TL;DR
- Security flaws in tunneling protocols such as IP6IP6, GRE6, 4in6, and 6in4 leave as many as 4.2 million hosts, including VPN servers, routers, and CDN nodes, open to attack.
- An attacker sends a packet with two IP headers; a vulnerable host strips the outer header and forwards the inner packet as if it came from the host itself, hiding the attacker and enabling DoS attacks or access to private networks.
- Exploitation can cause network congestion, service disruption, and device crashes, and opens the door to further attacks such as man-in-the-middle and data interception.
- Mitigate by running tunnels over IPsec or WireGuard for authentication and encryption, filtering tunneling packets on routers and middleboxes, using Deep Packet Inspection (DPI), and accepting tunneling packets only from configured, trusted endpoints.
New research by Top10VPN has revealed significant security vulnerabilities in multiple tunneling protocols, leaving millions of internet hosts exposed to potential attacks.
These flaws could allow attackers to hijack systems, perform anonymous attacks, and even gain access to private networks.
If you’re using a VPN, router, or any device that relies on these protocols, this is something you need to know about.
What Are Tunneling Protocols and Why Do They Matter?
Tunneling protocols carry the packets of one network inside the packets of another, so data can travel between two networks that aren’t directly connected, for example across the public internet. The tunnel itself is just encapsulation: whether it is secure depends on whether the protocol authenticates and encrypts what it carries.
VPNs build on tunneling and add encryption, which is what keeps your data private as it moves between your device and the VPN server.
However, not all tunneling protocols are created equal. The ones in question, IP6IP6, GRE6, 4in6, and 6in4, have no authentication or encryption of their own.
This means that anyone who can send packets to a tunnel endpoint can inject traffic into the tunnel, spoof IP addresses, hijack the connection, or launch denial-of-service (DoS) attacks.
The Scope of the Problem
According to a study by Top10VPN in collaboration with KU Leuven professor Mathy Vanhoef, as many as 4.2 million hosts are vulnerable to these attacks.
This includes VPN servers, home routers, core internet routers, mobile network gateways, and content delivery network (CDN) nodes. Countries like China, France, Japan, the U.S., and Brazil are among the most affected.
The vulnerabilities stem from the fact that these protocols carry no authentication or encryption at all: a host that accepts such traffic cannot tell a legitimate tunnel peer from any other sender on the internet.
Without an additional layer such as IPsec or WireGuard, attackers can exploit this to turn hosts into one-way proxies, spoof IP addresses, and even gain access to private networks.
How the Attacks Work
Here’s a simplified breakdown of how these attacks can happen:
- The attacker sends a packet encapsulated with one of the affected protocols, so it carries two IP headers.
- The outer header has the attacker’s address as its source and the vulnerable host’s address as its destination.
- The inner header’s source is the vulnerable host’s own address, not the attacker’s; its destination is the target of the attack.
- The vulnerable host strips the outer header and forwards the inner packet to its destination without checking who sent the outer packet.
- The forwarded packet now carries the vulnerable host’s address as its source, so the target and any filters in between see traffic from that host rather than from the attacker, who stays hidden. The host has become a one-way proxy.
This technique can be used to launch DoS attacks, where the target’s network becomes overwhelmed with traffic, leading to congestion, service disruption, or even crashing of network devices.
What Can You Do to Protect Yourself?
If you’re managing a network or using a VPN, there are steps you can take to mitigate these risks:
- Use IPsec or WireGuard: wrap the tunnel in a protocol that authenticates and encrypts every packet, so only a peer holding the right key can make the host forward traffic.
- Filter Traffic: on routers and middleboxes, drop tunneling packets that are not expected unless they come from a configured tunnel endpoint. The affected protocols are identified by IP protocol number: 4 for IPv4 encapsulation (4in6), 41 for IPv6 encapsulation (6in4 and IP6IP6), and 47 for GRE (GRE6).
- Deep Packet Inspection (DPI): inspect the encapsulated traffic and drop malicious inner packets before they reach your network.
- Only Accept Packets from Trusted Sources: configure each tunnel with its peer’s address rather than accepting packets from any source, and reject tunneling packets whose outer source is not a configured peer. This is a source-address check, so an attacker who can spoof the peer’s address can still get through; treat it as a partial measure alongside real authentication.
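As an added example (not code from the Top10VPN report or from any of the affected products), the following Python script builds the dual-header packet described under "How the Attacks Work" for the 6in4 case (an IPv6 packet inside IPv4, protocol 41), runs it through a decapsulator that forwards unconditionally, and then through one that applies the "trusted sources" rule above. The function names (`build_6in4`, `naive_decapsulate`, `hardened_decapsulate`) are this example's own, and all addresses are constructed from documentation ranges.

```python
"""Added example: a 6in4 (IPv6-in-IPv4) packet with two IP headers, the
decapsulation behaviour that forwards it blindly, and a hardened variant.
Not code from the report or any affected product; addresses are constructed
from documentation ranges (RFC 5737 / RFC 3849)."""
import ipaddress
import struct

IPPROTO_IPV6 = 41          # IPv4 protocol number for 6in4 (RFC 4213)
IPV6_NO_NEXT_HEADER = 59   # inner packet carries only opaque filler


def ipv4_checksum(header: bytes) -> int:
    """RFC 791 one's-complement sum; returns 0 when a full header verifies."""
    if len(header) % 2:
        header += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(header) // 2), header))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def ipv4_header(src, dst, proto, payload_len):
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + payload_len, 0, 0, 64,
                      proto, 0, src.packed, dst.packed)
    return hdr[:10] + struct.pack("!H", ipv4_checksum(hdr)) + hdr[12:]


def ipv6_packet(src, dst, payload):
    hdr = struct.pack("!IHBB16s16s", 0x60000000, len(payload),
                      IPV6_NO_NEXT_HEADER, 64, src.packed, dst.packed)
    return hdr + payload


def build_6in4(outer_src, outer_dst, inner_src, inner_dst, payload):
    """Outer IPv4 header (sender -> decapsulating host) around an inner IPv6
    packet whose source address the sender chooses freely."""
    inner = ipv6_packet(inner_src, inner_dst, payload)
    return ipv4_header(outer_src, outer_dst, IPPROTO_IPV6, len(inner)) + inner


def parse_ipv4(pkt):
    if pkt[0] >> 4 != 4:
        raise ValueError("not IPv4")
    ihl = (pkt[0] & 0x0F) * 4
    if ipv4_checksum(pkt[:ihl]) != 0:
        raise ValueError("bad IPv4 header checksum")
    total_len = struct.unpack("!H", pkt[2:4])[0]
    return (ipaddress.IPv4Address(pkt[12:16]), ipaddress.IPv4Address(pkt[16:20]),
            pkt[9], pkt[ihl:total_len])


def parse_ipv6(pkt):
    if pkt[0] >> 4 != 6:
        raise ValueError("not IPv6")
    plen, nh = struct.unpack("!HB", pkt[4:7])
    return (ipaddress.IPv6Address(pkt[8:24]), ipaddress.IPv6Address(pkt[24:40]),
            nh, pkt[40:40 + plen])


def naive_decapsulate(pkt):
    """The flaw: strip the outer header and hand the inner packet to the
    forwarding path no matter who sent the outer packet."""
    _, _, proto, inner = parse_ipv4(pkt)
    return inner if proto == IPPROTO_IPV6 else None


def hardened_decapsulate(pkt, local_addr, trusted_peers):
    """Accept only packets addressed to this host from a configured peer, and
    only when the inner source lies in the prefix routed over that peer's
    tunnel (trusted_peers maps outer peer address -> allowed IPv6Network)."""
    src, dst, proto, inner = parse_ipv4(pkt)
    if proto != IPPROTO_IPV6 or dst != local_addr or src not in trusted_peers:
        return None
    inner_src, _, _, _ = parse_ipv6(inner)
    if inner_src not in trusted_peers[src]:
        return None
    return inner


def demo():
    host = ipaddress.IPv4Address("192.0.2.10")         # decapsulating host
    host_v6 = ipaddress.IPv6Address("2001:db8:1::10")  # its own tunnel address
    attacker = ipaddress.IPv4Address("198.51.100.7")
    peer = ipaddress.IPv4Address("203.0.113.1")
    peers = {peer: ipaddress.IPv6Network("2001:db8:2::/48")}
    target = ipaddress.IPv6Address("2001:db8:ffff::1")

    attack = build_6in4(attacker, host, host_v6, target, b"flood")   # inner src = host
    legit = build_6in4(peer, host, ipaddress.IPv6Address("2001:db8:2::5"), target, b"hi")
    spoofed = build_6in4(peer, host, host_v6, target, b"flood")      # peer spoofs inner src

    def inner_src(inner):
        return None if inner is None else str(parse_ipv6(inner)[0])

    return {
        "naive_attack": inner_src(naive_decapsulate(attack)),      # forwarded as the host
        "hardened_attack": inner_src(hardened_decapsulate(attack, host, peers)),
        "hardened_legit": inner_src(hardened_decapsulate(legit, host, peers)),
        "hardened_spoofed": inner_src(hardened_decapsulate(spoofed, host, peers)),
    }


if __name__ == "__main__":
    for name, result in demo().items():
        print(f"{name}: {'dropped' if result is None else 'forwarded from ' + result}")
```

The naive path forwards the attacker's inner packet with the host's own IPv6 address as its source, which is exactly the one-way proxy behaviour described above. The hardened path drops it because the outer source is not a configured peer, and it also drops a packet from the real peer whose inner source falls outside that peer's prefix, which closes the same hole one layer in. Both checks are only as good as the source addresses they see, so a spoofed outer source would still pass unless the network upstream does ingress filtering; authentication through IPsec or WireGuard is what removes that dependency.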
The Bigger Picture
The impact of these vulnerabilities goes beyond just network congestion or service disruption. They open the door to more serious exploits, like man-in-the-middle attacks and data interception.
As Simon Migliano from Top10VPN explains, “The impact on victims of these DoS attacks can include network congestion, service disruption as resources are consumed by the traffic overload, and crashing of overloaded network devices. It also opens up opportunities for further exploitation, such as man-in-the-middle attacks and data interception.”
Conclusion
Tunneling protocols are a critical part of how the internet works, but when they’re not properly secured, they can become a major liability.
If you’re using any device or service that relies on these protocols, it’s important to take steps to secure your network. By using encryption, filtering traffic, and only accepting packets from trusted sources, you can significantly reduce your risk of falling victim to these attacks.
Stay informed, stay secure!