Don’t you control your dhcp server?
Comment on Mullvad VPN: Introducing Defense against AI-guided Traffic Analysis (DAITA)
pyrosis@lemmy.world 4 months ago
How about defense against dhcp option 121 changing the routing table and decloaking all VPN traffic even with your kill switch on? They got a plan for that yet? Just found this today.
SpaceCadet@feddit.nl 4 months ago
thatsnothowyoudoit@lemmy.ca 4 months ago
The Option 121 attack is a concern on networks where you don’t.
Exactly where you’d want a VPN. Cafes, hotels, etc.
SpaceCadet@feddit.nl 4 months ago
True that. Hadn’t thought of that as it’s not my typical VPN use case.
I’m not sure what a VPN provider could do about that though, they don’t control the operating system’s networking stack. If the user or an outside process that the user decides to trust (i.e. a dhcp server) adds its own network routes, the OS will follow it and route traffic outside of the tunnel.
The defenses I see against it are:
- Run the VPN and everything that needs to go through the VPN in a virtualized, non-bridged environment so it’s unaffected by the routing table.
- Put a NAT-ing device in between your computer and the network you want to use
- Modify the DHCP client so that option 121 is rejected
pyrosis@lemmy.world 4 months ago
Of course but you don’t control rogue dhcp servers some asshat might plug in anywhere else that isn’t your network
cypherpunks@lemmy.ml 4 months ago
mullvad.net/…/evaluating-the-impact-of-tunnelvisi…
pyrosis@lemmy.world 4 months ago
I doubt it would matter in some environments at all.
As an example a pc managed by a domain controller that can modify firewall rules and dhcp/dns options via group policy. At that point firewall rules can be modified.