Should We Worry That Hola Is Being Used For DDOS Attacks?

Should We Worry That Hola Is Being Used For DDOS Attacks?

The Hola VPN's secure, anonymous browsing platform can be used for countless privacy breaches - but are peer-to-peer networks truly to blame?

Between all the web security breaches and NSA data-collecting happening these days, it's no wonder some users have turned to services like Hola or Tor. These clients were designed around anonymity and security, redirecting web traffic to conceal the location and IP addresses of users while protecting confidential information. That didn't sound bad for the privacy-minded, at least until Hola was confirmed as the source of a DDOS attack on 8chan. This was followed by a report by the research group Adios, which outlined several security flaws within Hola that allowed its users initiate DDOS attacks. The report - which was promoted across 8chan - called for its users to uninstall the service since it posed too great a risk.

Okay. Let's break this down a bit.

First of all, we need to look at how Hola operates. The key issues revolve around Hola's peer-to-peer network. Once you're connected to Hola, the client routes all internet traffic through the IP addresses of other users before it reaches your local device. This process helps you maintain anonymity (since no one online sees your actual IP address) while accessing geographically region-locked websites (if there are IP addresses within the region).

From there, we can look at Hola's security concerns - and in fairness there are several. Adios' report correctly outlines that Hola's code allows for remote code execution and client-enabled tracking, something a secure VPN shouldn't allow. What's more, Hola's service was actually used to initiate a DDOS attack: The company sells network access through its Luminati offshoot, giving anyone access to an "almost unlimited number of real IPs" that can be used for DDOS and sending spam emails. These are issues that must be corrected - and in fact, Hola recently updated its client to address many of the stated problems.

But the report goes a step further by saying Hola's entire peer-to-peer network poses a major security risk - and uses child pornography to make its point. In its most dramatic example of why Hola is terrible, Adios states that if someone downloads child pornography through the client, your unaffiliated IP address might be the one which routes it. So while you're using Hola to support a "secure" internet, the police might instead show up at your door with some very telling questions about your browsing habits.

To be clear, these are all valid concerns - even the child pornography example, which could be cleared up easily with a standard computer search. (Nobody wants to be falsely accused of downloading child porn while police tear through their personal data.) But blame peer-to-peer networks on principle? Hola isn't risky because it's P2P; it's risky because it's not secure - and to be honest, that probably wasn't intentional on Hola's part.

It's worth remembering that in 2015, we use P2P networks all the freaking time. Do you play World of Warcraft? That download client routes your update through public IP addresses. Do you make calls on Skype? It uses a similar system to manage your calls. These aren't the days where questionable file-sharing applications like Kazaa come bundled with malware - everyone from Spotify to the US Department of Defense dabbles in peer-to-peer.

To be clear, there are absolutely legitimate concerns when securing P2P networks. But let's not act like Hola is alone with that problem - it's just the client that happens to have bigger security holes than most.

Source: Ars Technica


Well from the report it looks like thats one VPN i wont be used due to its security flaws. As far as using things for DDoS goes, Hola should find who is doing that and deny them access to their service (lets be honest here, noones going to catch these guys and noones going to put them in prison).

If somone downloads child pornography using this its on them. They are violating the law, not Hola. If i were to upload a child porn picture as an avatar i would be the criminal, not the escapist. same principle here.

This would be the ideal time for someone to make a new one, seeing as Hola was the only free client that I know of. People I know mostly used it for watching stuff that was requiring you to live in certain areas and now that method is gone.

Well, OK. Exploiting it's flaws is one thing that needs to be addressed.

However, it's in the nature of a service that allows you to act anonymously online that sooner or later it's probably going to draw people with dubious intentions.
That's not preventable, because the reason those people are drawn to using such a service is the very thing that makes anyone want to use it.

The promise of being difficult to identify or track down.

Of course, that aside, if there are flaws or problems with the service that make it possible to do other bad things as a side effect, then that's a different kind of problem, and probably should be dealt with...

Just a note, client no longer uses P2P. They phased it out.


Reply to Thread

Log in or Register to Comment
Have an account? Login below:
With Facebook:Login With Facebook
Not registered? To sign up for an account with The Escapist:
Register With Facebook
Register With Facebook
Register for a free account here