Skip to content
master
Switch branches/tags
AMP-Research/Port 20811 - Powerhouse Management VPN/
Go to file
AMP-Research/Port 20811 - Powerhouse Management VPN/

Latest commit

 

Git stats

Files

Permalink
Failed to load latest commit information.
Type
Name
Latest commit message
Commit time
. .
README.md
 
 
phmgmt.c
 
 
phmgmt_20811.pkt
 
 
"PHMGMT" Powerhouse Management, Inc - VyprVPN and Outfox Port: 20811 Proto: UDP Data Amplification factor: ~40x Packet Amplification factor: 1-50x Effective Amplification Average: 366x Reflector count: ~1,520 (Feb 2021) Patching has been rolled out by Powerhouse Example Requests / Responses Documentation Mitigations

README.md

"PHMGMT" Powerhouse Management, Inc - VyprVPN and Outfox

Port: 20811

Proto: UDP

Data Amplification factor: ~40x

Packet Amplification factor: 1-50x

Effective Amplification Average: 366x

Reflector count: ~1,520 (Feb 2021)

Patching has been rolled out by Powerhouse

Updated scan result 2021-02-25 yields no reflectors left active! Well done.

Powerhouse Management products - either Outfox (a latency reduction VPN service) or VyprVPN (a general vpn service) are exposing an interesting port - port 20811 which provides a massive data and packet amplification factor when probed with any single byte request.

Not only does this mean Powerhouse servers can be used as a DDoS amplification source, but reveals all servers around the world that are running such potential VPN services - which removes the privacy factor somewhat.

In testing, Powerhouse Management ISP owned servers were not present on Shodan at all, however responded to our probes with varying degrees of amplification. All response IP's had the hostname of "undefined.hostname.localhost"

  • Packet amplification = 1 : 1-50
    • Very unstable, sometimes no response at all (not a rate limit)
    • Average was 9 packets across 100 test IPs
  • Data amplification average = ~40x
  • Multi-packet average effective amplification = 366x
    • NTP vibes anyone?

Example Requests / Responses

  • Request: 1 data bytes

    • ASCII: [NULLBYTE]

    • > ~# echo -ne '\x00'|nc -u 128.90.242.100 20811 -w2|xxd -p

  • Response: One packet Avg 1030 bytes (multi-packet)

    • ASCII character space:

