2024-mixon-baca-snitch

Attacking Connection Tracking Frameworks as used by Virtual Private Networks

Abstract

VPNs are an essential privacy-enhancing technology, particularly for at-risk users such as dissidents, journalists, and NGOs. While prior work has examined VPN cryptography and traffic leakage, the authors identify a gap in the security of the lower-level primitives on which most VPN servers rely: the connection-tracking frameworks (Netfilter's conntrack and comparable stateful NAT/firewall components) that handle the peers' traffic. They introduce a novel exploit primitive, the "port shadow", and use it to build four attacks that let an off-path attacker intercept and redirect encrypted traffic, de-anonymise a VPN peer, or even portscan a peer hidden behind the VPN server. They build a formal model of modern connection-tracking frameworks, identify the five shared resources at the root of the port shadow, and verify six process-isolation mitigations via bounded model checking.

Tags

censors: generic
techniques: middlebox-interference, packet-injection, flow-correlation
defenses: tunneling