Do investigators even need VPN logs?

Lien Mao

Jul 28, 2016
Hi folks,

This question has been nagging at me for a while now, so I decided to sign up here and get the help of you guys.

The Context

I'm currently a mechanical engineer, but I'm very interested in IT and may even switch my career path if I manage to do so. I'm (not yet) a professional and just do some low-level hardware programming in my spare time, play around with GNU/Linux and try to broaden my horizon regarding network administration/security, with the latter being the source of my question.

The Scenario

Imagine I'd have a server of any kind connected to the internet, probably storing a large number of user account credentials. Imagine also that this server would be attacked (why and how is of no concern) and valuable private user data would be stolen.

To prevent further harm, it would be important to trace down the attackers as soon as possible in order to keep them from posting/selling the private data on the web or attacking more servers. After reporting the incident to the authorities there would be two simplified scenarios (provided the authorities were willing to pursue the case):

  1. Direct attack: Cunning as they were, the attackers decided to use their home Wi-Fi as a base for their operation. It would be quite easy to track them, since the investigators could simply ask the ISP of the attackers to reveal the identity of the owners based on date, time and IP.
  2. Indirect attack: The attackers were probably capable enough to use Google and find a solution to obscure their IP address. To keep it simple, let's assume they just used one of the many VPN services available for everyone to use. This would make things a bit harder for investigation, but nevertheless it still wouldn't be a big deal.

The Problem

When you search the web for possibilities to be completely anonymous on the internet, the first search entries are usually links to blog posts à la "7 Ways To Be 100% Anonymous Online" describing stunning methods just like using Google DNS, proxies or VPN services for would-be software pirates.

If you dig a bit deeper and get to know how such things really work, it becomes obvious that they still don't provide anonymity at all. You can also find posts in forums where people describe why it doesn't work and can't work, mostly using the argument that investigators just need to access the logs of the VPN server used during the attack, which would reveal the true IP of the attacker. This is quite interesting, as people start to search for VPN providers that promise not to keep any logs - which brings me to the core of the problem.

People assume they can do all sorts of activities as long as they use a VPN service that doesn't keep logs. Just for fun, let's assume there was a provider who really doesn't log server activity (though I'm pretty sure such providers don't exist).

The thing is, in my opinion there wouldn't even be the need for VPN server logs, as I'd just go to the ISP of the VPN provider and look at their logs. A connection to the server under attack would look like this:

Attacker -> ISP of Attacker -> Internet -> ISP of VPN -> VPN -> ISP of VPN -> Internet -> ISP of Server -> Server

As illustrated above, a connection via VPN is in fact just a pair of an incoming connection (from the attacker) and an outgoing connection (to the server). And this pair creates a relation between the actual IP of the attacker and the IP attacking the server.

The Question

Assuming my logic is not faulty, why is there the argument of VPN logs when in fact the logs of the ISP of the VPN will do just fine to identify anyone? Furthermore, why would anyone rely on VPNs, proxies (or chained variants) to attack a server? If the damage was severe enough and I wanted to catch them badly enough, it would still be only a matter of time until I caught them, regardless of the method they used for obfuscation, since the Internet Protocol always requires an address to identify where information is intended to go?


Please note that this is an honest question; therefore I also expect only honest answers. There is also no need to explain to me how DNS, SSH, VPN, proxies, Tor and the like internally work since I've already read a lot about that. As for my use of English, I've invested quite a bit of time to phrase this post properly. However, please forgive occasional mistakes since it's not my mother tongue.
Good question.

So if you are running a VPN provider and, let's say, you have 10,000 customers, and only 30% of those customers are connected at any given time, the ISP will see 3,000 connections going to your VPN server. Now we know the connection from the VPN server to your server, so we can trace it back to the VPN provider. So we are now going to ask the ISP for the connections to the VPN server, so you have now narrowed it down from everyone in the world to 3,000 devices.

How do you tell which device is the one that is going into the VPN Server, and coming back out to attack your server?

That is assuming that the VPN Provider only has a single ISP.

This return scenario is simplified quite a bit.
That is assuming that the VPN Provider only has a single ISP.

You are also assuming that they are only using one method to hide their identity. It becomes much harder to identify an individual PC or person if there are multiple layers of Tor, VPN and proxies.

In the end it's not the middleman (VPN, Tor, etc.) that gets the person caught, it's the cash flow and unique identifiers such as usernames, sayings, phrases, cookies and other "normal" behavior that criminals take for granted.
Paid VPN services alone are useless for anonymity. They do have their uses but anonymity isn't one of them and anyone saying differently is likely a provider or user of such services.
The thing is, in my opinion there wouldn't even be the need for VPN server logs, as I'd just go to the ISP of the VPN provider and look at their logs.

You confuse two types of logging here - logging which address was assigned to which customer at a given time and actually logging what that address did. The former is half-ish OK if you need it for accounting reasons, the latter is never OK and no commercial ISP will do full traffic logging of commercial customers. It is illegal in most countries.
Keep in mind that the entire internet is logged. NSA has data centres just for this alone. So all the exit data from the VPN servers is unencrypted and logged in addition to the encrypted traffic. By analyzing the encrypted frames going from your machine to the VPN server, and the traffic coming out of the VPN server they can probably put it together based on time stamps, frame size, etc.

Even if you are VPNing from an anonymous location (e.g. not your house but a random Wi-Fi hotspot) you had to pay for the VPN service somehow, so that can be traced back to you too.

I've been looking into getting a VPN service myself, but these are all things that have to be considered. Ideally you want to get one that's in a country that is hostile towards the US, such as Russia, as it will be harder for the US to get logs.
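The earlier reply's "narrowed down to 3,000 devices, but which one?" question and this post's timestamp/frame-size correlation are illustrated by the following added example, which is not code from anyone in this thread. It matches a flow seen leaving the VPN server against constructed inbound flow records of the kind a VPN provider's ISP might hold; all addresses, timestamps, byte counts and thresholds are constructed, and the two thresholds are illustrative rather than calibrated.

```python
from dataclasses import dataclass

@dataclass
class Flow:
    src: str        # source address as recorded by the ISP
    dst: str        # destination address
    start: float    # constructed timestamps, seconds
    end: float
    nbytes: int     # bytes carried src -> dst

VPN_IP = "198.51.100.10"  # constructed VPN server address (documentation range)

# Constructed records the VPN provider's ISP might hold: flows INTO the VPN server.
INBOUND = [
    Flow("203.0.113.5",  VPN_IP, 1000.0, 1600.0, 2_400_000),  # long, heavy session
    Flow("203.0.113.77", VPN_IP, 1005.0, 1590.0, 2_350_000),  # near-identical profile
    Flow("203.0.113.9",  VPN_IP, 1200.0, 1210.0,    12_000),  # brief, light session
    Flow("192.0.2.33",   VPN_IP,  300.0,  400.0, 4_000_000),  # ended before the attack
    Flow("203.0.113.42", VPN_IP, 2000.0, 2100.0,   500_000),  # the only session later on
]

# Constructed records from the victim side: flows OUT of the VPN server to the target.
ATTACK_BUSY  = Flow(VPN_IP, "192.0.2.200", 1010.0, 1580.0, 2_200_000)
ATTACK_QUIET = Flow(VPN_IP, "192.0.2.200", 2005.0, 2095.0,   450_000)

def overlap(a: Flow, b: Flow) -> float:
    """Seconds during which both flows were active."""
    return max(0.0, min(a.end, b.end) - max(a.start, b.start))

def candidates(outbound: Flow, inbound: list, min_overlap=0.9, overhead=0.7) -> list:
    """Inbound sources whose timing and volume are consistent with 'outbound'.
    A tunnelled copy of the attack traffic must cover nearly the whole attack window
    and carry at least as many bytes (plus tunnel overhead), but not wildly more."""
    duration = outbound.end - outbound.start
    matches = []
    for f in inbound:
        if overlap(f, outbound) / duration < min_overlap:
            continue
        if not (outbound.nbytes <= f.nbytes <= outbound.nbytes / overhead):
            continue
        matches.append(f.src)
    return matches

if __name__ == "__main__":
    # Two sessions fit the busy-period attack: the ISP log alone cannot pick one.
    print("busy period :", candidates(ATTACK_BUSY, INBOUND))
    # Only one session fits the quiet-period attack: timing alone singles it out.
    print("quiet period:", candidates(ATTACK_QUIET, INBOUND))
```

The busy case returns two equally plausible sources, which is the ambiguity the earlier reply describes; the quiet case returns one, which is why correlation works best when few customers are connected.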
Paid VPN services alone are useless for anonymity.

I have personally used a paid VPN service for many, many years. Yesterday I saw this documentary on Netflix about "Anonymous" where they were explaining how they would render websites useless or at least overload them by so-called DDoS attacks. I did not truly understand the process but got some more information about it through googling and this digital guide among many others.

I wasn't sure if Anonymous' goal was just to overload the site or to create a distraction so they could steal or hack user credentials, but the article states that that is usually the goal of a DDoS attack?
I get the impression that most VPN providers promise inexperienced users that their service is completely anonymous, but in the fine print of their privacy policy it is suggested that they log a significant amount of customer data.
NSA pervs use data timing to analyse entry and exit points to determine who sends what. Doesn't mean they can see what you're sending if encryption is good enough and they have not broken it yet. They have export controls on encryption for a reason, I'd say. They use off-the-shelf stuff typically due to volumes, not some exotic quantum PC etc.
So just use a non-US based VPN that exits in a country where the US has no jurisdiction. Then they can only see your outbound encrypted traffic and can't even request logs from the VPN provider. And yes, VPN is mainly to hide traffic from a snooping ISP. If you want some level of anonymity you need to use a proxy.
You can also use Tor over VPN for added security as well. When using any of these tools also do not mix your regular user accounts with it. Personally I would set up a VM that is set up to use the VPN only; any user accounts you create are only used from that VM over the VPN. Never mix accounts between clearnet and VPN/darknet. Treat it like a 2nd personality.

No anonymizer system, whether it's VPN, proxies or Tor, is 100% secure, but they are better than nothing and you can make the best use of them by being smart about how you use them.