      aA\a8\83RL\a4\02\c3}\1d \98\b4\f0 E\c4\86\95\e2\9e\d7\d7\a9\11\a6\00\99\fa-P\de\a9\ee\e6\f6\c8\de^\df4s\06\d9\10\d0\b3i \adi\91Z\88\a4\b8\f5d\ba\9a\eeb!q\a0t\c0\e1z\12\d7\be\01\7f\89XL\a0\f3R\8d4\cf\00\d5\87\0f\c4\ff\e1\tC\ac@\ee\f4\15\e6Rv\a7\85\cbbb\b4$\a3\bc\c6\16Vs%g\92l\1b\ef#\c1\82Z\bd\be\d4\81\ae\b4\cd\06X\c0\81/T\bf\8b\8c\01x\81f9fl-\de\f0T\1d\d9\fa"G\e5\cej\82\1f\b1\82\17\17\f0\ea\0b\15\f6\01MR\95e\f43\c1\e3,\c0\047dX\dd\99\8b\88\e0\b2\ea$~\96\85\e9k\86\90b\11"\bf\b7X|T\19\d54\ae\1a\f9K\90\94\c6 2\1e\f2m\da\db\ea\00Q\92\c9\06V6cX\91\93\b4\e1\e9?(\f3%\87\1dcFs\7f\bc\18\01\e9\e0;5\b3Hb9_\95\c9\d2\bd\ae\e5\e4SEI/\bb\f3\0c\t\c0}\af\ac\c9J\c5\bdNU\f5\f8\ac\bb\87\d4\a9\c6*\f5!\e2U\bb=\c7\aaa.\b9\9c\a4fT\d2\b9\c6\a5\ba\8c\c1]\1f\t%\n\c6\d1\a1\aeh-\d7\da\dd\f4\d5\bc\cf"\ea=4.OQ\b6\91\c7#J\14\a982W}\01\ca'Z4\df\ce"X\cf\98\f4\b2/\c8i\b58sY$r\c8\8d\d7\92\b7-j\d8*|\a4XB\fbV\03-\d8\f04\9a+\b8\bc\d1\ed\e0\86L\8fA\03\aa\d0\84+\d1sP\dc\d7p=*\cb,a\d0-\7f\1cm%\0f\f3<\fe\ec.\rv.\16\f6\n\r[\aa\17d\f2\f8p[\f0h\a2\9f\d4R=\fe\8b\01<H_\8e{=\f1\ff\f6$@'{$2\0eK\1e%\8a64&\ea\t)\88\b0W+\ab\ca\d1G\03\dc\06\e0\03k\19\c2\0b]\a7\00'b"\abv\d1|\b0\ac\cds\13\a6\8eV\c4p\a3\d7\d0\fa\bc\d1\06\een\fd-H\da\d5k\a4Rw\fb\81\c3|R}\da\d0\1at\82O\80\f1hE}\f8\08\ce\18W\aa\d2m\94R\b7\ddv\cem\ffF\e6\a8\8a\b3~]b\82F\f8\c9!\d0\d7i\dc\d51\c5\c3,\ffK\9f\aa\cah[i\8dh,4\fe\e6z\1c3\c62\f9!\9f\06\a5\8a\ae\bf\c8\c3\e5\b9\12\1fM\c0\b4&\1f*\9d\a5Y\a5\d7\af\ba|\d6\8fA\\8\83\f0\95g\d9"\84R\da\f9\d9\9f\e8\96\b73\7fp\ee\0e_+0HeKO\19\afK=\df\94\cd\0b6\r\b02\1da\95m\b9[w\cb=(\r9\9a\dbp\c42\a1$Z\db\14\0c\89\e1f+\bb9(\e8yQB>\d0\cclfs5:Y|\ba\02\a4!\b6\ab\1a\bf\f5IK\c2\e9\06]\ec?\ad\05\af\84\e9O\93\f1\c5\b2]\16p4Z\cc9\a5B\c3N\bab\02cF\eaHD\f7\cf\d7?\c0\02.\92\8c|0\de^\af\06_h\b7o\c7\f5O'\9f\80Z\87N\d1\10\90\1a\18\0f% \8f\1d\c5:\89\85>h\17-S\d3\8c7\9dR\9a\b8LLg\a3\f8\d4\87\16\dd\00\8e\88\a4\a1iX\93c\b7\c7\18\cc\87\df\a6\e73\ef\c4\a2\c2\a0\0fG\d1\1c\d7H\d8\8c\cbH\a2<\c4kp\f3\ed\b0\11\9c\0f;\dc\7f\bcu\16]\eaD|Q\0f\b8\t\81\08).vOw\c8\dd\9f\a3\bb4/\aep\81\cfI\04\a4\e2S\83}*\fe\83\80\11\b3@\8e\e7\e2(\c6b\95p\1e\8d\dd\c1W\df4S\9c\ab\02\d5\b3\8fg\c8\0c\ee\ebp\99\e7\98\af\e1x}\8d=\e3\e9\e7\81\94\8a\1e\11S\f9\fe'\d2d\rY\b7j6M\ce#,\b3\0f\b0\t\19ZL\b7X\b5\12\c6\ea5]\b0\02\adU\dd\a02\a0\c5\94\aa/\e8\0e/p\e2>\efE\ccO:\c4a\a9\ee\cfC\d4\b0\aeTc-\84YDl\e2w\c9\e0w\b9\1c^\93(\1b\db\f5\0f\a4\ea\af\89t-ADL\a67\95SS\0f\b4\99&\b7{\ba\ce\\L\f4\85\c4\1c\fb[\1c\93\e8\19qv8\a2\8b\n\bd\163X\cb\00/\bc\ee8\8bv\b2\14\ed\b3:5\f8\1e\84M\a6C\85k\19\ec\d04,Q\e5\15Ct\1c\0b;\d5\01(\deR\a3\fa\ef5B\a9\a3tJ\b6\b3\87sQ\83\16\92\e9\da [)\1b0R\t\ad^y\e2\bd\e5R\bbx\b9;\1e\10\n\fd*zQ\df\e9\d8\c7\19\14\ac\c1\9f4\fcnq\19\98\e7[~\d1(i\d1\9c&kN\f2\c5k5\cf0Vl\85\c5j\t\dd\03(\11\04\nG\bf\82\a2\8b\88\c1#\ff88\cbp\ce>#\ce\c2\b4\0e\87\c8\9b\13{\82g(*\14\ca\ffl0\cb\d1x\b8(\dd\d3\90\ee\ad\e5\f9\04\16

    • Raw bytes (example only because data is random - probably encrypted):

