A widely used VPN service is being used in a distributed denial-of-service (DDoS) attack against websites, ZDNet reported earlier this week.
The attack appears to be related to a flaw in VyprVPN and its related online service Outfox, which guarantees network speed and reliability to online gamers. Details of the flaw were posted last week on the online code-sharing site GitHub.
Both VyprVPN and Outfox are owned and operated by Powerhouse Management, a Texas-based company that also operates the Swiss-based company Golden Frog, which identifies itself as the owner and operator of VyprVPN and Outfox.
"Powerhouse Management's products - Outfox (a reduced latency VPN service) or VyprVPN (a general VPN service) expose an interesting port - port 20811, when probed with any 1-byte request, large data and provides packet amplification factors," pseudonymous security researcher Phenomite wrote in a GitHub post on February 16.
"This not only means that Powerhouse's servers can be used as a DDoS amplification source, but also reveals all the servers in the world running such a potential VPN service."
According to Phenomite, Powerhouse's servers allow a packet amplification factor of about 40 times the input, dramatically increasing the amount of data an attacker can direct at a target website. In the case of a multi-packet attack, Phenomite writes, the amplification factor was about 366 times the input.
The researchers stated that they were able to detect approximately 1,500 Powerhouse-related servers worldwide that could be exploited with this technique.
This allows a relatively small botnet to launch a potentially massive DDoS attack against a well-defended website. A DDoS attack attempts to take a web server offline by bombarding it with large amounts of useless data and impossible requests.
The attack is possible because the port in question on the Powerhouse servers handles relatively loose User Datagram Protocol (UDP) traffic, rather than the more tightly controlled Transmission Control Protocol (TCP) traffic used to transmit most website information.
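As an added illustration (not from the article or from Phenomite's post), the following Python example shows how a server operator could audit flow records for the amplification behaviour described above by comparing bytes received on UDP port 20811 with bytes sent back from it. The flow records, addresses and alert threshold are constructed assumptions; only the port number comes from the report.

```python
from collections import defaultdict

SERVICE_PORT = 20811   # UDP port named in the report
BAF_ALERT = 10.0       # assumed alert threshold, not taken from the article

# Constructed flow records: (src_ip, src_port, dst_ip, dst_port, proto, bytes).
# Addresses come from the RFC 5737 documentation ranges; sizes are UDP payload bytes.
FLOWS = [
    ("198.51.100.7", 40001, "192.0.2.10", 20811, "udp", 1),
    ("192.0.2.10", 20811, "198.51.100.7", 40001, "udp", 40),
    ("198.51.100.7", 40002, "192.0.2.11", 20811, "udp", 1),
    ("192.0.2.11", 20811, "198.51.100.7", 40002, "udp", 366),
    ("198.51.100.9", 40003, "192.0.2.12", 20811, "udp", 64),
    ("192.0.2.12", 20811, "198.51.100.9", 40003, "udp", 72),
    ("198.51.100.9", 40004, "192.0.2.12", 443, "tcp", 500),
]

def amplification_by_server(flows, port=SERVICE_PORT):
    """Return {server_ip: response_bytes / request_bytes} for UDP traffic on `port`."""
    req = defaultdict(int)   # bytes each server received on the port
    resp = defaultdict(int)  # bytes each server sent back from the port
    for src, sport, dst, dport, proto, nbytes in flows:
        if proto != "udp":
            continue  # TCP needs a handshake, so it is not counted here
        if dport == port:
            req[dst] += nbytes
        elif sport == port:
            resp[src] += nbytes
    # Servers that received no request bytes are skipped to avoid dividing by zero.
    return {ip: resp[ip] / req[ip] for ip in req if req[ip] > 0}

def flag_amplifiers(flows, threshold=BAF_ALERT):
    """Servers whose responses are at least `threshold` times the bytes they were sent."""
    ratios = amplification_by_server(flows)
    return sorted(ip for ip, baf in ratios.items() if baf >= threshold)

if __name__ == "__main__":
    for ip, baf in sorted(amplification_by_server(FLOWS).items()):
        print(f"{ip}: amplification factor {baf:.1f}")
    print("flagged:", flag_amplifiers(FLOWS))
```

A server that answers with roughly the same number of bytes it received stays below the threshold, while one that returns far more than it was sent is flagged for rate limiting or filtering.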
Such attacks using Powerhouse's servers do indeed occur, writes ZDNet's Catalin Cimpanu; Tom's Guide could not confirm that such an attack is taking place.
Tom's Guide has reached out to Powerhouse Management for comment.
There is no indication that consumer users of Powerhouse services, including VyprVPN or Outfox, are being compromised by these flaws.
A spokesperson for Powerhouse Management directed us to this VyprVPN blog post posted on February 24.
"We identified the bug and distributed a patch within an hour of 7 pm CST on February 22."
"We are confident that no customer information or data was affected or compromised. We have further confirmed that no infrastructure was compromised by any third party and that there was no unauthorized access to VyprVPN's servers."
"During our investigation, we were also unable to identify any critical traffic exploiting the vulnerability, and traffic through these ports was minimal."
"This situation did not affect our entire service, but was limited to a single protocol, Chameleon, which is an innovative protocol designed to defeat strict censorship and VPN blocking, and we continue to push the envelope when designing new technologies."