Botnet operators are abusing VPN servers from VPN provider Powerhouse Management to bounce and amplify junk traffic as part of DDoS attacks.
This new DDoS vector was discovered and documented by a security researcher who goes by Phenomite online and who shared his findings with ZDNet last week.
The researcher said the root cause of this new DDoS vector is a yet-to-be-identified service running on UDP port 20811 on Powerhouse VPN servers.
Phenomite says that attackers can send a one-byte request to this port, and the service will often respond with packets up to 40 times the size of the original packet.
Because UDP is connectionless, the source IP address of the request can be spoofed. This means that an attacker can send a single-byte UDP packet carrying the victim's address as its source to a Powerhouse VPN server, which then sends the amplified response to the victim of the DDoS attack, in what security researchers call a reflected and amplified DDoS attack.
Attacks already detected in the wild
Both Phenomite and ZDNet have reached out to Powerhouse Management to notify the company about its products’ behavior, seeking to ensure that a patch is deployed to its servers that would prevent its VPN infrastructure from being abused in future DDoS attacks.
However, the company has not responded to any of our emails.
Furthermore, we learned today that threat actors have also discovered this DDoS attack vector and have already weaponized it in real-world attacks, some of which have reached as much as 22 Gbps, sources have told ZDNet.
Around 1,520 Powerhouse VPN servers ready to be abused
According to a scan performed by Phenomite last week, there are currently around 1,520 Powerhouse servers that expose UDP port 20811, meaning they can be abused by DDoS threat groups.
While the servers are located all over the world, most of the vulnerable systems appear to be “in the UK, Vienna, and Hong Kong,” the researcher told ZDNet.
Until Powerhouse fixes this issue, the researcher has recommended that companies either block any traffic that comes from the VPN provider’s networks (AS21926 and AS22363) or block any UDP traffic whose source port (“srcport”) is 20811.
The second option is recommended, as it does not block legitimate VPN traffic from all Powerhouse VPN users, only the “reflected” packets that are most likely part of a DDoS attack.
Phenomite’s discovery adds to a long list of new DDoS amplification vectors disclosed over the past three months. Previous disclosures included the likes of:
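The following is an added example, not code from the article or from the researcher, showing how a defender on the receiving end would triage this traffic: it flags inbound UDP datagrams whose source port is 20811, estimates the bandwidth amplification factor from the one-byte request size the article reports, and compares the two mitigations above (source-port filter versus blocking the provider's address space) on constructed sample traffic. The datagrams, the victim address 203.0.113.5 and the prefix 198.51.100.0/24 are constructed placeholders from documentation ranges, not Powerhouse's real addresses, and the amplification estimate assumes one response datagram per probe.

```python
"""Triage reflected UDP amplification traffic arriving at a victim network.

Added example: sample data below is constructed from documentation address
ranges and is not real Powerhouse Management traffic or address space.
"""
from collections import defaultdict
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

REFLECTOR_SRC_PORT = 20811  # UDP port of the abused service, as reported
PROBE_BYTES = 1             # one-byte request size, as reported


@dataclass(frozen=True)
class Datagram:
    """A UDP datagram as seen at the victim's edge (flow record or pcap)."""
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int
    length: int  # UDP payload bytes


def is_reflected(pkt: Datagram) -> bool:
    """Source-port filter: the researcher's recommended mitigation."""
    return pkt.src_port == REFLECTOR_SRC_PORT


def is_from_provider(pkt: Datagram, provider_prefixes) -> bool:
    """Prefix/ASN filter: drops everything originating in the provider's networks."""
    addr = ip_address(pkt.src_ip)
    return any(addr in net for net in provider_prefixes)


def summarize_reflection(packets, probe_bytes=PROBE_BYTES):
    """Aggregate flagged datagrams per reflector and estimate the bandwidth
    amplification factor, assuming each response answers one probe."""
    per_reflector = defaultdict(lambda: {"packets": 0, "bytes": 0})
    for p in packets:
        if is_reflected(p):
            stats = per_reflector[p.src_ip]
            stats["packets"] += 1
            stats["bytes"] += p.length
    return {
        ip: {**s, "amp_factor": s["bytes"] / (s["packets"] * probe_bytes)}
        for ip, s in per_reflector.items()
    }


def compare_filters(packets, provider_prefixes):
    """Count drops under each policy; 'collateral' is legitimate (non-reflected)
    traffic that only the prefix policy would have blocked."""
    port_drops = sum(is_reflected(p) for p in packets)
    prefix_drops = sum(is_from_provider(p, provider_prefixes) for p in packets)
    collateral = sum(
        is_from_provider(p, provider_prefixes) and not is_reflected(p)
        for p in packets
    )
    return {"port_filter": port_drops, "prefix_filter": prefix_drops,
            "collateral": collateral}


# Constructed placeholder prefix standing in for the provider's networks.
PROVIDER_PREFIXES = [ip_network("198.51.100.0/24")]

# Constructed sample traffic arriving at victim 203.0.113.5.
SAMPLE = [
    Datagram("198.51.100.10", 20811, "203.0.113.5", 443, 40),    # reflected, 40x
    Datagram("198.51.100.10", 20811, "203.0.113.5", 443, 40),    # reflected, 40x
    Datagram("198.51.100.11", 20811, "203.0.113.5", 443, 36),    # reflected, 36x
    Datagram("198.51.100.20", 1194, "203.0.113.5", 51000, 1400), # legitimate VPN session
    Datagram("192.0.2.7", 53, "203.0.113.5", 33000, 512),        # unrelated DNS reply
]

if __name__ == "__main__":
    for ip, s in summarize_reflection(SAMPLE).items():
        print(f"{ip}: {s['packets']} pkts, {s['bytes']} B, ~{s['amp_factor']:.0f}x")
    print(compare_filters(SAMPLE, PROVIDER_PREFIXES))
```

On the sample, the source-port policy drops exactly the three reflected datagrams, while the prefix policy drops four and takes the legitimate VPN session with it, which is the trade-off the article describes. The source-port policy maps directly onto an edge rule such as `iptables -A INPUT -p udp --sport 20811 -j DROP`; the same check on flow records gives you a volume estimate for the attack before the rule goes in.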