
Blind In/On-Path Attacks and Applications to VPNs

Files
sec21fall-tolley.pdf (715.6Kb)
Identifiers
URI: http://hdl.handle.net/20.500.12761/967
Author(s)
Tolley, William; Kujath, Beau; Khan, Mohammad Taha; Vallina-Rodriguez, Narseo; Crandall, Jedidiah R.
Date
2021-08
Abstract
Protecting network protocols within an encrypted tunnel, using technologies such as Virtual Private Networks (VPNs), is increasingly important to millions of users needing solutions to evade censorship or protect their traffic against in/on-path observers/attackers. In this paper, we present a series of attacks from two threat models: an attacker that can inject spoofed packets into the network stack of a VPN client (called client-side), and an attacker that can spoof packets on the Internet and send them to a VPN server (called server-side). In both cases, we assume that the attacker is in/on-path, and can count encrypted bytes or packets over time. In both threat models, we demonstrate attacks to infer the existence of, interfere with, or inject data into TCP connections forwarded through the encrypted VPN tunnel. In the server-side threat model, we also demonstrate an attack to hijack tunneled DNS queries and completely remove the protections of the VPN tunnel. For the attacks presented in this paper, we (1) assess their feasibility in terms of packet rates and timing; (2) test their applicability against a broad range of VPN technologies, types, and vendors; and (3) consider practical issues with respect to real-world attacks. We followed an ethical disclosure process for all attacks presented in this paper. Client-side attacks were addressed with two CVEs and partially mitigated by a series of updates from some operating system and VPN client vendors. Server-side attacks have not been addressed and are still feasible with all operating systems and VPN servers that we tested.