This VPN service is reportedly being exploited to launch DDoS attacks [updated]

The words 'DDoS Attack' displayed in an orange box on a monitor embedded in a series of rack-mounted servers.
(Image credit: FrameStockFootages/Shutterstock)

A widely used VPN service is being used to stage distributed denial-of-service (DDoS) attacks against websites, ZDNet reported earlier this week.

The attacks seem to be related to a flaw in VyprVPN and a related online service, Outfox, that guarantees network speed and reliability to online gamers. Details of the flaw were posted on the online code-sharing website GitHub last week.

Both VyprVPN and Outfox are owned and operated by Powerhouse Management, a Texas company that also runs Golden Frog, a Switzerland-based firm that presents itself as the owner and operator of VyprVPN and Outfox. 

"Powerhouse Management products — either Outfox (a latency reduction VPN service) or VyprVPN (a general vpn service) are exposing an interesting port — port 20811 which provides a massive data and packet amplification factor when probed with any single byte request," wrote pseudonymous security researcher Phenomite in a GitHub post Feb. 16. 

"Not only does this mean Powerhouse servers can be used as a DDoS amplification source, but reveals all servers around the world that are running such potential VPN services — which removes the privacy factor somewhat."

Massive amplification

Phenomite said the Powerhouse servers allowed for a packet-amplification factor of about 40 times the input, drastically increasing the amount of data that an attacker could direct at a target website. For multi-packet attacks, Phenomite wrote, the amplification factor was about 366 times the input.

The researcher said he could detect about 1,500 Powerhouse-associated servers worldwide that could be exploited using this method.

All this would allow a relatively small botnet to launch potentially large DDoS attacks against well-defended websites. DDoS attacks try to knock a web server offline by bombarding it with massive amounts of useless data and impossible requests.

The attacks would be assisted by the fact that the Powerhouse server port in question handles the relatively loose User Datagram Protocol (UDP) traffic, rather than the more tightly controlled Transmission Control Protocol (TCP) traffic that's used to transmit most website information.

Attacks may already be happening

Such attacks using Powerhouse's servers are indeed happening, wrote ZDNet's Catalin Cimpanu, who did not reveal his sources or name any targets. Tom's Guide could not confirm that such attacks were taking place.

Tom's Guide has reached out to Powerhouse Management for comment, and we will update this story when we receive a reply.

There is no indication that consumer users of Powerhouse services, including VyprVPN or Outfox, are at any risk from these flaws. 

Update: VyprVPN responds

A spokesperson for Powerhouse Management directed us to this VyprVPN blog post, posted on Feb. 24.

"We identified the bug and deployed a patch within an hour at approximately 7PM CST February 22nd," said the post, attributed to Golden Frog CEO Sunday Yokubaitis. 

"We are confident that no customer information or data was impacted or compromised," the post added. "Furthermore, we verified that no infrastructure was breached by any third party and there was no unauthorized access to VyprVPN's servers.

"During our investigation we were also unable to identify any significant traffic exploiting the vulnerability; we saw minimal traffic through these ports," the post said. 

"The situation did not impact our entire service, but was isolated to a single protocol, Chameleon. Chameleon is an innovative protocol designed to defeat tough censorship and VPN blocking, and we continue to push the envelope as we design new technologies."

Paul Wagenseil

Paul Wagenseil is a senior editor at Tom's Guide focused on security and privacy. He has also been a dishwasher, fry cook, long-haul driver, code monkey and video editor. He's been rooting around in the information-security space for more than 15 years at, SecurityNewsDaily, TechNewsDaily and Tom's Guide, has presented talks at the ShmooCon, DerbyCon and BSides Las Vegas hacker conferences, shown up in random TV news spots and even moderated a panel discussion at the CEDIA home-technology conference. You can follow his rants on Twitter at @snd_wagenseil.