I am reporting a vulnerability that exists on most Linux distros, and other *nix operating systems which allows a network adjacent attacker to determine if another user is connected to a VPN, the virtual IP address they have been assigned by the VPN server, and whether or not there is an active connection to a given website. Additionally, we are able to determine the exact seq and ack numbers by counting encrypted packets and/or examining their size. This allows us to inject data into the TCP stream and hijack connections.
At the end:
- Turning reverse path filtering on
I suggested to enable reverse path filtering in security-misc a while ago but Hulahoop pointed out that it might break VPNs in Whonix. I think it should be enabled by default but instructions to disable it for VPNs should be added to the wiki.
The link above does say that this attack doesn’t seem to work on Tor (although it hasn’t been tested much) and mitigation 3 is to add padding (which Tor does for connections to the guard node).