
Watch out for rogue DHCP servers decloaking your VPN connections
2024-05-07 21:50

"TunnelVision's effect is independent of the underlying VPN protocol because it reconfigures the operating system network stack the VPN relies on."

Anyone who is able to operate a DHCP server on the same network as someone using a VPN, and get that VPN client's machine to use that DHCP server, can decloak their traffic because of a particular feature in the configuration protocol: option 121, which allows administrators to add classless static routes to client routing tables.

Ways to get a target's machine to use the rogue DHCP server include:

A rogue DHCP server using a DHCP starvation attack against the true DHCP server, then responding to new clients.

A rogue DHCP server racing to respond to DHCPDISCOVER broadcasts, abusing DHCP clients' common behavior of implementing first-offer lease selection.

Once a miscreant is in a position to issue DHCP leases to a target's machine, they can use option 121 to force all data - even traffic that's supposed to be destined for a VPN tunnel - through a gateway set up by the DHCP server and then read whatever traffic they can.

If it's possible to tell your system to ignore DHCP option 121 while a VPN is active, that would be a good plan, and Leviathan also recommends using a VPN through a dedicated, password-protected wireless hotspot for an added layer of security.
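A defender can check what a lease actually pushed. The following is an added example, not code from the article or from Leviathan: it decodes an option 121 payload in the RFC 3442 classless static route encoding and flags routes that are more specific than the VPN's route and would therefore win the routing table's longest-prefix match. The function names, the sample payload and the full-tunnel VPN route are assumptions made for illustration.

```python
import ipaddress

def parse_option_121(data: bytes):
    """Decode an RFC 3442 classless static route option into (network, gateway) pairs."""
    routes, i = [], 0
    while i < len(data):
        width = data[i]                      # destination prefix length in bits
        if width > 32:
            raise ValueError(f"invalid prefix length {width} at offset {i}")
        n = (width + 7) // 8                 # only the significant octets are sent
        end = i + 1 + n + 4                  # length byte + destination + router
        if end > len(data):
            raise ValueError("truncated option 121 payload")
        dest = data[i + 1:i + 1 + n] + bytes(4 - n)   # pad back to 4 octets
        net = ipaddress.IPv4Network((dest, width), strict=False)
        gateway = ipaddress.IPv4Address(data[end - 4:end])
        routes.append((net, gateway))
        i = end
    return routes

def routes_overriding_vpn(routes, vpn_networks):
    """Return (route, gateway, vpn_route) for each pushed route that is strictly
    more specific than a VPN route covering it, so it wins longest-prefix match."""
    return [(net, gw, vpn)
            for net, gw in routes
            for vpn in vpn_networks
            if net.prefixlen > vpn.prefixlen and net.subnet_of(vpn)]

# Constructed sample payload (documentation addresses, not captured traffic):
#   0.0.0.0/1 and 128.0.0.0/1 via 192.0.2.1, 198.51.100.0/24 via 192.0.2.254
SAMPLE_OPTION_121 = bytes.fromhex("01 00 c0000201  01 80 c0000201  18 c63364 c00002fe")
FULL_TUNNEL = [ipaddress.IPv4Network("0.0.0.0/0")]   # assumed VPN default route

if __name__ == "__main__":
    pushed = parse_option_121(SAMPLE_OPTION_121)
    for net, gw, vpn in routes_overriding_vpn(pushed, FULL_TUNNEL):
        print(f"ALERT: DHCP route {net} via {gw} overrides VPN route {vpn}")
```

With a full-tunnel VPN, any option 121 route is worth reviewing, since legitimate networks can also push static routes that take traffic outside the tunnel.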


News URL

https://go.theregister.com/feed/www.theregister.com/2024/05/07/vpn_tunnelvision_dhcp/