Infrastructure of VPN providers is used to launch DDoS attacks

7 September, 2023

Qurium’s report Rayobyte infrastructure enabling DDoS attacks illustrates how the proxy provider’s infrastructure has been powering massive DDoS against independent media organizations.

Digging deeper into the attack logs of the denial-of-service attack reveals another set of players that, with their globally distributed infrastructure, constitute excellent platforms for DDoS attacks: VPN providers.

Qurium can confirm that infrastructure belonging to IPVanish, NordVPN and ExpressVPN is being used to launch DDoS attacks against independent media. Nacionale (Kosovo), Peoples Gazette (Nigeria), Bulatlat (Philippines), Somali Journalist Syndicate (Somalia) and Turkmen News (Turkmenistan) have all been targets of denial-of-service attacks sourced from VPN providers.

When investigating the traffic logs of the DDoS attacks against the Somali Journalist Syndicate, Qurium identified a number of prefixes that did not run any proxy services but rather OpenVPN/IKE (OpenVPN and IKE are protocols used for VPN services).

Initially we focused on six prefixes coming from AS206092/SECFIREWALLAS and discovered that the addresses operated VPN services.

The networks showed certificates of three VPN products from Kape Technologies:

  • privateinternetaccess
  • cyberghost
  • expressvpn

With this evidence at hand, we suspected that the infrastructure of VPN services was also being used in the DDoS attacks.

The following graph shows malicious traffic from the attacks coming from the ASN where Private Internet Access (PIA) and ExpressVPN VPN traffic is known to be sourced.

[Graph omitted in this copy: image-23.png]

A sample of the networks includes:

AS174 | 191.96.185{.}0/24 | privateinternetaccess
AS136787 | 91.196.221{.}0/23 | NordVPN | Packethub S.A.
AS140952 | 103.209.254{.}0/24 | Strong Technolog LLC IPVanish (J2 Global)

* Express VPN - VPN Consumer Network *
AS262287 | 64.64.117{.}0/24 | LTDA
AS262287 | 173.244.55{.}0/24 | LTDA
AS262287 | 181.215.195{.}0/24 | LTDA
AS206092 | 136.144.19{.}0/24 | SECFIREWALLAS | PANQ-VPN-136-144-19-0
AS206092 | 149.57.7{.}0/24 | SECFIREWALLAS | LogicWeb Inc.
AS206092 | 172.98.32{.}0/24 | SECFIREWALLAS | LayerSwitch Inc
AS206092 | 45.132.227{.}0/24 | SECFIREWALLAS | VCUS-45-132-227-0
AS206092 | 45.67.96{.}0/24 | SECFIREWALLAS | E-Sydney Realty 1-11 Templar Road, New South Wales
AS206092 | 85.237.194{.}0/24 | SECFIREWALLAS | S PL-HOWICK-20050527

Just like the case of rotating proxies, where the IP addresses were constantly changing, the pool of IP addresses coming from the VPNs behaved in a very similar way, rotating periodically. In this way, infrastructure that is designed to avoid detection during data scraping is leveraged to conduct denial-of-service attacks.
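As an added example (not Qurium's own tooling), the following Python script takes the prefixes listed above, refangs the `{.}` notation, and attributes access-log lines to a provider by prefix; counting distinct source addresses per prefix is one way to make the rotation pattern just described visible in a site's own logs. The log lines are constructed for illustration, and the provider labels attached to each prefix simply follow the report's attribution.

```python
import ipaddress
import re
from collections import defaultdict
# Prefixes copied from the list above, kept in the report's defanged "{.}" form;
# provider labels follow the report's own attribution.
VPN_PREFIXES = [
    ("191.96.185{.}0/24", "privateinternetaccess"),
    ("91.196.221{.}0/23", "NordVPN"),
    ("103.209.254{.}0/24", "IPVanish"),
    ("64.64.117{.}0/24", "VPN Consumer Network (ExpressVPN)"),
    ("136.144.19{.}0/24", "VPN Consumer Network (ExpressVPN)"),
]
# strict=False accepts a prefix written with host bits set (91.196.221.0/23 -> 91.196.220.0/23).
NETWORKS = [(ipaddress.ip_network(p.replace("{.}", "."), strict=False), name)
            for p, name in VPN_PREFIXES]

# Combined-style access log; only the leading client-IP field is used.
LOG_RE = re.compile(r"^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] \"")

# Constructed sample log lines, not real attack data; 198.51.100.23 plays an ordinary visitor.
SAMPLE_LOG = """\
191.96.185.17 - - [07/Sep/2023:10:00:01 +0000] "GET /?q=a HTTP/1.1" 200 512
191.96.185.203 - - [07/Sep/2023:10:00:01 +0000] "GET /?q=b HTTP/1.1" 200 512
91.196.221.9 - - [07/Sep/2023:10:00:02 +0000] "GET /?q=c HTTP/1.1" 200 512
103.209.254.77 - - [07/Sep/2023:10:00:02 +0000] "GET /?q=d HTTP/1.1" 200 512
64.64.117.5 - - [07/Sep/2023:10:00:03 +0000] "GET /?q=e HTTP/1.1" 200 512
136.144.19.250 - - [07/Sep/2023:10:00:03 +0000] "GET /?q=f HTTP/1.1" 200 512
198.51.100.23 - - [07/Sep/2023:10:00:04 +0000] "GET /about HTTP/1.1" 200 512
191.96.185.17 - - [07/Sep/2023:10:00:04 +0000] "GET /?q=g HTTP/1.1" 200 512
"""

def classify(ip_text):
    """Provider label for an address inside a listed prefix, else None."""
    ip = ipaddress.ip_address(ip_text)
    return next((name for net, name in NETWORKS if ip in net), None)

def attribute_sources(log_text):
    """Per provider (or "unlisted"): request count and distinct source IPs; many distinct IPs per prefix is the rotation pattern noted above."""
    stats = defaultdict(lambda: {"requests": 0, "ips": set()})
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue  # not a parsable access-log line
        ip = m.group("ip")
        name = classify(ip) or "unlisted"
        stats[name]["requests"] += 1
        stats[name]["ips"].add(ip)
    return {n: {"requests": s["requests"], "distinct_ips": len(s["ips"])}
            for n, s in stats.items()}
```

Run against a real access log, the same function gives per-provider request volumes that can go straight into an abuse report to the network operator.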

The mysterious “VPN Consumer Network”

During several DDoS attacks against (Somalia) and (Kosovo), Qurium fingerprinted IP addresses coming from the ISPs:

  • GSL Networks Pty LTD
  • LTDA

These ISPs are described in ARIN as “VPN Consumer Network”. The abuse contact details are presented in a simple page as:

[Image omitted in this copy: image-29.png]

Based on information revealed in two recent US lawsuits in which Hollywood companies sued several VPN providers (Case 1 and Case 2), it is suggested that “VPN Consumer Network Services” is in fact an alter ego of the popular ExpressVPN.

In 2021, ExpressVPN was bought by Kape Technologies, a UK-based company that currently owns some of the most popular VPN services, such as CyberGhost VPN, Private Internet Access (PIA) and ZenMate.

In the Netherlands, several companies associated with the phone numbers +31403041482, +31403041481 and +3140304148X seem to advertise the “VPN Consumer Network”. This is just one example of how difficult it is to seek remediation from VPN and proxy services involved in denial-of-service attacks.


The response

Qurium has emailed the three VPN providers, IPVanish, NordVPN and ExpressVPN, reporting that their infrastructure is being used to conduct denial-of-service attacks. The response, or lack thereof, was the following:

  • IPVanish created an automatic ticket #4345069 and did not follow up.
  • NordVPN created an automatic ticket ID #14215469, referred to their no-log data policy and did not provide any further details on how NordVPN plans to stop future DDoS attacks against our hosted sites from their infrastructure.
  • ExpressVPN created an automatic ticket with id #23307882 and escalated the case to Management with the promise that management would reach out to us soon.

At the time of this writing, no VPN provider has provided any explanation of the events, nor of the measures that will be taken in the future to ensure that their infrastructure does not actively participate in denial-of-service attacks.