Cybercriminals Leverage VPNs for DDoS Amplification
When it comes to the serious problems that companies can face, having too many willing customers isn’t one that too many business owners lose sleep over. While companies want to match demand with supply, having a large number of prospective customers showing interest in your service is far from the worst challenge a business can face.
At least, that’s assuming that all of the would-be customers are genuine.
This is the basis for Distributed Denial of Service (DDoS) attacks, in which attackers bombard victims with copious quantities of fraudulent traffic with the goal of bringing down a particular service or website. Picture it like directing too much vehicular traffic down a residential street: at a certain point, it’s total gridlock and even legitimate traffic that belongs on the road is unable to reach its destination.
DDoS amplification attacks are a nasty variation on DDoS, whereby the attacker exploits vulnerabilities in domain name system (DNS) servers to turn small queries into much larger responses. By using assorted amplification techniques to flood targets with massive numbers of User Datagram Protocol (UDP) packets, attackers are able to overwhelm even robust infrastructure and knock victims’ servers offline.
To those without the necessary anti-DDoS protection, such attacks can be devastating in their effect.
Amplification attacks increase scale
In this kind of amplification attack, the attacker sends a DNS request for service with a source IP that’s spoofed to look like the address of the victim. This causes the DNS resolver, a server that’s designed to receive queries from web browsers and applications, to return a DNS response. When multiple fake queries are sent, resulting in multiple DNS resolvers replying at the same time, networks can become overloaded with DNS responses. This is what risks slowing down a website or service or even driving it offline altogether.
In an amplification attack, DNS request messages of around 60 bytes can be turned into a response message in excess of 4,000 bytes — meaning an amplification factor of approximately 70:1. As such, amplification can vastly increase the scale of a DDoS attack.
Recently there has been a trend of cybercriminals leveraging virtual private networks (VPNs) for DDoS amplification attacks. Under usual circumstances, VPNs offer privacy, security, and anonymity to computer users through the use of a private network connection via a public network connection. VPNs can be used, for example, to access restricted websites that are geographically blocked in one particular area. To cyberattackers, however, they also open up new opportunities for causing problems.
Exploiting VPNs for DDoS amplification
In February, a security researcher by the name of Phenomite discovered how the operators of botnets — strings of internet-connected devices, frequently used to amplify DDoS attacks — have been increasingly using VPN servers as part of their attacks. According to Phenomite, one recent attack involves pinging the UDP port 20811 on Powerhouse VPN servers with a single byte request, which is then greatly amplified.
This attack vector has reportedly already been weaponized, with real-world attacks reaching as high as 22 gigabits per second (Gbps) in their assault on targets. Furthermore, additional scans by Phenomite show that upwards of 1,500 Powerhouse servers leave UDP port 20811 exposed. This, in turn, opens up the possibility of other similar attacks taking place until Powerhouse VPN provides a fix to the problem.
DDoS attacks can be exceedingly damaging to targets, and have brought down some major players as well as smaller businesses. Previous targets have included major banks, code repository GitHub, Sony, EA, Steam, and many others. Negative effects of DDoS attacks can include lost revenue due to unplanned time offline, along with dented customer loyalty, and more.
Protecting against amplified DDoS attacks is essential. Some of the ways to mitigate the devastating effects of DNS amplification attacks include rate limiting, blocking specific DNS servers, or tightening up security for DNS servers. But these won’t stop attacks from taking place, and may have other damaging impacts such as hurting genuine DNS communication.
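The trade-off described above can be seen in a simplified token-bucket response rate limiter, added here as an illustration (it is not from the original article or any DNS server's own code). The class name, rate, burst, /24 grouping and the constructed query stream are assumptions; the 4,000-byte response size is the figure quoted earlier.

```python
import ipaddress

class ResponseRateLimiter:
    """Token bucket per source prefix: caps how many responses go to one /24."""

    def __init__(self, rate_per_sec=4.0, burst=8.0, prefix_len=24):
        self.rate, self.burst, self.prefix_len = rate_per_sec, burst, prefix_len
        self.buckets = {}  # prefix -> (tokens, time of last query)

    def allow(self, src_ip, now):
        # The claimed source may be spoofed, so limit by prefix, not by trust.
        prefix = ipaddress.ip_network(f"{src_ip}/{self.prefix_len}", strict=False)
        tokens, last = self.buckets.get(prefix, (self.burst, now))
        tokens = min(self.burst, tokens + (now - last) * self.rate)
        allowed = tokens >= 1.0
        self.buckets[prefix] = (tokens - 1.0 if allowed else tokens, now)
        return allowed

def simulate(response_bytes=4000):
    """Constructed scenario: 256 queries in one second, all claiming 192.0.2.80."""
    limiter = ResponseRateLimiter()
    answered = 0
    neighbour_ok = None
    for i in range(256):
        now = i / 256
        answered += limiter.allow("192.0.2.80", now)
        if i == 225:  # a genuine client in the same /24 asks mid-flood
            neighbour_ok = limiter.allow("192.0.2.81", now + 1 / 512)
    return {
        "answered": answered,
        "dropped": 256 - answered,
        "bytes_reflected": answered * response_bytes,
        "bytes_without_limit": 256 * response_bytes,
        "neighbour_answered": neighbour_ok,
        "other_prefix_answered": limiter.allow("198.51.100.7", 1.0),
    }

if __name__ == "__main__":
    print(simulate())
```

The limiter cuts the traffic reflected at the spoofed address sharply, but the genuine client sharing that prefix is refused as well, which is the collateral damage the paragraph warns about.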
Protecting against attacks
Fortunately, the tools are there to help. Modern cybersecurity tools for anti-DDoS measures are able to scrub massive DDoS attacks, giving would-be targets the ability to handle even the biggest volumetric attack. They can also identify amplified traffic and block it, protecting systems from being victimized by such attacks. They are able to block this bad traffic effectively, while continuing to allow through genuine traffic. As a result, services do not suffer while DDoS attacks are in progress.
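One signal for identifying amplified traffic is a response that matches no request the recipient ever sent. The sketch below is an added example, not from the original article or any vendor's product. The flow-record layout, the byte threshold and the sample records are constructed assumptions; ports 53 and 20811 are the ones discussed above.

```python
from collections import defaultdict

REFLECTOR_PORTS = {53, 20811}  # UDP services named in the article

# Constructed UDP flow records: (src_ip, src_port, dst_ip, dst_port, bytes).
# All addresses are documentation ranges, not real hosts.
SAMPLE_FLOWS = [
    ("192.0.2.10", 40000, "198.51.100.53", 53, 60),      # genuine query
    ("198.51.100.53", 53, "192.0.2.10", 40000, 180),     # its solicited answer
    ("203.0.113.5", 53, "192.0.2.80", 31001, 4000),      # never requested
    ("203.0.113.6", 53, "192.0.2.80", 31002, 4000),      # never requested
    ("203.0.113.7", 20811, "192.0.2.80", 31003, 3000),   # never requested
    ("203.0.113.9", 53, "192.0.2.11", 31004, 120),       # stray, below threshold
]

def find_reflection_targets(flows, min_bytes=8000):
    """Return per-host stats for responses that match no outbound request."""
    flows = list(flows)
    # Pass 1: remember every request sent to a reflector-capable port.
    asked = {(s, sp, d, dp) for s, sp, d, dp, _ in flows if dp in REFLECTOR_PORTS}
    stats = defaultdict(lambda: {"bytes": 0, "packets": 0, "reflectors": set()})
    # Pass 2: a response is solicited only if the mirrored request was seen.
    for src, sport, dst, dport, size in flows:
        if sport in REFLECTOR_PORTS and (dst, dport, src, sport) not in asked:
            entry = stats[dst]
            entry["bytes"] += size
            entry["packets"] += 1
            entry["reflectors"].add((src, sport))
    # Only hosts receiving a meaningful unsolicited volume are reported.
    return {ip: e for ip, e in stats.items() if e["bytes"] >= min_bytes}

if __name__ == "__main__":
    for ip, e in find_reflection_targets(SAMPLE_FLOWS).items():
        print(ip, e["bytes"], "bytes from", len(e["reflectors"]), "reflectors")
```

Because the check keys on whether a matching request exists rather than on the source address, the host's own solicited DNS answers are left alone.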
These kinds of cyberattacks are not going away any time soon. The damage they can cause, coupled with the increasingly low barrier to entry when it comes to launching them, makes them irresistible to cyber attackers wanting to cause maximum damage. But by deploying the right tools, you can comprehensively safeguard against them. Employing these countermeasures proactively also means not having to wait on bug fixes that may not arrive in a timely fashion.
Getting the right tools and strategy in place is one of the best cybersecurity moves any business or organization can make today.