NordVPN is not running a botnet

The popular internet privacy service NordVPN published a blog post earlier this week denying allegations that they are harvesting user data and operating a botnet through their VPN client. Nord invited their users to see for themselves that there’s no validity to the charge by using Wireshark, so I took them up on it. Here’s how you can do the same.

The legal filing against Tesonet

Apparently a recent lawsuit kicked off Nord’s campaign to defend themselves from their online accusers. The suit, which was filed in Texas court against Nord’s partner Tesonet, alleges that NordVPN ripped off a competitor’s technology and used it to build a botnet that would force Nord users to act as exit nodes.

Correction: An earlier version of this article incorrectly stated Hola’s lawsuit was against NordVPN. The lawsuit was filed against Tesonet, a partner of NordVPN.

The company that Tesonet allegedly stole from is none other than Hola, who made news in 2015 after it was shown that the formerly-popular free VPN provider had an insecure backdoor in their VPN client, among many other things. This is significant, because Hola’s fall from grace was major news at the time, and if Nord were doing the same thing it would seriously tarnish their credibility.

So I fired up Wireshark and discovered that Nord is absolutely not engaged in building any sort of botnet, and clearly is not doing what Hola did and continues to do.

Checking for a Hola-style malware botnet

In order to come to that conclusion, I connected to the NordVPN client and started Wireshark. I set Wireshark to capture traffic on the encrypted connection that Nord creates when it’s installed.

Nord BotNet Test

I let the session run for five minutes with Chrome closed to ensure that any traffic being generated was coming from a system service and not my own browsing. You can see from the capture that my private IP address is in the 10.8.8.0 subnet, which is what Nord’s clients use.

Over the course of those five minutes, Plex media server, which I have installed and running, exchanged a message back and forth with the plex.tv backend.

I also tested the current version of Hola, so I could see for myself if the traffic matched up with the allegations in the lawsuit. I ran the capture in exactly the same way, five minutes with my browser closed.

Hola BOTNET Test

A minute or so after the installation was complete, Hola started sending requests from my computer to the web. It mostly hit advertising servers, which makes me wonder whether or not Hola’s paying customers—the ones with access to free VPN users’ bandwidth—may be using Hola to inflate their own ad revenue.

Regardless, you can see the difference. In my opinion, there is absolutely no way that NordVPN is running a botnet using Hola’s intellectual property.

Does that really mean they aren’t spying on you?

Some other VPN providers have been accused of sniffing their users’ secure connections and providing the information to law enforcement. No allegations of monitoring connections in this way have been leveled against Nord, but I was already checking things out so I decided to see for myself.

Checking for promiscuous mode with NMap

NMap ships with a script called sniffer-detect that sends malformed ARP packets to a host, then reports whether or not these packets were rejected.

A network adapter running in promiscuous mode will behave oddly in some circumstances, saving packets that would otherwise be rejected, because the driver is instructing the network adapter to pass all traffic along to the CPU for logging.NMAP host Script ResultsI ran sniffer-detect on the NordVPN server I was connected to and could find no evidence that Nord has promiscuous mode enabled.

Note that I used a custom version of the script which I changed to make it display results even if the host isn’t running in promiscuous mode. In the original version, secure hosts display no results.

NordVPN doesn’t seem to be collecting user data

Based on my testing, I don’t see any evidence that NordVPN is harvesting user data or running a botnet. The lawsuit seems to me to be baseless, and part of a broader smear campaign against NordVPN.

I reached out to Nord for comment and asked them about the recent allegations. Here’s what I was told:

“Hola VPN used their clients as an exit nodes to perform a web scraping. That means that users’ devices were used as proxies to send requests to the desired websites. Such behaviour can easily be checked and verified, all requests made by our apps are required for the service to properly operate, that’s it. NordVPN users have never been abused in any way, their traffic was never logged at any point of their connection.”

I also pushed them for clarification as to what ‘no logging’ really means, and Nord’s spokesman told me, “We do not log any traffic nor connection logs at any point, nor app, nor server level, nor anywhere in between. We don’t even troubleshoot our servers if something happens. If we’re noticing that any of our supported protocols aren’t working as they should, we immediately remove a server from production and only then investigating the issue.” [sic]

In my opinion, NordVPN is completely safe to use. But if you’re on the fence, install Wireshark and see for yourself. When you look at NordVPN and Hola side-by-side, the difference is clear.

Disclosure: NordVPN is an affiliate of Comparitech. Read more.