
Response to Security Now! Episode 188: SSH Tunnels

Apr. 24, 2009, under Uncategorized

Here’s my message to Steve Gibson and Leo Laporte (from the fantastic Security Now podcast) regarding Steve’s endorsement of SSH tunnels as a viable alternative to IPSec VPNs. Enjoy!

Podcast Transcript:

— snip —

Steve and Leo,

In episode #188, you discussed the use of SSH tunnels as an alternative to IPSec and SSL VPNs.  I am writing to point out a few flaws in this “poor man’s VPN” that make it significantly weaker and prone to attacks that do not affect a true IPSec tunnel.

In the scenario described, the user establishes an SSH session to a remote host using the “-D 1080” option, which automatically forms a SOCKS v5 proxy to the remote host. Configuring your browser to use SOCKS v5 on localhost, port 1080, does in fact work quite elegantly to tunnel all browser-generated traffic through the SOCKS proxy, making it immune to snooping and tampering.

Great!  So, what’s the problem?

The problem is that only browser-generated traffic goes through the tunnel.  DNS requests are not generated by the browser;  they are generated by the host operating system and are not tunneled.  Consider the following scenario as an example:

1)   You’re seated at the local hostile internet cafe and you connect to their wireless network.  You establish an SSH tunnel and prepare to do some online banking.
2)   You enter into your browser and hit enter.
3)   Your browser asks your OS to perform a DNS lookup of  What server is it going to ask?  The DNS server learned via DHCP from the internet cafe’s unencrypted wireless network.
4)   Bad guy intercepts your DNS request, spoofs a reply and redirects you to his version of your bank’s login page.
5)   You kindly provide your bank credentials to the bad guy through your encrypted SSH tunnel.

Many Java and Flash applications initiate their own network connections — meaning they would not use the Socks proxy — leaving their conversations open to attack as well.

In an IPSec tunnel, all traffic — including DNS lookups — is routed through the tunnel to the remote network, making it immune to this attack.
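As an added illustration (not part of the original message): the difference on the wire at localhost:1080 between a client that hands the hostname to the SOCKS v5 proxy (address type 0x03, so the SSH server end resolves it) and one that resolves the name locally first and sends only an IPv4 address (address type 0x01, the leak described above). The hostname bank.example, the address 192.0.2.10 and the audit helper are constructed for this example.

```python
import socket
import struct
from typing import Callable

SOCKS_VERSION = 0x05
CMD_CONNECT = 0x01
ATYP_IPV4 = 0x01
ATYP_DOMAIN = 0x03


def build_connect_request(host: str, port: int, remote_dns: bool,
                          resolver: Callable[[str], str] = socket.gethostbyname) -> bytes:
    """Build the SOCKS5 CONNECT request a client sends to the local -D proxy port.

    remote_dns=True : ATYP 0x03, the hostname itself travels through the SSH
                      tunnel and the far end resolves it; no query leaves this host.
    remote_dns=False: the client resolves the name locally (the cafe's DHCP DNS,
                      in the clear) and only the resulting IPv4 address is sent.
    """
    if remote_dns:
        name = host.encode("idna")
        if not 1 <= len(name) <= 255:
            raise ValueError("hostname must be 1..255 bytes for ATYP 0x03")
        head = bytes([SOCKS_VERSION, CMD_CONNECT, 0x00, ATYP_DOMAIN, len(name)])
        return head + name + struct.pack("!H", port)
    addr = resolver(host)  # the leaking lookup: answered by the untrusted network
    head = bytes([SOCKS_VERSION, CMD_CONNECT, 0x00, ATYP_IPV4])
    return head + socket.inet_aton(addr) + struct.pack("!H", port)


def audit_connect_request(req: bytes) -> dict:
    """Parse a SOCKS5 CONNECT request (hypothetical audit helper) and report
    whether the name was resolved before the tunnel was used, e.g. when checking
    a capture of loopback traffic to port 1080."""
    if len(req) < 7 or req[0] != SOCKS_VERSION or req[1] != CMD_CONNECT:
        raise ValueError("not a SOCKS5 CONNECT request")
    atyp = req[3]
    if atyp == ATYP_DOMAIN:
        n = req[4]
        if len(req) != 5 + n + 2:
            raise ValueError("truncated domain-name request")
        target = req[5:5 + n].decode("idna")
        port = struct.unpack("!H", req[5 + n:])[0]
        return {"target": target, "port": port, "leaks_dns": False}
    if atyp == ATYP_IPV4:
        if len(req) != 10:
            raise ValueError("truncated IPv4 request")
        target = socket.inet_ntoa(req[4:8])
        port = struct.unpack("!H", req[8:10])[0]
        return {"target": target, "port": port, "leaks_dns": True}
    raise ValueError("unsupported address type %#x" % atyp)
```

In Firefox the remote-resolution behaviour is the network.proxy.socks_remote_dns preference; curl gets it by using a socks5h:// proxy URL instead of socks5://.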

One last rant, then I will step down from my soap box. TCP-based VPNs, such as SSH or SSL, are susceptible to tcpkill attacks, whereby an attacker sends TCP Reset packets to each end, tearing down the tunnel. (The very same shenanigans that many ISPs use to throttle BitTorrent sessions.) Since your email client has no knowledge of the state of your VPN connection, an attacker can tear down your tunnel and wait for the next POP3 or IMAP check interval, then snag your username and password from the unencrypted hostile network. IPSec tunnels, which typically use UDP, are immune to this type of attack.

Thanks as always for a fantastic podcast.
