Corero

VPN Provider Compromised by DDoS Botnet Operators

Botnet threat actors have discovered another vulnerability to exploit in their ongoing efforts to launch business-disrupting distributed denial of service (DDoS) attacks. Earlier this year, several news outlets, including TechRadar, reported that an anonymous security researcher had discovered that the servers of VPN provider Powerhouse Management had been compromised to send reflective/amplified DDoS attacks; the researcher shared his findings on GitHub on February 14th. This is not surprising, given that the COVID lockdowns around the world have forced so many workers to rely on VPNs to remotely connect to their corporate office networks. True to form, threat actors will always seek out the most abundant and easy prey to exploit.

According to TechRadar, “The researcher notes that there are over 1500 Powerhouse VPN servers with their UDP port 20811 exposed and can potentially be used to launch a DDoS attack.” This does not mean that those companies who utilize the Powerhouse Management VPN will be the victims of a DDoS attack; rather, their servers can be used to launch attacks on other unsuspecting organizations. According to ZDNet, cybercriminals have already weaponized the VPN system to launch attacks in the wild.

Credit is due to Powerhouse Management, though, as they were able to quickly create a patch for the issue. However, this is another example of the creativity of cybercriminals in their constant efforts to find new and powerful ways to launch damaging DDoS attacks. It also helps to explain why and how DDoS continues to be a favorite attack tool for cybercriminals, and why such damaging attacks are continuing to increase in frequency. Without deploying the latest generation of DDoS defenses, any organization can be the target of an attack, especially with the increase in ransom DDoS, which targets any business that the cybercriminals believe has the resources to pay up.

How Does Corero’s SmartWall® Block VPN Amplification Attacks?

Corero’s patented heuristic Smart-Rules can distinguish the patterns of retry packets in a reflection/amplification attack; the persistent retries trigger anomaly thresholds and are blocked automatically by SmartWall, which inspects every inbound packet. At the same time, regular packets still go through, allowing legitimate VPN traffic to successfully establish a session.
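To make the retry-pattern idea concrete, here is an added illustrative heuristic written for this post; it is not Corero's Smart-Rules logic, and the window, threshold, addresses and packet payloads are all assumptions or constructed sample data. It scores inbound UDP datagrams arriving from a VPN server port (20811, the port named in the TechRadar report): a reflected response keeps arriving as the same datagram over and over because the victim never completes the handshake, while a legitimate session advances state and its packets differ.

```python
from collections import defaultdict, deque
from dataclasses import dataclass

@dataclass(frozen=True)
class Packet:
    ts: float       # arrival time in seconds
    src: str        # source IP
    sport: int      # source UDP port
    dst: str        # destination IP inside the protected network
    dport: int      # destination UDP port
    payload: bytes  # datagram body

VPN_PORT = 20811       # UDP port named in the TechRadar report
RETRY_THRESHOLD = 4    # assumed anomaly threshold, not Corero's real value
WINDOW = 10.0          # assumed sliding window in seconds

def classify(packets):
    """Split inbound datagrams into (passed, dropped).
    A retry is a datagram identical in (src, sport, dst, dport, payload) to one
    already seen. A source that repeats a datagram more than RETRY_THRESHOLD
    times within WINDOW seconds is blocked; everything else passes."""
    history = defaultdict(deque)   # identity tuple -> recent timestamps
    blocked = set()
    passed, dropped = [], []
    for p in sorted(packets, key=lambda q: q.ts):
        if p.src in blocked:
            dropped.append(p)
            continue
        key = (p.src, p.sport, p.dst, p.dport, p.payload)
        seen = history[key]
        seen.append(p.ts)
        while seen and p.ts - seen[0] > WINDOW:   # age out old retries
            seen.popleft()
        if p.sport == VPN_PORT and len(seen) > RETRY_THRESHOLD:
            blocked.add(p.src)
            dropped.append(p)
        else:
            passed.append(p)
    return passed, dropped

# Constructed sample traffic (documentation-range addresses, invented payloads).
VPN_SERVER, REFLECTOR = "203.0.113.5", "203.0.113.7"
CLIENT, VICTIM = "198.51.100.10", "198.51.100.20"
LEGIT = [Packet(1.0, VPN_SERVER, VPN_PORT, CLIENT, 40000, b"HARD_RESET_SERVER"),
         Packet(1.2, VPN_SERVER, VPN_PORT, CLIENT, 40000, b"HARD_RESET_SERVER"),  # one retry is normal
         Packet(1.5, VPN_SERVER, VPN_PORT, CLIENT, 40000, b"TLS_SERVER_HELLO"),
         Packet(2.0, VPN_SERVER, VPN_PORT, CLIENT, 40000, b"DATA_V2 0x01")]
ATTACK = [Packet(1.0 + i, REFLECTOR, VPN_PORT, VICTIM, 53, b"HARD_RESET_SERVER")
          for i in range(8)]   # same reflected response, retried every second
```

Running `classify(LEGIT + ATTACK)` passes all four legitimate packets and the first four reflected retries, then blocks the reflector for the rest of the window.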

For more information about the increased risks of DDoS attacks on VPNs, and how Corero mitigates such attacks, download our white paper, “Remote Workers and the Rise of OpenVPN Amplification DDoS Attacks.”