An anonymous message board was the alleged target of several denial of service (DoS) attacks launched by the free VPN service Hola earlier this week.
Israeli-based Hola is one of the most popular free virtual private network (VPN) providers today. It boasts seven million users of its Chrome extension alone.
However, according to Frederick Brennan, operator of the 8chan message board, a design flaw that allows subscribers to use the VPN freely makes Hola a viable launchpad for DoS attacks.
“When a user installs Hola, he becomes a VPN endpoint, and other users of the Hola network may exit through his internet connection and take on his IP,” Brennan explains in a statement posted on 8chan. “This is what makes it free: Hola does not pay for the bandwidth that its VPN uses at all”
Hola stands in contrast to other VPN services, many of which use their own servers spread around the world to channel users’ Internet connections, and the anonymizing service Tor, which unlike Hola requires that users opt in to be exit nodes in the expectation that they will be channeling unwanted web traffic.
Brennan goes on to explain that the owners of Hola, having realized “that they basically have a 9 million IP strong botnet on their hands,” have begun to sell access to the botnet at https://luminati.io, Hola’s Luminati brand.
Apparently, one of these alleged customers used Hola to launch a DoS attack against 8chan.
“An attacker used the Luminati network to send thousands of legitimate-looking POST requests to 8chan’s post.php in 30 seconds, representing a 100x spike over peak traffic and crashing PHP-FPM,” reports Brennan.
Hola founder Ofer Vilenski has confirmed that the VPN sells its users’ bandwidth commercially and that Hola was used to attack 8chan.
Vilenski has also stated that his company will release the name of the member who used Hola against 8chan in the event that the latter is able to obtain a court order for release of information regarding this week’s attack.