Linux, set the sysctl net.ipv6.conf.all.disable_ipv6=1. If the VPN client does support IPv6, make sure it installs a default IPv6 route (::/0) through the tunnel, so that all transmitted traffic, not only IPv4, is sent over the VPN, and apply the same "no default gateway" trick to IPv6 as to IPv4.
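To make the dual-stack leak, the rogue-RA variant and both fixes concrete, here is an added example written for this post (not from the original article or any VPN client). It models what the kernel does: a longest-prefix-match lookup over a route table, applied to the addresses an A/AAAA answer returns, and reports which interface each connection would leave through. The route table, DNS answer, and the tun0/eth0 interface names are constructed assumptions using documentation address ranges; the "::/0 via eth0" entry is exactly what SLAAC installs from a Router Advertisement, whether it came from the real LAN router or from an attacker's rtadvd.

```python
#!/usr/bin/env python3
"""Dual-stack address selection versus a VPN that only carries IPv4
(added example, not from the original post).

Simulates the kernel's longest-prefix-match route lookup over a constructed
table and a constructed A/AAAA answer. Interface names and addresses are
assumptions (documentation ranges only)."""
import ipaddress
from typing import Dict, List, Optional, Sequence, Tuple

Route = Tuple[str, str]   # (prefix, outgoing interface)
TUNNEL_DEV = "tun0"

# Constructed: the table after a typical IPv4-only VPN client has redirected
# the IPv4 default route. IPv6 was never touched, so ::/0 still points at the
# LAN router (or at an attacker's router that sent a Router Advertisement).
ROUTES_V4_ONLY_VPN: List[Route] = [
    ("0.0.0.0/0", "tun0"),
    ("203.0.113.10/32", "eth0"),   # VPN server reachable directly (the post's `route add`)
    ("192.168.1.0/24", "eth0"),
    ("::/0", "eth0"),
    ("fe80::/64", "eth0"),
]

# Constructed DNS answer with both an A and an AAAA record.
DNS: Dict[str, List[str]] = {
    "target.example": ["198.51.100.7", "2001:db8:1::7"],
}


def outgoing_interface(dst: str, routes: Sequence[Route]) -> Optional[str]:
    """Longest-prefix match within the destination's address family; None = unroutable."""
    addr = ipaddress.ip_address(dst)
    best = None
    for prefix, dev in routes:
        net = ipaddress.ip_network(prefix)
        if net.version != addr.version or addr not in net:
            continue
        if best is None or net.prefixlen > best[0].prefixlen:
            best = (net, dev)
    return best[1] if best else None


def ordered_answers(hostname: str, dns: Dict[str, List[str]], prefer_ipv6: bool = True) -> List[str]:
    """getaddrinfo order: with a global IPv6 address present, RFC 6724 puts AAAA first."""
    return sorted(dns[hostname], key=lambda a: ipaddress.ip_address(a).version, reverse=prefer_ipv6)


def connection_path(hostname: str, dns: Dict[str, List[str]], routes: Sequence[Route],
                    prefer_ipv6: bool = True) -> Tuple[str, str]:
    """The first answer that has a route is the one the application connects to;
    an unroutable family fails immediately and the stack falls through to the next."""
    for a in ordered_answers(hostname, dns, prefer_ipv6):
        dev = outgoing_interface(a, routes)
        if dev is not None:
            return a, dev
    raise ConnectionError(f"no route to any address of {hostname}")


def leaks_outside_tunnel(hostname: str, dns: Dict[str, List[str]], routes: Sequence[Route],
                         tunnel_dev: str = TUNNEL_DEV) -> bool:
    return connection_path(hostname, dns, routes)[1] != tunnel_dev


def disable_ipv6(routes: Sequence[Route]) -> List[Route]:
    """The fix for clients without IPv6 support: no IPv6 routes at all."""
    return [r for r in routes if ipaddress.ip_network(r[0]).version == 4]


def route_ipv6_via_tunnel(routes: Sequence[Route], tunnel_dev: str = TUNNEL_DEV) -> List[Route]:
    """The fix for clients that do support IPv6: ::/0 must point into the tunnel."""
    return [r for r in routes if r[0] != "::/0"] + [("::/0", tunnel_dev)]


if __name__ == "__main__":
    for label, table in [("IPv4-only VPN", ROUTES_V4_ONLY_VPN),
                         ("IPv6 disabled", disable_ipv6(ROUTES_V4_ONLY_VPN)),
                         ("IPv6 via tunnel", route_ipv6_via_tunnel(ROUTES_V4_ONLY_VPN))]:
        addr, dev = connection_path("target.example", DNS, table)
        print(f"{label:16s} -> {addr} via {dev}{'  LEAK' if dev != TUNNEL_DEV else ''}")
```

With the unmodified table the AAAA answer wins and the connection leaves via eth0; with IPv6 disabled the AAAA address has no route, the stack falls through to the A record and the connection goes via tun0; with ::/0 moved into the tunnel, IPv6 is used but stays inside the VPN.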
Now check yourself!
Check your DNS configuration for leaks at www.dnsleaktest.com (it shows which resolvers actually see your queries), and separately check whether the outside world sees an IPv6 address of yours at all; then apply the tips in this article until only the VPN's addresses show up.
Browser traffic leak via WebRTC.
The thing is that all modern browsers ship with WebRTC, and it is enabled by default. What is it?
WebRTC (https://ru.wikipedia.org/wiki/WebRTC) is an open-source project for real-time, peer-to-peer transfer of audio, video and data between browsers or other applications. WebRTC has been implemented in Google Chrome since version 17, Opera since version 12 and Firefox since version 18.
The danger is that, to set up a peer-to-peer connection, the browser gathers every address it could be reached on (ICE candidates): the addresses of its own network interfaces, and its public address as reported by a STUN server. A web page can read those candidates with a few lines of JavaScript, so your real IP address can be visible even though you are using a VPN, Tor, SOCKS or a proxy.
Note: WebRTC is not such a big threat to those who sit behind NAT or a router, i.e. most users: the interface addresses it reveals are then only internal (private) ones. But the internal IP shows up anyway, and the public address still comes from the STUN candidate: that one shows the VPN's address when the tunnel carries the browser's UDP, and your real address when only a SOCKS or HTTP proxy covers the browser's TCP traffic, because STUN goes out over plain UDP around the proxy.
How to get tested and cured?
-If you are currently using a VPN connection and have WebRTC enabled, a WebRTC leak test will show two IP addresses: the first is your VPN's, the second is the address of your own network card. If you disable WebRTC, only one IP will be displayed.
In Firefox, open about:config, find the media.peerconnection.enabled parameter and set it to false.
Google Chrome has no such switch: install an extension such as WebRTC Block or WebRTC Control. Such extensions rely on Chrome's chrome.privacy.network.webRTCIPHandlingPolicy setting, which can also restrict WebRTC to proxied traffic only instead of disabling it outright.
After all the work is done, check the result at https://whoer.net/extended. And also remove Flash and Java, roots and all!
With these two technologies the hole is even deeper than in the previous examples: both are plugins that open their own network connections, bypassing the browser's proxy settings. So let's not dig into it and just uproot these weeds for our own sake! (Flash has been end-of-life since the end of 2020 anyway.) You can check for Flash leaks via https://2ip.ru/privacy/ and a similar service, https://ip-check.info/.
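What a leak-test page actually does with the "two IP addresses" mentioned above is look at each ICE candidate and decide what kind of address it exposes. The following is an added example written for this post, not code from whoer.net or any extension: in the browser a page gathers candidates with RTCPeerConnection.createDataChannel() plus createOffer() and reads them from the onicecandidate callback; this block performs the analysis step on constructed candidate lines in the format browsers emit. It separates LAN/tunnel-internal addresses (the "behind NAT" case), the VPN's own public address, and addresses that should never have been visible, i.e. a STUN reply that went around the tunnel or a global IPv6 address of the host itself (which ties back to the IPv6 section). The VPN public address 198.51.100.200 and all candidate lines are assumptions; the mDNS ".local" candidate shows how current browsers hide host addresses by default.

```python
#!/usr/bin/env python3
"""Classifying the addresses WebRTC hands out (added example; not code from
the original post, a browser, or any leak-test site).

Parses ICE candidate lines as emitted by browsers and tells internal,
VPN and leaked addresses apart. The VPN public address and the sample
candidates are constructed assumptions."""
import ipaddress
import re
from typing import Dict, List, Optional

CANDIDATE_RE = re.compile(
    r"candidate:(?P<foundation>\S+) (?P<component>\d+) (?P<transport>\S+) (?P<priority>\d+) "
    r"(?P<address>\S+) (?P<port>\d+) typ (?P<type>\S+)"
    r"(?: raddr (?P<raddr>\S+) rport (?P<rport>\d+))?"
)

# Address ranges that only mean something inside a LAN, a tunnel or a link:
# seeing one of these is the "internal IP will show up anyway" case of the post.
INTERNAL_NETS = [ipaddress.ip_network(n) for n in (
    "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16",   # RFC 1918
    "100.64.0.0/10",                                   # carrier-grade NAT
    "169.254.0.0/16", "fe80::/10",                     # link-local
    "fc00::/7",                                        # IPv6 unique local
    "127.0.0.0/8", "::1/128",                          # loopback
)]


def parse_candidate(line: str) -> Optional[Dict[str, str]]:
    """Accept both raw 'candidate:...' strings and SDP 'a=candidate:...' lines."""
    line = line.strip()
    if line.startswith("a="):
        line = line[2:]
    m = CANDIDATE_RE.match(line)
    return m.groupdict() if m else None


def classify(cand: Dict[str, str], vpn_public_ip: str) -> str:
    address = cand["address"]
    if address.endswith(".local"):
        return "masked"        # mDNS name: current browsers hide host IPs this way
    try:
        addr = ipaddress.ip_address(address)
    except ValueError:
        return "unparsed"
    if any(addr in net for net in INTERNAL_NETS):
        return "internal"      # LAN or tunnel-side address, not your public identity
    if str(addr) == vpn_public_ip:
        return "vpn"           # the STUN reply travelled through the tunnel: fine
    # Any other global address is a leak: STUN bypassed the tunnel (srflx),
    # or the host itself has a global IPv6 address (host candidate).
    return "leak"


def webrtc_exposure(lines: List[str], vpn_public_ip: str) -> Dict[str, List[str]]:
    out: Dict[str, List[str]] = {"internal": [], "vpn": [], "leak": [], "masked": [], "unparsed": []}
    for line in lines:
        cand = parse_candidate(line)
        if cand is None:
            continue
        out[classify(cand, vpn_public_ip)].append(cand["address"])
    return out


# Constructed candidates (foundations/priorities arbitrary, addresses from documentation ranges).
SAMPLE_CANDIDATES = [
    "candidate:1 1 udp 2122260223 192.168.1.23 54321 typ host generation 0",        # LAN address
    "candidate:2 1 udp 2122194687 10.8.0.6 54322 typ host generation 0",            # VPN tunnel address
    "candidate:3 1 udp 2122129151 2001:db8:a:1::23 54323 typ host generation 0",    # global IPv6 on eth0
    "a=candidate:4 1 udp 1685987071 198.51.100.200 54322 typ srflx raddr 10.8.0.6 rport 54322 generation 0",
    "candidate:5 1 udp 1685921535 203.0.113.45 54321 typ srflx raddr 192.168.1.23 rport 54321 generation 0",
    "candidate:6 1 udp 2122260223 3f0a1c2e-5b7d-4e8f-9a1b-2c3d4e5f6a7b.local 54324 typ host generation 0",
]
ASSUMED_VPN_PUBLIC_IP = "198.51.100.200"   # assumption: the address your VPN exit shows to the world

if __name__ == "__main__":
    for kind, addrs in webrtc_exposure(SAMPLE_CANDIDATES, ASSUMED_VPN_PUBLIC_IP).items():
        print(f"{kind:9s} {addrs}")
```

The two srflx candidates tell the story: the one whose raddr is the tunnel address came back with the VPN's public IP, while the one whose raddr is the LAN address shows that a STUN packet left through eth0 and returned with the real public IP. The global IPv6 host candidate is the same leak as in the IPv6 section, only now it is the browser announcing it.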
It so happens that at the mention of VPN, SOCKS or Tor, security and anonymity of data immediately come to mind. Users turn to a VPN when they want to hide their real location or hide their traffic from the "eyes" of the provider. In fact it turns out that the transmitted traffic is quite easy to recognize, and sometimes, through the user's inattention, it is transmitted in the open. So don't be complacent: keep your connections secure and anonymous, and keep checking your anonymity.
And thank you if you've read this piece to the end!