
Bad Neighbors: On Understanding VPN Provider Networks

Teemu Rytilahti, Thorsten Holz

TL;DR

We develop an automated measurement system whose results indicate a widespread lack of traffic filtering towards internally routable networks on the majority of tested VPN service providers, even in cases where no other VPN customers were directly exposed.

Abstract

Virtual Private Network (VPN) solutions are used to connect private networks securely over the Internet. Besides their benefits in corporate environments, VPNs are also marketed to privacy-minded users to preserve their privacy and to bypass geolocation-based content blocking and censorship. This has created a market for turnkey VPN services offering a multitude of vantage points all over the world for a monthly price. While VPN providers lean heavily on privacy and security benefits in their marketing, such claims are generally hard to measure and substantiate. While there exist some studies on the VPN ecosystem, all prior works omit a critical part in their analyses: (i) How well do the providers configure and secure their own network infrastructure? and (ii) How well are they protecting their customers from other customers? To answer these questions, we have developed an automated measurement system with which we conduct a large-scale analysis of VPN providers and their thousands of VPN endpoints. Because VPNs work internally using non-Internet-routable IP addresses, they might enable access to otherwise inaccessible networks. If not properly secured, this can inadvertently expose internal networks of these providers, or worse, even other clients connected to their services. Our results indicate a widespread lack of traffic filtering towards internally routable networks on the majority of tested VPN service providers, even in cases where no other VPN customers were directly exposed. We have disclosed our findings to the affected providers and other stakeholders, and offered guidance to improve the situation.
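The abstract's core finding is that customer traffic towards internally routable networks, including other customers, is often forwarded unfiltered. As an added illustration that is not code from the paper or from any provider, the following reference forwarding policy encodes the opposite behaviour, so an operator can compare a gateway's firewall decisions against it; the client subnet, gateway address and sample flows are assumed and constructed.

```python
# Added example: reference forwarding policy for a VPN gateway, written from
# the mitigation side of the paper's finding. All addresses are constructed.
import ipaddress

# Assumed layout: clients are assigned from CLIENT_NET; the gateway itself
# (e.g. the tunnel's DNS resolver) is the only in-tunnel destination a client
# legitimately needs to reach.
CLIENT_NET = ipaddress.ip_network("10.8.0.0/24")
GATEWAY = ipaddress.ip_address("10.8.0.1")

# Address space that is never Internet-routable and therefore never a valid
# destination for customer traffic leaving the tunnel: RFC 1918, carrier-grade
# NAT (RFC 6598), link-local, loopback and "this network".
NON_ROUTABLE = [ipaddress.ip_network(n) for n in (
    "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16",
    "100.64.0.0/10",
    "169.254.0.0/16",
    "127.0.0.0/8", "0.0.0.0/8",
)]


def should_forward(src: str, dst: str) -> bool:
    """Return True if a packet from a VPN client may be forwarded."""
    s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    if s not in CLIENT_NET:        # not from a tunnel client: not our concern here
        return False
    if d == GATEWAY:               # gateway services (DNS) stay reachable
        return True
    if d in CLIENT_NET:            # customer-to-customer isolation
        return False
    # Everything else in provider-internal / non-routable space is dropped.
    return not any(d in net for net in NON_ROUTABLE)


def audit(flows):
    """Return the (src, dst) pairs a compliant gateway must drop."""
    return [(s, d) for s, d in flows if not should_forward(s, d)]


if __name__ == "__main__":
    # Constructed sample of observed in-tunnel flows.
    sample = [("10.8.0.2", "93.184.216.34"), ("10.8.0.2", "10.8.0.3"),
              ("10.8.0.2", "192.168.1.10"), ("10.8.0.2", "10.8.0.1")]
    print(audit(sample))
```

Running the audit over a gateway's real forwarding log (instead of the constructed sample) lists exactly the flows the paper's measurements would flag as exposure.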

Paper Structure

This paper contains 27 sections, 6 figures, 6 tables.

Figures (6)

  • Figure 1: Overview of our scanning setup. ❶ Inspect the provider, register, and obtain configurations. ❷ Generate configurations and launch probing containers. ❸ Start packet capture and execute active probes on connection establishment. ❹ Launch reactive probes when encountering packets from unknown, internal networks. ❺ Combine collected data with in-tunnel packet traces to create a graph. Enrich the graph with information about geolocation, autonomous systems, and Censys information for offline analyses.
  • Figure 2: Distribution of Exposed Services per Hop Distance. The proportion of protocols commonly found on end-user systems (, NetBIOS, , ) are more often closer in hops than the protocols used for administrative uses.
  • Figure 3: Source and Destination Networks per Hop Count. The left-hand side shows the network given to our client whereas the right-hand side shows the network where the exposed service was seen.
  • Figure 4: Proportion of Hosts with Shared Identifiers. This shows the probability of how often the protocol on the X axis was seen on the same host as the protocol on Y axis. For example, 91 % of hosts exposing NetBIOS did also expose , while the case was only 49 % the other way around.
  • Figure 5: Overview of Stakeholder Categorized Exposures. Left: prober's network. Right: exposed service's network.
  • ...and 1 more figure