Attackers have built a botnet capable of distributed denial of service (DDoS) attack campaigns exceeding 150 gigabits per second (Gbps) using XOR DDoS, a Trojan that hijacks Linux systems.
According to an advisory from Akamai’s Security Intelligence Response Team (SIRT), 90% of the DDoS attacks from the XOR DDoS botnet are targeted at organizations in Asia—and it launches more than 20 attacks per day.
XOR DDoS is a Trojan that infects Linux systems and makes them launch DDoS attacks on demand from a remote attacker. Attackers first gain access by brute-forcing the password of the Secure Shell (SSH) service on a Linux host. Once logged in, they use root privileges to run a Bash shell script that downloads and executes the malicious binary.
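The intrusion chain above (repeated SSH password failures from one source followed by a successful password login) leaves a recognizable trace in sshd logs. The following detector is an added example written for this page, not code from Akamai's report or from the malware; the auth.log lines, hostnames, IP addresses and the failure threshold are constructed for illustration.

```python
import re
from collections import defaultdict

# Constructed sample auth.log excerpt (illustrative only; addresses are from
# RFC 5737 documentation ranges, not real infected hosts).
SAMPLE_AUTH_LOG = """\
Sep 29 10:01:02 web01 sshd[2201]: Failed password for root from 203.0.113.45 port 51022 ssh2
Sep 29 10:01:03 web01 sshd[2203]: Failed password for root from 203.0.113.45 port 51024 ssh2
Sep 29 10:01:04 web01 sshd[2205]: Failed password for invalid user admin from 203.0.113.45 port 51026 ssh2
Sep 29 10:01:05 web01 sshd[2207]: Failed password for root from 203.0.113.45 port 51028 ssh2
Sep 29 10:01:06 web01 sshd[2209]: Failed password for root from 203.0.113.45 port 51030 ssh2
Sep 29 10:01:08 web01 sshd[2211]: Accepted password for root from 203.0.113.45 port 51032 ssh2
Sep 29 10:02:11 web01 sshd[2290]: Failed password for alice from 198.51.100.7 port 40001 ssh2
Sep 29 10:02:20 web01 sshd[2292]: Accepted publickey for alice from 198.51.100.7 port 40002 ssh2
"""

# Matches the standard OpenSSH "Failed/Accepted <method> for [invalid user] <user> from <ip>" lines.
LINE_RE = re.compile(
    r"sshd\[\d+\]: (?P<result>Failed|Accepted) (?P<method>password|publickey) for "
    r"(?:invalid user )?(?P<user>\S+) from (?P<ip>\d{1,3}(?:\.\d{1,3}){3}) port \d+"
)


def parse_sshd_events(log_text):
    """Yield (result, method, user, ip) for every sshd authentication line."""
    for line in log_text.splitlines():
        m = LINE_RE.search(line)
        if m:
            yield m.group("result"), m.group("method"), m.group("user"), m.group("ip")


def detect_ssh_bruteforce(log_text, threshold=5):
    """Return a list of (alert_type, source_ip, user) tuples.

    - "bruteforce": a source reached `threshold` failed logins (hypothetical threshold).
    - "compromise_suspected": a password login succeeded from a source that had
      already crossed the threshold, i.e. the brute force appears to have worked.
    - "root_password_login": a root password login with no preceding brute force,
      still worth an alert because the article's attack relies on exactly this.
    Key-based logins are not flagged, since brute force targets passwords.
    """
    failures = defaultdict(int)
    alerts = []
    for result, method, user, ip in parse_sshd_events(log_text):
        if result == "Failed":
            failures[ip] += 1
            if failures[ip] == threshold:
                alerts.append(("bruteforce", ip, None))
        elif result == "Accepted" and method == "password":
            if failures[ip] >= threshold:
                alerts.append(("compromise_suspected", ip, user))
            elif user == "root":
                alerts.append(("root_password_login", ip, user))
    return alerts


if __name__ == "__main__":
    for alert in detect_ssh_bruteforce(SAMPLE_AUTH_LOG):
        print(alert)
```

On the sample above the detector raises a `bruteforce` alert for 203.0.113.45 on its fifth failure and a `compromise_suspected` alert when the root password login follows; the single failure and key-based login from 198.51.100.7 produce nothing. Detection is the fallback: the attack described in the article is prevented outright by disabling password authentication in `sshd_config` (`PasswordAuthentication no`) and refusing root password logins (`PermitRootLogin prohibit-password` or `no`).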
“Over the past year, the XOR DDoS botnet has grown and is now capable of being used to launch huge DDoS attacks,” said Stuart Scholly, senior vice president and general manager, Security Business Unit, Akamai. “XOR DDoS is an example of attackers switching focus and building botnets using compromised Linux systems to launch DDoS attacks. This happens much more frequently now than in the past, when Windows machines were the primary targets for DDoS malware.”
Akamai SIRT’s research showed that the bandwidth of DDoS attacks from the XOR DDoS botnet ranged from low, single-digit Gbps to more than 150 Gbps, an extremely large attack size; two of the observed attacks measured nearly 179 Gbps and almost 109 Gbps. Two attack vectors were observed: SYN floods and DNS floods.
The most frequent target was the gaming sector, followed by educational institutions.
“The IP address of the bot is sometimes spoofed, but not always,” explained Akamai, in its report. “The attacks observed in the DDoS campaigns against Akamai customers were a mix of spoofed and non-spoofed attack traffic. Spoofed IP addresses are generated such that they appear to come from the same /24 or /16 address space as the infected host. A spoofing technique where only the third or fourth octet of the IP address is altered is used to prevent ISPs from blocking the spoofed traffic on Unicast Reverse Path Forwarding (uRPF)-protected networks.”
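The evasion Akamai describes works because strict unicast Reverse Path Forwarding only checks that a packet's source address is routable back through the interface it arrived on; a forged address in the same prefix as the infected host passes that check as easily as the real one. The simulation below is an added example written for this page, not code from Akamai's report. The router model (one customer interface with a single /16 assignment), the infected host address and the sample sizes are all constructed assumptions.

```python
import ipaddress
import random

# Constructed scenario: the infected bot sits behind a customer-facing router
# interface through which the ISP routes the customer's /16 (hypothetical).
INFECTED_HOST = ipaddress.IPv4Address("203.0.113.77")
INTERFACE_PREFIXES = [ipaddress.IPv4Network("203.0.0.0/16")]


def strict_urpf_accepts(src, interface_prefixes):
    """Strict uRPF, modeled as prefix membership: a packet is forwarded only if
    the best route to its source address points back out the ingress interface."""
    return any(src in prefix for prefix in interface_prefixes)


def spoof_same_prefix(host, prefix_len, rng):
    """Spoofing technique from the report: keep the high-order bits of the real
    address and randomize only the host bits, so with prefix_len=24 only the
    fourth octet changes and with prefix_len=16 the third and fourth do."""
    net = ipaddress.IPv4Network((host, prefix_len), strict=False)
    return net[rng.randrange(net.num_addresses)]


def spoof_random(rng):
    """Naive spoofing: a uniformly random 32-bit source address."""
    return ipaddress.IPv4Address(rng.getrandbits(32))


def acceptance_rate(spoofer, n, interface_prefixes):
    """Fraction of n spoofed packets that survive strict uRPF at the edge."""
    return sum(strict_urpf_accepts(spoofer(), interface_prefixes) for _ in range(n)) / n


def compare_spoofing(n=10000, seed=1):
    """Acceptance rates for same-/24, same-/16 and random spoofing (deterministic seed)."""
    rng = random.Random(seed)
    return {
        "same_24": acceptance_rate(lambda: spoof_same_prefix(INFECTED_HOST, 24, rng), n, INTERFACE_PREFIXES),
        "same_16": acceptance_rate(lambda: spoof_same_prefix(INFECTED_HOST, 16, rng), n, INTERFACE_PREFIXES),
        "random": acceptance_rate(lambda: spoof_random(rng), n, INTERFACE_PREFIXES),
    }


if __name__ == "__main__":
    for name, rate in compare_spoofing().items():
        print(f"{name:8s} uRPF acceptance rate: {rate:.4f}")
```

Every same-/24 and same-/16 spoof is accepted, while random spoofing is dropped almost entirely (a random address lands in the routed /16 with probability 65536/2^32). The practical consequence for defenders is that uRPF at the ISP edge cannot tell these forged sources from legitimate ones; catching them requires source-address validation at a point that knows the exact addresses assigned to each host, such as the access layer, or recognizing on the victim side that a flood from one /16 is not the same as a flood from thousands of unrelated networks.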