Linux botnets are on the rise

A new report from Kaspersky Lab on botnet-assisted DDoS attacks shows a steady growth in their numbers the second quarter of this year.

SYN DDoS, TCP DDoS and HTTP DDoS remained the most common attack scenarios, but the proportion of attacks using the SYN DDoS method increased 1.4 times compared to the previous quarter and accounted for 76 per cent.

This is due to the fact that the share of attacks from Linux botnets almost doubled (to 70 per cent) - and Linux bots are the most effective tool for SYN-DDoS. This is the first time that Kaspersky DDoS Intelligence has registered such an imbalance between the activities of Linux- and Windows-based DDoS bots.

"Linux servers often contain common vulnerabilities but no protection from a reliable security solution, making them prone to bot infections", says Oleg Kupreev, lead malware analyst at Kaspersky Lab. "These factors make them a convenient tool for botnet owners. Attacks carried out by Linux-based bots are simple but effective; they can last for weeks, while the owner of the server has no idea it is the source of an attack. Moreover, by using a single server, cybercriminals can carry out an attack equal in strength to hundreds of individual computers. That's why companies need to be prepared in advance for such a scenario, ensuring reliable protection against DDoS attacks of any complexity and duration".

Among the report's other findings are that the number of attacks on resources located on Chinese servers grew considerably, while Brazil, Italy and Israel all appeared among the leading countries hosting Command and Control (C&C) servers.

DDoS attacks affected resources in 70 countries over the report period, with targets in China suffering the most (77 per cent of all attacks). Germany and Canada both dropped out of the top 10 rating of most targeted countries, to be replaced by France and the Netherlands.

South Korea remains the clear leader in terms of the number of C&C servers located on its territory, with its share amounting to 70 per cent. This top 10 ranking also included Brazil, Italy and Israel as the amount of active C&C servers hosted in these countries nearly tripled.

The report also identifies an increase in the duration of DDoS attacks. While the proportion of attacks that lasted up to four hours fell from 68 per cent in Q1 to 60 percent in Q2, the proportion of longer attacks grew considerably - those lasting 20-49 hours accounted for nine per cent (four per cent in Q1) and those lasting 50-99 hours accounted for four per cent (one per cent in Q1).

The longest DDoS attack in Q2 2016 lasted 291 hours (12 days), a significant increase on the Q1 maximum of eight days. You can find out more in the full report which is available on the Kaspersky Securelist website.

Photo credit: Gunnar Assmy / Shutterstock