Some botnet operators are abusing VPN servers run by the VPN provider Powerhouse Management to reflect and amplify junk traffic as part of DDoS attacks.
The new DDoS vector was discovered and documented by a security researcher who goes by the handle Phenomite and who shared his findings with ZDNet last week.
The researcher said that the root cause of the new vector is a still-unidentified service listening on UDP port 20811 on Powerhouse VPN servers.
Phenomite says attackers can "ping" this port with a one-byte request, and the service responds, often with packets up to 40 times the size of the original packet.
Because these packets are UDP-based, the request can also be crafted with a spoofed (incorrect) source IP address. This means an attacker can send a one-byte UDP packet to a Powerhouse VPN server, which amplifies it and sends the much larger response to the IP address of the DDoS victim, what security researchers call a reflected/amplified DDoS attack.
Both Phenomite and ZDNet have contacted Powerhouse Management to inform the company about the behavior of its servers, hoping to get a fix deployed that would prevent the misuse of its VPN infrastructure in future DDoS attacks.
However, the company has not responded to these requests.
In addition, we also learned today that threat actors have already discovered this DDoS attack vector and have already used it in real attacks.
According to a scan Phenomite ran last week, there are currently about 1,520 Powerhouse servers exposing UDP port 20811, all of which can be abused by DDoS threat groups.
Until Powerhouse fixes the issue, the researcher has advised companies either to block all traffic coming from the provider's two autonomous systems (AS21926 and AS22363) or to drop any UDP traffic whose source port ("srcport") is 20811.
The second option is recommended, as it does not block legitimate VPN traffic from all Powerhouse VPN users, only the "reflected" packets that are most likely part of a DDoS attack. The source-port filter works because the reflector, not the attacker, chooses the port the response is sent from, so the attacker cannot evade it by changing the spoofed request.
Phenomite's discovery adds to a long list of new DDoS amplification vectors that have been disclosed in the last three months.
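To make the trade-off between the two mitigations concrete, here is an added example (not code from the article, from Phenomite or from Powerhouse) that runs both policies over a handful of constructed NetFlow-style records. The `Flow` record layout, the `src_asn` column, the function names and every sample flow are assumptions made for this illustration; only the port number 20811 and the two ASNs come from the report.

```python
"""Added example: spot reflected UDP/20811 traffic in flow records and compare
the two mitigations described above (block-by-ASN vs. drop-by-source-port).
Function names, the Flow record layout and all sample flows are constructed for
this illustration; they are not from Phenomite or Powerhouse."""
import csv
import io
from collections import defaultdict
from dataclasses import dataclass

REFLECTOR_PORT = 20811            # UDP source port of the reflected packets (from the report)
POWERHOUSE_ASNS = {21926, 22363}  # AS21926 and AS22363 (from the report)

# Constructed NetFlow-style records, one flow per line, with a hypothetical
# src_asn column. Two flows are reflected 20811 traffic aimed at 198.51.100.7;
# one is an OpenVPN session and one is HTTPS, both from the same ASNs; the last
# is unrelated DNS traffic from a third network.
SAMPLE_FLOWS = """\
proto,src_ip,src_port,dst_ip,dst_port,src_asn,packets,bytes
udp,203.0.113.10,20811,198.51.100.7,53412,21926,4000,1960000
udp,203.0.113.11,20811,198.51.100.7,53412,22363,3800,1862000
udp,203.0.113.12,1194,198.51.100.22,1194,21926,120,18000
tcp,203.0.113.13,443,198.51.100.30,41000,22363,60,45000
udp,192.0.2.5,53,198.51.100.7,53412,64496,10,1200
"""


@dataclass(frozen=True)
class Flow:
    proto: str
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int
    src_asn: int
    packets: int
    bytes: int


def parse_flows(text: str) -> list[Flow]:
    """Parse CSV flow records into Flow objects."""
    flows = []
    for row in csv.DictReader(io.StringIO(text)):
        flows.append(Flow(
            proto=row["proto"].lower(),
            src_ip=row["src_ip"],
            src_port=int(row["src_port"]),
            dst_ip=row["dst_ip"],
            dst_port=int(row["dst_port"]),
            src_asn=int(row["src_asn"]),
            packets=int(row["packets"]),
            bytes=int(row["bytes"]),
        ))
    return flows


def is_reflected(flow: Flow) -> bool:
    """Reflected packets leave the reflector from its own listening port, so the
    signature is UDP with source port 20811; the attacker cannot change it."""
    return flow.proto == "udp" and flow.src_port == REFLECTOR_PORT


def blocked_by_asn_policy(flow: Flow) -> bool:
    """Option 1 from the article: drop everything originating in the two ASNs."""
    return flow.src_asn in POWERHOUSE_ASNS


def blocked_by_srcport_policy(flow: Flow) -> bool:
    """Option 2 from the article: drop only UDP packets with srcport 20811."""
    return is_reflected(flow)


def compare_policies(flows: list[Flow]) -> dict[str, int]:
    """Count what each policy drops and how much non-reflection traffic the ASN
    policy takes down as collateral damage."""
    asn_dropped = [f for f in flows if blocked_by_asn_policy(f)]
    port_dropped = [f for f in flows if blocked_by_srcport_policy(f)]
    return {
        "asn_policy_dropped": len(asn_dropped),
        "srcport_policy_dropped": len(port_dropped),
        "asn_policy_collateral": sum(1 for f in asn_dropped if not is_reflected(f)),
    }


def victim_report(flows: list[Flow]) -> dict[str, int]:
    """Bytes of reflected 20811 traffic per destination, i.e. the likely victims."""
    totals: dict[str, int] = defaultdict(int)
    for f in flows:
        if is_reflected(f):
            totals[f.dst_ip] += f.bytes
    return dict(totals)


if __name__ == "__main__":
    flows = parse_flows(SAMPLE_FLOWS)
    print(compare_policies(flows))
    print(victim_report(flows))
```

On the sample data the ASN policy drops four of the five flows, two of which are ordinary VPN and HTTPS sessions, while the source-port policy drops exactly the two reflected flows and nothing else. The same `is_reflected` predicate is what you would express as an ACL or firewall rule on the victim side (UDP, source port 20811, drop).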
Source of information: zdnet.com