MANILA, Philippines – Sweden-based digital forensics nonprofit Qurium on Thursday, September 7, reported that popular virtual private network (VPN) services and proxy providers that claim to use “ethically sourced” IP addresses have been used by attackers for distributed-denial-of-service (DDoS) attacks. 

VPNs and proxies are used to make oneself anonymous online, by hiding a device’s true IP address behind one assigned by the VPN or proxy service provider.

A user typically connects to the internet via an internet service provider (ISP) such as Globe or PLDT. The ISP assigns your device an IP address, essentially an identifier for your device when you connect to a website, for example. A VPN or a proxy service substitutes your real IP address with one from their database, thus hiding your identifier from the website you’re visiting.

A VPN takes it a step further as it provides end-to-end encryption, which prevents other parties from seeing the data you’re requesting from a website.

These services can also make your connection appear as if it’s originating from another country, by coursing your connection through one of their servers hosted in a specific country of choice. This has become one of the more popular ways for VPNs to market themselves, allowing users to bypass geo-restrictions such as those put up by streaming services like Netflix or Disney+.

However, while VPNs and proxies are often marketed for security, anonymity, and geo-restriction bypassing to the common user, Qurium has found that these services have also been useful for attackers conducting DDoS attacks wherein massive amounts of traffic are driven towards a target website to bring it down.

Qurium has also questioned US-based proxy service Rayobyte’s claims that their database of IPs are “ethically-sourced.”

How does it work? 

Qurium analyzed DDoS attacks on the website of the Somali Journalists Syndicate (SJS), an independent journalists’ trade union, in August. The nonprofit provided hosting for SJS after an earlier DDoS attack had brought down the independent media site.

In its analysis, it found that attackers use “traffic generators,” the traffic from which are then fed to proxies from US-based provider Rayobyte, and then to the target website, sjsyndicate.org. 

The traffic is fed through the proxy service in order to bypass site mitigations that monitor the amount of requests per IP address. Qurium found that attackers used “thousands of fresh new IP addresses” traced to Rayobyte, with each one sending “just a few requests per second” thereby bypassing website mitigations to detect and block a DDoS attack. 

Traditional firewalls are bypassed as the attackers can keep leasing thousands of new, unblocked addresses during short periods of time, Qurium said. It said it was able to block no less than 19,518 IP addresses during the attack.

The nonprofit said they were able to trace the majority of the bad traffic from Rayobyte assets and its infrastructure partners by analyzing “the network allocations, by looking into registration data, upstream providers, data center information and hosted services.”

Aside from SJS, 5 other Qurium-hosted clients have been targeted by denial-of-service attacks sourced from Rayobyte’s infrastructure including Nacionale (Kosovo), Kloop (Kyrgyzstan), Peoples Gazette (Nigeria), Bulatlat (Philippines), and Turkmen News (Turkmenistan).

Qurium reached out to Rayobyte as early as March 2023 to inform the company of how their proxy services were being used by bad actors. The nonprofit was able to reach out to the firm’s CEO Neil Emeigh and Kade Baker, who promised implementing technology to detect the launching of DDoS attacks with assistance from their tools.

But a few months after the interaction, the attack on the SJS website took place, which still used Rayobyte assets. “However, a few months later we can see the very same pattern being used to conduct yet another denial of service attacks against another target,” Qurium said.

Qurium also questioned the company’s marketing of its proxies as “ethically sourced.” It said the company’s alleged “‘commitment to high ethical standards’ translates to an infrastructure that is leased to cyber criminals to conduct all sort of attacks including denial of service.” 

ExpressVPN, NordVPN

Qurium also discovered that popular VPN services are being used in a similar manner to conduct successful DDoS attacks, including some of the most popular, ExpressVPN and NordVPN. 

Independent media organizations that have been attacked with the aid of VPN tools include Nacionale (Kosovo), Peoples Gazette (Nigeria), Bulatlat (Philippines), Somali Journalist Syndicate (Somalia) and Turkmen News (Turkmenistan). 

“Just like the case of rotating proxies where the IP addresses were constantly changing, the pool of IP addresses coming from [VPNs] were behaving in a very similar way, rotating periodically. In this way, infrastructure that is designed to avoid detection during data [scraping] is leveraged to conduct denial of service attacks.” 

Pools of IP addresses can be used in operations that extract data from sites, but as Qurium said, similar mechanics can be used to perform DDoS attacks. The nonprofit analyzed network certificates, known traffic sources for the mentioned VPNs, and other forensic methods to trace the traffic back to the VPN providers. 

The nonprofit has contacted three identified VPN providers, IPVanish, NordVPN and ExpressVPN, to inform them that their services are being used in DDoS operations. IPVanish did not reply aside from an automatic ticket; NordVPN referred to a “no-log data policy” but did not provide details on how it plans to address DDoS attack concerns; and ExpressVPN escalated the case to management, and promised that management would soon get back to Qurium. 

“At the time of this writing, no VPN provider has provided any explanation of the events nor the measures that will be taken in the future so their infrastructure is not actively participating in denial of service attacks,” Qurium said. – Rappler.com