Original Release Date: 2/25/2021
Powerhouse Management VPN servers are being abused in reflected/amplified distributed denial-of-service (DDoS) attacks. A private researcher known as Phenomite first identified the DDoS attack vector as a service that runs on Powerhouse VPN servers on UDP port 20811. Attackers can abuse this service by sending one or more UDP packets to a Powerhouse VPN server with the source (return) IP address spoofed to that of the intended victim. The service then replies with up to 40 times the size of the original packet(s), and because the reply goes to the spoofed address, the amplified traffic lands on the victim, resulting in a reflected/amplified DDoS attack. Powerhouse Management has issued a formal response identifying this service as Chameleon, a proprietary protocol used to bypass VPN blocking and censorship, and stating that the issue has been patched. Approximately 1,500 Powerhouse VPN servers with UDP port 20811 exposed have been identified worldwide, with the largest concentrations in the UK, Hong Kong, and Vienna, Austria.
The NJCCIC suggests that network administrators follow the security researcher's recommendation and block traffic from UDP port 20811 until mitigation is confirmed. DDoS preparation and prevention recommendations can be found in the NJCCIC Advisory, DDOS Attack Types and Mitigation Strategies. Additional reporting can be found in the ZDNet article.
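As an added example (not part of this advisory and not Powerhouse code), the following Python script shows what the reflection described above looks like from the victim's side and how to spot it in flow records: hosts receiving large volumes of UDP traffic sourced from port 20811 that they never sent a request to. The flow format, IP addresses, and byte counts are constructed for the example.

```python
"""Flag suspected UDP reflection/amplification traffic from the Chameleon
service port (UDP 20811) in flow records.  Sample flows are constructed."""
from collections import defaultdict

CHAMELEON_PORT = 20811
# Constructed flow records: src_ip,src_port,dst_ip,dst_port,proto,bytes
# 203.0.113.x stand in for exposed VPN servers, 198.51.100.x for our hosts.
SAMPLE_FLOWS = """\
203.0.113.10,20811,198.51.100.5,51234,udp,58000
203.0.113.11,20811,198.51.100.5,51234,udp,61000
203.0.113.12,20811,198.51.100.5,51234,udp,57500
198.51.100.7,44000,203.0.113.50,20811,udp,1200
203.0.113.50,20811,198.51.100.7,44000,udp,1400
198.51.100.9,40000,192.0.2.30,53,udp,80
"""


def parse_flows(text):
    """Parse comma-separated flow lines into dicts, skipping blank lines."""
    fields = ("src_ip", "src_port", "dst_ip", "dst_port", "proto", "bytes")
    flows = []
    for line in text.splitlines():
        if not line.strip():
            continue
        rec = dict(zip(fields, line.split(",")))
        for key in ("src_port", "dst_port", "bytes"):
            rec[key] = int(rec[key])
        flows.append(rec)
    return flows


def find_reflection_victims(flows, port=CHAMELEON_PORT, min_bytes=100000):
    """Return {victim_ip: (reflector_count, total_bytes)} for hosts that
    received at least min_bytes of UDP traffic from source port `port`
    without ever sending a request to the responding host (unsolicited
    replies are the signature of a reflected attack)."""
    requested = {(f["src_ip"], f["dst_ip"]) for f in flows
                 if f["proto"] == "udp" and f["dst_port"] == port}
    stats = defaultdict(lambda: [set(), 0])
    for f in flows:
        if f["proto"] != "udp" or f["src_port"] != port:
            continue
        if (f["dst_ip"], f["src_ip"]) in requested:
            continue  # legitimate reply to a request this host actually sent
        stats[f["dst_ip"]][0].add(f["src_ip"])
        stats[f["dst_ip"]][1] += f["bytes"]
    return {ip: (len(s), b) for ip, (s, b) in stats.items() if b >= min_bytes}


if __name__ == "__main__":
    for victim, (n, b) in find_reflection_victims(parse_flows(SAMPLE_FLOWS)).items():
        print(f"{victim}: {b} bytes unsolicited UDP/{CHAMELEON_PORT} from {n} reflectors")
```

Here 198.51.100.5 is flagged because three VPN servers sent it roughly 176 KB of port-20811 traffic it never requested, while 198.51.100.7 is not, since its single reply matches a request it sent.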