Re: Security layers
> Nesting VPNs would probably be a workaround unless the method used here can be used to drill down through the layers.
Because of the way it works, that wouldn't help you much either.
If you have the following interfaces on your system:
tun0 10.10.10.10
eth0 192.168.1.10
Where tun0 is the VPN virtual interface and eth0 is your physical NIC.
The way this works is that the attacker sends SYN-ACKs towards your eth0 with the dest IP in the packet header being for 10.10.10.1 then .2, then .3 to see what responses it gets. Eventually when it reaches 10.10.10.10 it'll get a response - a RST packet.
They now know what the IP of your tun0 is, and can start the rest of their process.
If you nest your VPNs the way most people do, you'll just end up having tun0 and tun1. You may buy some time if they stumble on the IP of tun0 first and try and inject using that, but the process isn't too different if they find tun1 (though the extra padding of having another tunnelled connection might throw them off).
The article didn't mention it, but Amazon Linux followed up with an interesting use of this attack where (with some effort) an attacker could use this to spoof DNS responses from a "trusted" DNS server at the other end of the tunnel.
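The probing the post describes, seen from the defender's side, as an added example that is not part of the original post or any project's code. It assumes packet metadata (ingress interface, source, destination, TCP flags) has already been captured, for instance from a host firewall log; the interface names, the 10.10.10.0/24 tunnel range and the sample records below are constructed to match the post's layout. The first function picks out SYN-ACKs for tunnel-range addresses that arrived on the physical NIC, the second groups them per source so an address sweep stands out from a stray packet, and the third models the delivery policy that removes the RST the probe relies on (a tunnel address is only reachable through the tunnel interface).

```python
"""Detect and block tunnel-address probing via the physical NIC.

Added example, not code from the original post. Topology and packet
records are constructed for illustration.
"""
from collections import defaultdict
from ipaddress import ip_address, ip_network

# Constructed topology, matching the post: tun0 is the VPN interface,
# eth0 the physical NIC. 10.10.10.10 is the local tun0 address.
TUN_IFACE = "tun0"
TUN_NET = ip_network("10.10.10.0/24")
PHYS_IFACE = "eth0"

# Constructed packet records: (ingress_iface, src, dst, tcp_flags)
SAMPLE_PACKETS = [
    ("eth0", "192.168.1.1", "192.168.1.10", "SA"),  # normal LAN reply, ignored
    ("eth0", "192.168.1.1", "10.10.10.1", "SA"),    # tunnel range, wrong interface
    ("eth0", "192.168.1.1", "10.10.10.2", "SA"),
    ("eth0", "192.168.1.1", "10.10.10.3", "SA"),
    ("eth0", "192.168.1.1", "10.10.10.10", "SA"),   # reaches the real tun0 address
    ("tun0", "10.10.10.1", "10.10.10.10", "SA"),    # legitimate: came in via tun0
    ("eth0", "192.168.1.1", "10.10.10.10", "S"),    # plain SYN, not a SYN-ACK probe
]


def is_syn_ack(flags):
    """True when both SYN and ACK are set (flags given as letters, e.g. 'SA')."""
    return "S" in flags and "A" in flags


def misdelivered_tunnel_packets(packets):
    """SYN-ACKs addressed to the tunnel range that did not arrive on tun0."""
    hits = []
    for iface, src, dst, flags in packets:
        if iface != TUN_IFACE and ip_address(dst) in TUN_NET and is_syn_ack(flags):
            hits.append((iface, src, dst, flags))
    return hits


def probe_sources(packets, threshold=3):
    """Map each source to the distinct tunnel addresses it touched.

    A source that hits at least `threshold` different tunnel addresses looks
    like the sequential sweep (.1, .2, .3, ...) described in the post rather
    than a single misrouted packet.
    """
    seen = defaultdict(set)
    for _iface, src, dst, _flags in misdelivered_tunnel_packets(packets):
        seen[src].add(dst)
    return {
        src: sorted(dsts, key=ip_address)
        for src, dsts in seen.items()
        if len(dsts) >= threshold
    }


def accept_for_local_delivery(iface, dst):
    """Delivery policy a host firewall can enforce.

    Packets for a tunnel-range address are accepted only when they arrive on
    the tunnel interface; anything else is dropped silently, so the host never
    answers a probe on eth0 with the RST that reveals the tun0 address.
    Addresses outside the tunnel range are left to the normal rules.
    """
    if ip_address(dst) in TUN_NET:
        return iface == TUN_IFACE
    return True


if __name__ == "__main__":
    for src, dsts in probe_sources(SAMPLE_PACKETS).items():
        print(f"sweep from {src}: {', '.join(dsts)}")
    for iface, _src, dst, _flags in misdelivered_tunnel_packets(SAMPLE_PACKETS):
        print(f"{iface} -> {dst}: {'accept' if accept_for_local_delivery(iface, dst) else 'drop'}")
```

The detection half runs over whatever packet records you already collect; the policy half is the logic behind a reverse-path or interface-bound firewall rule on the host, which is where a fix belongs rather than in another nested tunnel, since each added tunX interface is just one more address for the same sweep to find.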