      6141A883524CA402C37D1D2098B4F02045C48695E29ED7D7A911A60099FA2D50DEA9EEE6F6C8DE5EDF347306D910D0B36920AD69915A88A4B8F564BA9AEE622171A074C0E17A12D7BE017F89584CA0F3528D34CF00D5870FC4FFE10943AC40EEF415E65276A785CB6262B424A3BCC61656732567926C1BEF23C1825ABDBED481AEB4CD0658C0812F54BF8B8C0178816639666C2DDEF0541DD9FA2247E5CE6A821FB1821717F0EA0B15F6014D529565F433C1E32CC004376458DD998B88E0B2EA247E9685E96B8690621122BFB7587C5419D534AE1AF94B9094C620321EF26DDADBEA005192C906563663589193B4E1E93F28F325871D6346737FBC1801E9E03B35B34862395F95C9D2BDAEE5E45345492FBBF30C09C07DAFACC94AC5BD4E55F5F8ACBB87D4A9C62AF521E255BB3DC7AA612EB99CA46654D2B9C6A5BA8CC15D1F09250AC6D1A1AE682DD7DADDF4D5BCCF22EA3D342E4F51B691C7234A14A93832577D01CA275A34DFCE2258CF98F4B22FC869B5387359247260C88DD792B72D6AD82A7CA45842FB56032DD8F0349A2BB8BCD1EDE0864C8F4103AAD0842BD17350DCD7703D2ACB2C61D02D7F1C6D250FF33CFEEC2E0D762E16F60A0D5BAA1764F2F8705BF068A29FD4523DFE8B013C485F8E7B3DF1FFF62440277B24320E4B1E258A363426EA092988B0572BABCAD14703DC06E0036B19C20B5DA700276222AB76D17CB0ACCD7313A68E56C470A3D7D0FABCD106EE6EFD2D48DAD56BA45277FB81C37C527DDAD01A6074824F80F168457DF808CE1857AAD26D9452B7DD76CE6DFF46E6A88AB37E5D628246F8C921D0D769DCD531C5C32CFF4B9FAACA685B698D682C34FEE67A1C33C632F9219F06A58AAEBFC8C3E5B9121F4DC0B4261F2A9DA559A5D7AFBA7CD68F415C3883F09567D9228452DAF9D99FE896B7337F70EE0E5F2B3048654B4F19AF4B3DDF94CD0B360DB0321D61956DB95B77CB3D280D399ADB70C432A1245ADB140C89E1662BBB3928E87951423ED0CC6C606673353A597CBA02A421B6AB1ABFF5494BC2E9065DEC3FAD05AF84E94F93F1C5B25D1670345ACC39A542C34EBA62026346EA4844F7CFD73FC0022E928C7C30DE5EAF065F68B76FC7F54F279F805A874ED110901A180F25208F1DC53A89853E68172D53D38C379D529AB84C4C67A3F8D48716DD008E88A4A169589363B7C718CC87DFA6E733EFC4A2C2A00F47D11CD748D88CCB48A23CC46B70F3EDB0119C0F3BDC7FBC75165DEA447C510FB8098108292E764F77C8DD9FA3BB342FAE7081CF4904A4E253837D2AFE838011B3408EE7E228C66295701E8DDDC157DF34539CAB02D5B38F67C80CEEEB7099E798AFE1787D8D3DE3E9E781948A1E1153F9FE27D2640D59B76A364DCE232CB30FB009195A4CB758B512C6EA355DB002AD55DDA032A0C594AA2FE80E2F70E23EEF45CC4F3AC461A9EECF43D4B0AE54632D8459446CE277C9E077B91C5E93281BDBF50FA4EAAF89742D41444CA6379553530FB49926B77BBACE5C4CF485C41CFB5B1C93E819717638A28B0ABD163358CB002FBCEE388B76B214EDB33A35F81E844DA643856B19ECD0342C51E51543741C600B3BD50128DE52A3FAEF3542A9A3744AB6B3877351831692E9DA205B291B305209AD5E79E2BDE552BB78B93B1E100AFD2A7A51DFE9D8C71914ACC19F34FC6E711998E75B7ED12869D19C266B4EF2C56B35CF30566C85C56A09DD032811040A47BF82A28B88C123FF3838CB70CE3E23CEC2B40E87C89B137B8267282A14CAFF6C30CBD178B828DDD390EEADE5F90416

Documentation

Mitigations

  • Attempt to get in contact with powerhouse to patch this intended or unintentional port leak.
  • Block ranges associated with Powerhouse AS if under attack by this method, 128.90.0.0/16 is the most egregious reflector range.
  • Block srcport 20811 as it is not assigned with IANA.