An investigation by an online security researcher who goes by the name of Phenomite has revealed that VPN servers operated by Powerhouse Management, the company behind VyprVPN, are being used by botnet operators as part of Distributed Denial of Service (DDoS) attacks.
It seems that the people behind the botnets have figured out a way to use the VPN servers to reflect and amplify traffic and direct it at a target of their choosing, meaning the servers can be used to help carry out a DDoS attack.
How the ruse works
According to Phenomite, the cause of the issue can be traced to a service that runs on UDP port 20811. To date, he has not been able to identify what that service is, but he does know how it behaves.
According to him, the botnet operators can send that port a single one-byte request and get back a response of up to 40 times the size. This is the amplification aspect of the issue.
As Phenomite then explains, because the protocol is UDP-based it is also possible to forge the request so that it carries an incorrect return (source) IP address. In other words, the server then sends the amplified response to a targeted third party rather than back to the sender. Repeated many times, this bombards the recipient with large amounts of data, which is exactly what a DDoS attack is.
According to ZDNet, which first reported the issue after being informed by Phenomite, this is not just a theoretical issue. It has already been used in real attacks, some of which reached as much as 22 Gbps, a sizeable DDoS attack.
How has Powerhouse Management responded?
Usually, when we report stories of this type we can follow up the details with news and then explain how the company involved has reacted to deal with the problem. But unfortunately in this case, we can’t.
Phenomite and ZDNet have both contacted Powerhouse Management to notify them about the issue. They both expected Powerhouse Management to confirm that they had patched the servers to prevent them from being used for DDoS attacks. But to date, this has not been the case.
Both have said that Powerhouse Management have failed to respond to their emails. This suggests that no action has been taken so far.
[24th February Update: VyprVPN has since responded to the incident to confirm it has been rectified]
We've followed up the issue with our contacts at VyprVPN but are yet to hear back and will update this article when we do.
You would expect them to act a little faster. A scan of their network carried out by Phenomite found that no fewer than 1,520 servers operated by Powerhouse Management expose UDP port 20811 and are therefore vulnerable to being used for DDoS attacks in this way.
He confirmed that while there are servers across the world that are affected, the majority are located in the UK, Hong Kong, and Vienna in Austria.
How will this affect VyprVPN users?
The first key point to make for any worried VyprVPN users out there is that there is no confirmation at this stage that the affected servers are VyprVPN's.
Powerhouse Management operates a number of online businesses including Outfox and Golden Frog in addition to VyprVPN.
Even if it is VyprVPN servers that are affected, that does not necessarily impact the privacy and security of their users or the level of service they are getting. The only issue VyprVPN users might experience relates to one of the solutions being proposed to online businesses.
Phenomite’s advice is that companies should either block traffic from the VPN provider's networks (AS21926 and AS22363) or block any UDP traffic whose source port (“srcport”) is 20811.
The second option is the better one, since it will not affect regular traffic from Powerhouse Management’s VPN networks. But there is no guarantee that companies won’t take the first option (which is easier), and that would have a knock-on effect for VyprVPN users.
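To show how the narrower, source-port-based check can be applied before deciding on a filter, here is an added example (not from the article, Phenomite or ZDNet) that scans constructed flow records and aggregates inbound UDP traffic arriving from source port 20811 per reflector address; the log format and the documentation-range IP addresses are assumptions made for the example.

```python
import re
from collections import defaultdict

REFLECTOR_PORT = 20811  # the UDP service port named in the article

# Constructed sample flow records (RFC 5737 documentation addresses, not real hosts).
# Format assumed for this example: "<ts> <proto> <sip>:<sport> -> <dip>:<dport> bytes=<n> pkts=<n>"
SAMPLE_FLOWS = """\
2021-02-18T10:00:01Z udp 203.0.113.10:20811 -> 198.51.100.5:443 bytes=1470 pkts=1
2021-02-18T10:00:01Z udp 203.0.113.11:20811 -> 198.51.100.5:443 bytes=1470 pkts=1
2021-02-18T10:00:01Z udp 203.0.113.10:20811 -> 198.51.100.5:443 bytes=1470 pkts=1
2021-02-18T10:00:02Z udp 203.0.113.12:20811 -> 198.51.100.5:80 bytes=1470 pkts=1
2021-02-18T10:00:02Z udp 192.0.2.7:53 -> 198.51.100.5:51234 bytes=120 pkts=1
2021-02-18T10:00:02Z tcp 192.0.2.8:443 -> 198.51.100.5:51235 bytes=5200 pkts=4
2021-02-18T10:00:03Z udp 203.0.113.10:20811 -> 198.51.100.5:443 bytes=1470 pkts=1
""".splitlines()

FLOW_RE = re.compile(
    r"^(?P<ts>\S+) (?P<proto>\w+) (?P<sip>[\d.]+):(?P<sport>\d+) -> "
    r"(?P<dip>[\d.]+):(?P<dport>\d+) bytes=(?P<bytes>\d+) pkts=(?P<pkts>\d+)$"
)


def parse_flow(line):
    """Parse one flow record; return a dict, or None if the line does not match."""
    m = FLOW_RE.match(line)
    if not m:
        return None
    flow = m.groupdict()
    for key in ("sport", "dport", "bytes", "pkts"):
        flow[key] = int(flow[key])
    return flow


def find_reflection_sources(lines, port=REFLECTOR_PORT):
    """Aggregate inbound UDP flows whose *source* port is the reflector port.

    Only the source port is checked, so ordinary VPN client traffic from the
    same networks is left alone. Returns {src_ip: (total_bytes, total_packets)}
    ordered by total bytes, highest first.
    """
    totals = defaultdict(lambda: [0, 0])
    for line in lines:
        flow = parse_flow(line)
        if flow is None or flow["proto"] != "udp" or flow["sport"] != port:
            continue
        totals[flow["sip"]][0] += flow["bytes"]
        totals[flow["sip"]][1] += flow["pkts"]
    ranked = sorted(totals.items(), key=lambda kv: -kv[1][0])
    return {ip: tuple(counts) for ip, counts in ranked}


if __name__ == "__main__":
    for ip, (nbytes, npkts) in find_reflection_sources(SAMPLE_FLOWS).items():
        print(f"{ip}: {nbytes} bytes in {npkts} packets from UDP/{REFLECTOR_PORT}")
```

The per-address totals are what you would feed into a rate threshold or a source-port filter rule, rather than blocking the whole AS.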
Hopefully it won’t come to that and Powerhouse Management will respond to the alerts they have received and fix the problem sooner rather than later. That is certainly the action we would urge them to take.
If a response is not forthcoming, the problem could amplify and be a real issue for VyprVPN customers. We aren’t there yet, so users don’t need to panic at the moment. But we would advise them to watch this space for further updates.