A collaboration between Top10VPN and Professor Mathy Vanhoef from KU Leuven University has revealed serious security flaws in widely used tunneling protocols. These vulnerabilities affect over 4.2 million hosts worldwide, including VPN servers, ISP routers, mobile network nodes, and content delivery network (CDN) devices. The most affected countries are China, France, Japan, the United States, and Brazil.
Protocols Under Threat: Critical Vulnerabilities Detected
The research reveals that protocols such as IPIP, GRE, 6in4, and 4in6, used to interconnect disconnected networks, lack authentication and encryption unless supported by additional security measures like IPSec. This allows attackers to inject malicious traffic into tunnels, facilitating denial-of-service (DoS) attacks, impersonation, and unauthorized access to private networks.
Affected Hosts by Protocol
Protocol | Vulnerable Hosts | Impersonable Hosts |
---|---|---|
IPIP | 530,100 | 66,288 |
IP6IP6 | 217,641 | 333 |
GRE | 1,548,251 | 219,213 |
GRE6 | 1,806 | 360 |
4in6 | 130,217 | 4,113 |
6in4 | 2,126,018 | 1,650,846 |
In total, more than 1.8 million hosts can be used to impersonate (spoof) IP addresses, which complicates attacker identification and worsens the impact of attacks.
Scanning Methodology and Key Findings
The research included the analysis of 3.7 billion IPv4 addresses and 10 million IPv6 addresses, using techniques such as spoofing and encapsulation. The results confirm that a large portion of the vulnerable hosts correspond to home routers and critical infrastructure devices.
Geographic Distribution of Vulnerable Hosts
Country | Vulnerable Hosts |
---|---|
China | 726,194 |
France | 238,841 |
Japan | 130,217 |
United States | 66,288 |
Brazil | 31,872 |
Impact on Specific Devices
- VPN Servers
  - 1,365 vulnerable VPN servers were identified, including consumer devices and enterprise solutions.
  - Affected services include AoxVPN and the outdated infrastructure of AirFalconVPN.
- Home Routers
  - 726,194 Free routers (France) showed flaws in 6in4, exposing local networks to DoS and impersonation attacks.
- Critical Infrastructure
  - Mobile network routers and CDN nodes are vulnerable to attacks based on GRE, impacting services like BGP and GTP-U.
Documented Attack Techniques
- Ping-Pong Amplification
  - Creates traffic loops between vulnerable hosts, causing network overload.
- Tunneled Time-Lenses (TuTL)
  - Synchronizes traffic chains to disrupt legitimate services with traffic spikes.
- Abuse of Home Routers
  - Gives unauthorized access to connected devices like security cameras and smart home systems.
Recommended Defenses
At the Host Level
- Use secure protocols like IPSec or WireGuard to authenticate and encrypt traffic.
- Accept tunnel packets only from trusted sources.
At the Network Level
- Filter traffic at routers and middleboxes.
- Use Deep Packet Inspection (DPI) to identify malicious traffic.
- Block unencrypted tunnels.
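One way to express the "trusted sources only" rule for these plaintext tunnels, as an added example that is not code from the study or this article: it classifies a raw IP packet by its outer protocol number and drops tunnel traffic whose outer source is not an allowlisted peer. The function names, the peer addresses (documentation ranges) and the sample packets are constructed for illustration.

```python
import ipaddress
import struct

# IP protocol / IPv6 next-header numbers of the plaintext tunnels in the table above.
TUNNEL_V4 = {4: "IPIP", 41: "6in4", 47: "GRE"}
TUNNEL_V6 = {4: "4in6", 41: "IP6IP6", 47: "GRE6"}
# Assumption: documentation-range addresses standing in for real tunnel endpoints.
TRUSTED_PEERS = ["198.51.100.7/32", "2001:db8::7/128"]

def classify(packet, trusted_peers=TRUSTED_PEERS):
    """Return (tunnel name or None, "accept" | "drop") for one raw IP packet."""
    version = packet[0] >> 4 if packet else 0
    if version == 4 and len(packet) >= 20:
        name = TUNNEL_V4.get(packet[9])            # protocol field
        src = ipaddress.ip_address(packet[12:16])  # outer source
    elif version == 6 and len(packet) >= 40:
        # Only the first next-header is read; extension headers are not walked.
        name = TUNNEL_V6.get(packet[6])
        src = ipaddress.ip_address(packet[8:24])
    else:
        return None, "drop"                        # truncated or not IP
    if name is None:
        return None, "accept"                      # not a tunnel protocol
    trusted = any(src in ipaddress.ip_network(p) for p in trusted_peers)
    return name, ("accept" if trusted else "drop")

def v4_packet(src, proto):
    # Constructed sample: bare 20-byte IPv4 header, checksum left at zero.
    return struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20, 0, 0, 64, proto, 0,
                       ipaddress.ip_address(src).packed,
                       ipaddress.ip_address("192.0.2.1").packed)

def v6_packet(src, next_header):
    # Constructed sample: bare 40-byte IPv6 header with no payload.
    return struct.pack("!IHBB16s16s", 0x60000000, 0, next_header, 64,
                       ipaddress.ip_address(src).packed,
                       ipaddress.ip_address("2001:db8::1").packed)

if __name__ == "__main__":
    samples = [v4_packet("198.51.100.7", 47), v4_packet("203.0.113.9", 47),
               v4_packet("203.0.113.9", 41), v4_packet("203.0.113.9", 6),
               v6_packet("2001:db8::99", 4), v6_packet("2001:db8::7", 47)]
    for pkt in samples:
        print(classify(pkt))
```

Because these protocols carry no authentication, an outer source address can itself be forged, so an allowlist of this kind narrows exposure but does not replace the IPSec or WireGuard protection listed at the host level.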
Expert Statements
Simon Migliano from Top10VPN emphasized:
“The insecure use of tunneling protocols is undermining trust in the security of global networks. It is crucial for both manufacturers and users to take steps to mitigate these threats.”
Professor Vanhoef added:
“These vulnerabilities are a result of legacy configurations and poor practices in networks. Only through a combined security approach at both the host and network levels can we prevent future large-scale incidents.”
Conclusion
The study highlights the urgency of strengthening security in tunneling protocols. Given the increasing reliance on connected devices, ensuring the protection of critical infrastructures is key to preserving stability and trust in the digital ecosystem.
via: Security News