enable reverse path filtering

I am reporting a vulnerability that exists on most Linux distros, and other *nix operating systems which allows a network adjacent attacker to determine if another user is connected to a VPN, the virtual IP address they have been assigned by the VPN server, and whether or not there is an active connection to a given website. Additionally, we are able to determine the exact seq and ack numbers by counting encrypted packets and/or examining their size. This allows us to inject data into the TCP stream and hijack connections.

At the end:

**Possible Mitigations:**

  1. Turning reverse path filtering on

I suggested to enable reverse path filtering in security-misc a while ago but Hulahoop pointed out that it might break VPNs in Whonix. I think it should be enabled by default but instructions to disable it for VPNs should be added to the wiki.

The link above does say that this attack doesn’t seem to work on Tor (although it hasn’t been tested much) and mitigation 3 is to add padding (which Tor does for connections to the guard node).

1 Like

Good argument. Convinced. Yes, let’s harden by default. The cost of breaking VPNs by default is OK if we document how to unbreak VPNs in documentation (and Whonix News). Please send a pull request.

1 Like

To add: I have had these 2 sysctl settings enabled for several months and have not had any VPN-related issues so far.
Systems: Debian Buster 4.19 kernel, systemd 241, and also Ubuntu 18.04 4.15 kernel, Ubuntu 18.04 hwe 5.0.0.x kernel; both Ubuntus have systemd 237.
VPN software: OpenVPN package 2.4.7-1, 2.4.8

3 Likes
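As an added example (not code from the thread, security-misc, or the advisory it quotes), the following POSIX shell script shows what "turning reverse path filtering on" means at the sysctl level and how an administrator can check the effective mode before and after the change. It assumes the two relevant kernel parameters are `net.ipv4.conf.all.rp_filter` and `net.ipv4.conf.default.rp_filter` (the post above does not name its two settings, so this pairing is my assumption) and that the kernel applies the higher of the `all` and per-interface values, as the kernel documentation describes. The sysctl tree root is a parameter so the checker can be exercised against a constructed directory without touching a live system.

```shell
#!/bin/sh
# Added example, not part of the Whonix thread or the security-misc package.
# Assumption: the two keys that matter are net.ipv4.conf.all.rp_filter and
# net.ipv4.conf.default.rp_filter; the kernel uses max(all, <interface>)
# when validating the source address of a packet arriving on <interface>.

# Translate an rp_filter value into the mode the kernel documents:
#   0 = no source validation
#   1 = strict (packet must arrive on the interface that routes back to it)
#   2 = loose  (source only needs to be reachable via some interface)
rp_filter_mode_name() {
    case "$1" in
        0) echo "off" ;;
        1) echo "strict" ;;
        2) echo "loose" ;;
        *) echo "unknown" ;;
    esac
}

# Report the effective mode for one interface.
# $1: sysctl tree root (default /proc/sys; overridable for offline testing)
# $2: interface name (default "default", i.e. the template for new interfaces)
rp_filter_effective() {
    root="${1:-/proc/sys}"
    iface="${2:-default}"
    all=$(cat "$root/net/ipv4/conf/all/rp_filter")
    val=$(cat "$root/net/ipv4/conf/$iface/rp_filter")
    # Kernel semantics: the larger of the two values wins.
    if [ "$all" -gt "$val" ]; then eff=$all; else eff=$val; fi
    rp_filter_mode_name "$eff"
}

# Emit a sysctl.d fragment enabling the requested mode on both keys.
# Mode 1 (strict) is what the thread proposes to ship by default; mode 2
# (loose) is the fallback to document for VPN setups that strict mode breaks,
# since a tunnel interface often is not the interface the kernel would route
# the reply through.
rp_filter_sysctl_conf() {
    mode="${1:-1}"
    printf 'net.ipv4.conf.all.rp_filter=%s\nnet.ipv4.conf.default.rp_filter=%s\n' \
        "$mode" "$mode"
}

# Usage: sh rp_filter.sh show [interface]
#   prints the current effective mode and the fragment that would enable strict mode.
if [ "${1:-}" = "show" ]; then
    echo "effective rp_filter on ${2:-default}: $(rp_filter_effective /proc/sys "${2:-default}")"
    echo "fragment for /etc/sysctl.d/ (apply with: sysctl --system):"
    rp_filter_sysctl_conf 1
fi
```

Running `sh rp_filter.sh show tun0` on a live host reads the real `/proc/sys` tree; the fragment it prints is the change the thread is asking for, and switching the argument of `rp_filter_sysctl_conf` to 2 produces the loose-mode variant the wiki note for VPN users would point to.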

Thanks, merged! :slight_smile:

2 Likes