This VPN service is reportedly being exploited to launch DDoS attacks [Update]


A widely used VPN service is being used in a distributed denial-of-service (DDoS) attack against websites, ZDNet reported earlier this week.

The attack appears to be related to a flaw in VyprVPN and its related online service Outfox, which guarantees network speed and reliability to online gamers. Details of the flaw were posted last week on the online code-sharing site GitHub.

Both VyprVPN and Outfox are owned and operated by Powerhouse Management, a Texas-based company that also operates the Swiss-based company Golden Frog, which identifies itself as the owner and operator of VyprVPN and Outfox.

"Powerhouse Management's products - Outfox (a reduced latency VPN service) or VyprVPN (a general VPN service) expose an interesting port - port 20811, when probed with any 1-byte request, large data and provides packet amplification factors," pseudonymous security researcher Phenomite wrote in a GitHub post on February 16.

"This not only means that Powerhouse's servers can be used as a DDoS amplification source, but also reveals all the servers in the world running such a potential VPN service."

According to Phenomite, Powerhouse's servers allow a packet amplification factor of about 40 times the input, dramatically increasing the amount of data an attacker can direct at a target website. In the case of a multi-packet attack, Phenomite writes, the amplification factor was about 366 times the input.

The researchers stated that they were able to detect approximately 1,500 Powerhouse-related servers worldwide that could be exploited with this technique.

This allows a relatively small botnet to launch a potentially massive DDoS attack against a well-defended website. DDoS attacks attempt to take web servers offline by bombarding them with massive amounts of useless data or impossible requests.

The attack is possible because the port in question on the Powerhouse servers handles relatively loose User Datagram Protocol (UDP) traffic, rather than the more tightly controlled Transmission Control Protocol (TCP) traffic used to transmit most website information.
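As an added illustration (not code from the article or from Phenomite's post), the following defender-side check computes the amplification factor described above from flow records and flags UDP services that send out far more data than they receive. The flow-record format, the addresses, the function names and the threshold of 10 are assumptions made for this example.

```python
from collections import defaultdict

# Constructed flow records (not real traffic):
# proto src_ip src_port dst_ip dst_port bytes
SAMPLE_FLOWS = """\
udp 198.51.100.7 40000 192.0.2.10 20811 1
udp 192.0.2.10 20811 198.51.100.7 40000 40
udp 198.51.100.7 40001 192.0.2.10 20811 1
udp 192.0.2.10 20811 198.51.100.7 40001 40
udp 203.0.113.5 53124 192.0.2.20 53 60
udp 192.0.2.20 53 203.0.113.5 53124 120
tcp 203.0.113.5 50000 192.0.2.10 443 500
tcp 192.0.2.10 443 203.0.113.5 50000 90000
"""

def amplification_by_service(flow_text, local_servers):
    """Return {(server_ip, port): (bytes_in, bytes_out, factor)} for UDP services."""
    totals = defaultdict(lambda: [0, 0])  # [bytes received, bytes sent]
    for line in flow_text.splitlines():
        fields = line.split()
        # Only UDP is considered: it is the protocol the article is about.
        if len(fields) != 6 or fields[0].lower() != "udp":
            continue
        _, src, sport, dst, dport, nbytes = fields
        try:
            sport, dport, nbytes = int(sport), int(dport), int(nbytes)
        except ValueError:
            continue  # skip malformed records instead of aborting the run
        if dst in local_servers:
            totals[(dst, dport)][0] += nbytes
        if src in local_servers:
            totals[(src, sport)][1] += nbytes
    stats = {}
    for service, (b_in, b_out) in totals.items():
        if b_in == 0:
            continue  # nothing received, so no request/response ratio exists
        stats[service] = (b_in, b_out, b_out / b_in)
    return stats

def flag_amplifiers(stats, threshold=10.0):
    """List services whose response/request byte ratio meets the assumed threshold."""
    return sorted(s for s, (_, _, factor) in stats.items() if factor >= threshold)

if __name__ == "__main__":
    stats = amplification_by_service(SAMPLE_FLOWS, {"192.0.2.10", "192.0.2.20"})
    for service in flag_amplifiers(stats):
        print(service, stats[service])
```

In the constructed sample, the service on port 20811 answers each 1-byte request with 40 bytes and is flagged, while the other UDP service stays below the threshold.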

Such attacks using Powerhouse's servers do indeed occur, writes ZDNet's Catalin Cimpanu; Tom's Guide could not confirm that such an attack is taking place.

Tom's Guide has reached out to Powerhouse Management for comment.

There is no indication that consumer users of Powerhouse services, including VyprVPN or Outfox, are being compromised by these flaws.

A spokesperson for Powerhouse Management directed us to this VyprVPN blog post posted on February 24.

"We identified the bug and distributed a patch within an hour of 7 p.m. CST on February 22."

"We are confident that no customer information or data was affected or compromised. We have further confirmed that no infrastructure was compromised by any third party and that there was no unauthorized access to VyprVPN's servers."

"During our investigation, we were also unable to identify any critical traffic exploiting the vulnerability, and traffic through these ports was minimal."

"This situation did not affect our entire service, but was limited to a single protocol, Chameleon, which is an innovative protocol designed to defeat strict censorship and VPN blocking, and we continue to push the envelope when designing new technologies."
