The VPN service Hola, which claims to have more than 9.7 million users, is now selling its access to users' machines as exit-nodes under the Luminati brand.
Described as "the world's largest VPN network", Hola's Luminati brand is advertised as being simple and effective to use: "Route your HTTP, HTTPS or TLS requests to any one of our 'Super Proxies', and they will route the requests through our millions of end nodes."
Users of Hola route their traffic through each other's devices, which frees the company from those tricky bandwidth expenses.
Those "end nodes" are idling user devices which have Hola's "free" VPN browser extension or app on them, in another example of users being the product rather than the customer.
As the software only routes traffic through users' devices when those devices are idling, the interruption to the user is minimised.
This, along with the company's less-than-forthcoming approach to explaining how its VPN works, means many of its users do not realise that their own machines are the network's exit nodes.
Now, following the launch of the Luminati service, access to these users' devices is being sold outside that user base to businesses, and weak vetting of those purchasers has allowed at least one malicious party to use those users' machines for an attack.
This was flagged up by Frederick Brennan, founder of 8chan, "a free-to-use board that allows posters to post completely anonymously [where] only content illegal in the USA is deleted", following a spam attack on the site. (Readers should note the site is definitely NSFW beyond the linked page)
Brennan explained to El Reg:
Starting on the 23rd of May, and climaxing on the 25th of May, 8ch.net was slammed with posts from IP ranges normally assumed to be clean – that is, those originating from residential networks and university networks.
The posts were all legitimate-seeming, and due to being from all different IPs 8ch.net's algorithms did not detect an attack and attempted to process all the posts, forcing the web servers to crash.
I had no idea why all these IPs were attacking and assumed someone had rented a botnet just to attack us, but Bui [the attacker] told me in IRC that actually he had signed up for a free trial on luminati.io.
Brennan says it is impossible to tell from the traffic whether or not a given IP has the Hola software behind it:
[There's] no tell-tale open port, no special header from Luminati, and no specific range.
This is a huge issue for 8chan, which allows posters to post completely anonymously and applies extra protections to commonly abused ranges (such as Tor exits and VPN providers) while still allowing posts from them.
The attacker used the Luminati network to send thousands of legitimate-looking POST requests to 8chan's post.php in 30 seconds, roughly 100 times the site's normal peak traffic, crashing PHP-FPM.
8chan posts are – as is standard for image-board culture – often vulgar, abusive and full of highly off-colour lulz. The site's attitude towards free speech, however, doesn't reduce its need for anti-spam and anti-DDoS measures. Brennan explained that in "using regular IPs that are not on any DNSBLs (DNS blacklists), the Hola network subverted all of our safeguards".
Brennan managed to implement a CAPTCHA as an emergency provision for his site, but this would not prevent attacks on other forums whose safeguards have likewise been subverted by the IP-masking network.
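The detection gap Brennan describes, as an added example that is not 8chan's code, Hola's, or The Register's: a per-IP rate limit and a blocklist lookup (standing in for the DNSBL checks) both pass a flood in which every request arrives once from a distinct, previously clean address, yet a sliding-window count of POSTs to the posting endpoint, combined with the share of distinct source IPs inside that window, still exposes the spike and can flip the emergency CAPTCHA mode. The log format, thresholds, RFC 5737 documentation addresses and sample log lines are all constructed assumptions for illustration.

```python
"""Aggregate-rate detection of a distributed posting flood.

Added example, not 8chan's code. Models the failure described above: per-IP
limiting and a blocklist pass every request, while the total POST rate to one
endpoint is far above baseline. All data and thresholds are constructed.
"""
import ipaddress
import re
from collections import defaultdict
from datetime import datetime, timedelta, timezone

TS_FORMAT = "%d/%b/%Y:%H:%M:%S %z"
LOG_LINE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) \S+'
)
# Hypothetical blocklist of ranges a DNSBL would normally flag (Tor exits,
# datacentre VPNs). The flood below does not come from any of them.
BLOCKED_RANGES = [ipaddress.ip_network("198.51.100.0/24")]


def parse_line(line):
    """Parse one combined-log line into (ip, datetime, method, path), or None."""
    m = LOG_LINE.match(line)
    if not m:
        return None
    return m["ip"], datetime.strptime(m["ts"], TS_FORMAT), m["method"], m["path"]


def build_sample_log():
    """Constructed log: light normal traffic, then 60 POSTs in 30 seconds,
    each from a different clean address (two per second, like a proxy fan-out)."""
    base = datetime(2015, 5, 25, 12, 0, 0, tzinfo=timezone.utc)

    def fmt(ip, offset, method, path):
        ts = (base + timedelta(seconds=offset)).strftime(TS_FORMAT)
        return f'{ip} - - [{ts}] "{method} {path} HTTP/1.1" 200 512'

    lines, regulars = [], ["203.0.113.10", "203.0.113.11", "203.0.113.12"]
    for i in range(8):  # regular posters: one post every 8 s, plus a page view
        lines.append(fmt(regulars[i % 3], 8 * i, "POST", "/post.php"))
        lines.append(fmt(regulars[i % 3], 8 * i + 1, "GET", "/b/"))
    for i in range(60):  # the flood, starting 120 s into the log
        lines.append(fmt(f"192.0.2.{i + 1}", 120 + i // 2, "POST", "/post.php"))
    return lines


def blocklisted(events):
    """Stand-in for a DNSBL check: source IPs that fall in a blocked range."""
    return {ip for ip, _, _, _ in events
            if any(ipaddress.ip_address(ip) in net for net in BLOCKED_RANGES)}


def per_ip_offenders(events, limit, window_s):
    """Classic limiter: IPs with more than `limit` POSTs inside any window."""
    by_ip = defaultdict(list)
    for ip, ts, method, _ in events:
        if method == "POST":
            by_ip[ip].append(ts)
    offenders = set()
    for ip, times in by_ip.items():
        times.sort()
        start = 0
        for end in range(len(times)):
            while (times[end] - times[start]).total_seconds() > window_s:
                start += 1
            if end - start + 1 > limit:
                offenders.add(ip)
                break
    return offenders


def peak_window(events, path, window_s):
    """Busiest sliding window of POSTs to `path`: (count, distinct_ips)."""
    times = sorted((ts, ip) for ip, ts, m, p in events if m == "POST" and p == path)
    best, start = (0, 0), 0
    for end in range(len(times)):
        while (times[end][0] - times[start][0]).total_seconds() > window_s:
            start += 1
        count = end - start + 1
        if count > best[0]:
            best = (count, len({ip for _, ip in times[start:end + 1]}))
    return best


def assess(lines, path="/post.php", window_s=30, baseline=5, factor=10,
           per_ip_limit=5, unique_ratio=0.9):
    """Combine the views. `captcha_mode` is the emergency switch: aggregate rate
    far above baseline AND nearly every request from a different IP, a pattern
    that per-IP limiting and blocklists cannot express."""
    events = [e for e in map(parse_line, lines) if e]
    count, unique = peak_window(events, path, window_s)
    return {
        "blocklist_hits": blocklisted(events),
        "per_ip_offenders": per_ip_offenders(events, per_ip_limit, window_s),
        "peak_posts": count,
        "peak_distinct_ips": unique,
        "captcha_mode": count > factor * baseline and unique >= unique_ratio * count,
    }


if __name__ == "__main__":
    print(assess(build_sample_log()))
```

On the constructed log the blocklist and per-IP limiter both return empty sets, while the peak 30-second window holds 60 POSTs from 60 distinct addresses, so `captcha_mode` is raised. The distinct-IP ratio is the useful signal: a single abusive poster trips the per-IP limiter long before the aggregate threshold, so only a fan-out across many sources reaches this branch.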
Ofer Vilenski, the founder of Hola, admitted to The Register that his service was used to attack 8chan.
"In such a case, our VPN network was the infrastructure that he used, and was one of many possibilities he had for an infrastructure," said Vilenski. "We screen users of our commercial network (Luminati) prior to them using it, and in this case [the hacker] got through our screening process, which we have adjusted following this case."