
Linux botnet launched a 150Gbps DDoS attack

A piece of malware has launched a DDoS attack peaking at 150Gbps, far above the size of an average DDoS attack today. It is not the largest DDoS attack on record, but the important point is that the botnet behind it was built from poorly configured Linux systems.

According to researchers at the security company Akamai, the malware behind the botnet is known as XOR DDoS. Attackers install it on Linux systems, including embedded devices such as Wi-Fi routers and network-attached storage devices, after guessing SSH (Secure Shell) login credentials by brute force.

"In short: Xor.DDoS is a multi-platform, polymorphic malware for Linux OS, and its ultimate goal is to DDoS other machines," Blaze’s Security Blog says of the botnet. "The name Xor.DDoS stems from the heavy usage of XOR encryption in both malware and network communication to the C&Cs (command and control servers)."

Once a credential is guessed, the attackers use it to log into the system and download the malicious code. More than 20 targets are attacked by the botnet every day, with 90 per cent of them located in Asia. The most frequent targets are in the online sector, followed by educational institutions.
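The two steps described above, a burst of failed SSH password guesses followed by a successful password login from the same source, leave a recognisable trace in the SSH daemon's log, and the login only succeeds because password authentication is enabled in the first place. The following is an added example, not code from the article, Akamai or the XOR DDoS analysis: it parses constructed OpenSSH `auth.log` lines, flags sources that fail repeatedly inside a short window, reports any password login from a flagged source, and audits an `sshd_config` text for password logins (a weak and a hardened fragment are included). The log lines, IP addresses, thresholds and config fragments are all assumptions made for the example.

```python
"""Added example (not from the article or Akamai): detect the SSH brute-force
then password-login pattern in constructed auth.log lines, and audit an
sshd_config for password authentication. All inputs below are constructed."""
import re
from collections import defaultdict
from datetime import datetime

# Constructed sample of /var/log/auth.log lines in OpenSSH syslog format.
# Syslog omits the year, so the parser is told to assume one.
SAMPLE_AUTH_LOG = """\
Sep 29 10:15:01 nas sshd[2101]: Failed password for root from 203.0.113.7 port 40122 ssh2
Sep 29 10:15:02 nas sshd[2103]: Failed password for root from 203.0.113.7 port 40123 ssh2
Sep 29 10:15:02 nas sshd[2105]: Failed password for invalid user admin from 203.0.113.7 port 40124 ssh2
Sep 29 10:15:03 nas sshd[2107]: Failed password for root from 203.0.113.7 port 40125 ssh2
Sep 29 10:15:04 nas sshd[2109]: Failed password for root from 203.0.113.7 port 40126 ssh2
Sep 29 10:15:05 nas sshd[2111]: Accepted password for root from 203.0.113.7 port 40127 ssh2
Sep 29 10:20:11 nas sshd[2150]: Failed password for alice from 198.51.100.9 port 51000 ssh2
Sep 29 10:20:40 nas sshd[2152]: Accepted publickey for alice from 198.51.100.9 port 51001 ssh2
"""

# Matches both "Failed password for root from ..." and
# "Failed password for invalid user admin from ..." style lines.
LINE_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d{1,2} \d{2}:\d{2}:\d{2}) \S+ sshd\[\d+\]: "
    r"(?P<result>Accepted|Failed) (?P<method>\w+) for (?:invalid user )?(?P<user>\S+) "
    r"from (?P<ip>\S+) port \d+"
)


def parse_auth_log(text, year=2015):
    """Return a list of (timestamp, result, method, user, ip) tuples."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # unrelated sshd/syslog line
        ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
        events.append((ts, m["result"], m["method"], m["user"], m["ip"]))
    return events


def detect_bruteforce(events, threshold=4, window_seconds=60):
    """Map source IP -> total failures for any source that produced at least
    `threshold` failed logins inside a sliding window of `window_seconds`."""
    failures = defaultdict(list)
    for ts, result, _method, _user, ip in events:
        if result == "Failed":
            failures[ip].append(ts)
    flagged = {}
    for ip, times in failures.items():
        times.sort()
        start = 0
        for end in range(len(times)):
            while (times[end] - times[start]).total_seconds() > window_seconds:
                start += 1
            if end - start + 1 >= threshold:
                flagged[ip] = len(times)
                break
    return flagged


def detect_compromise(events, flagged):
    """Password logins from a flagged source: the moment the guessed credential
    is used, and the point at which a payload download would follow."""
    return [
        (ip, user, ts.isoformat())
        for ts, result, method, user, ip in events
        if result == "Accepted" and method == "password" and ip in flagged
    ]


# Constructed sshd_config fragments: the weak setting beside the corrected one.
WEAK_SSHD_CONFIG = """\
Port 22
PermitRootLogin yes
PasswordAuthentication yes
"""

HARDENED_SSHD_CONFIG = """\
Port 22
PermitRootLogin prohibit-password
PasswordAuthentication no
ChallengeResponseAuthentication no
PubkeyAuthentication yes
"""


def password_auth_enabled(sshd_config):
    """sshd uses the first value given for a keyword, and the default is yes.
    Directives after a Match line are conditional, so the scan stops there."""
    for raw in sshd_config.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        parts = line.split(None, 1)
        key = parts[0].lower()
        if key == "match":
            break
        if key == "passwordauthentication" and len(parts) == 2:
            return parts[1].strip().lower() == "yes"
    return True


if __name__ == "__main__":
    evs = parse_auth_log(SAMPLE_AUTH_LOG)
    flagged_ips = detect_bruteforce(evs)
    print("brute-force sources:", flagged_ips)
    print("password logins from them:", detect_compromise(evs, flagged_ips))
    print("weak config allows passwords:", password_auth_enabled(WEAK_SSHD_CONFIG))
    print("hardened config allows passwords:", password_auth_enabled(HARDENED_SSHD_CONFIG))
```

The detector deliberately keys on a successful password login after a burst of failures rather than on failures alone: a single failed login from a legitimate user (alice above) is noise, while a password login from a source that has just been guessing is the event that, in the campaign described here, precedes the download of the bot. The config check reflects how sshd reads its file (first value wins, default yes), so a `PasswordAuthentication no` placed after an earlier `yes` would still leave password logins enabled.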

"A decade ago, Linux was seen as the more secure alternative to Windows environments, which suffered the lion’s share of attacks at the time, and companies increasingly adopted Linux as part of their security-hardening efforts," the Akamai team said. "As the number of Linux environments has grown, the potential opportunity and rewards for criminals have also grown. Attackers will continue to evolve their tactics and tools and security professionals should continue to harden their Linux-based systems accordingly."