Linux-operated botnet Distributed Denial of Service attacks surged in this year’s second quarter, due to growing interest in targeting Chinese servers, according to a Kaspersky Lab report released this week.
South Korea kept its top ranking for having the most command-and-control servers. Brazil, Italy and Israel ranked among the leaders behind South Korea for hosting C&C servers, according to Kaspersky Lab.
DDoS attacks affected resources in 70 countries, with targets in China absorbing 77 percent of all attacks. Germany and Canada dropped out of the top 10 most-targeted countries, replaced by France and the Netherlands.
The Linux server is the go-to platform for orchestrating DDoS attacks because of its latent vulnerabilities, said Charles King, principal analyst at Pund-IT. A common problem is that they are not protected by reliable security solutions.
“That makes them prime targets for hackers, especially those that leverage C&C servers to centrally manage and carry out DDoS attacks,” he told LinuxInsider. “Deploying leading security solutions, as well as utilizing and updating established Linux distros, can go a long way to protecting against these issues.”
Hardware to Protect
All devices are vulnerable — servers and desktops running any flavor of Linux, along with switches, routers, ADSL modems, wireless devices and cars.
Internet of Things devices running embedded Linux also are vulnerable, said Oleg Kupreev, lead malware analyst at Kaspersky Lab.
“The main reason is in most cases it is hard to update or reconfigure vulnerable software ASAP — especially on highly loaded, critical servers — or to update outdated software that is not supported by manufacturer devices,” he told LinuxInsider.
Companies that rely on Linux servers must protect them against this growing threat. For Linux servers, it is very important to harden, or tweak, the security of the system, Kupreev said.
It’s important to understand and implement SELinux, keep the software and the kernel up to date, and adopt a strong password policy, he explained.
It appears that nothing much is new about the methods hackers used in their recently stepped-up activities.
“We don’t see any changes in tactics. Brute-forcing passwords, exploiting common vulnerabilities in Web applications, hijacking or sniffing wireless communications — these are old and well-known threats, said Kupreev. “Of course, each year we see some new threats, like remote-controlled cars — but it’s not a trend, it’s just a reality.”
SYN DDoS, TCP DDoS and HTTP DDoS remained the most common attack scenarios in the second quarter, according to Kasperky’s report.
The share of attacks from Linux botnets almost doubled, to 70 percent.
The proportion of attacks using the SYN DDoS method increased 1.4 times, compared with the previous quarter, accounting for 76 percent.
For the first time, there was an imbalance between the activities of Linux-based and Windows-based DDoS bots, based on the report’s findings. Linux bots are the most effective tool for SYN-DDoS.
“Linux is becoming more commonplace and is used in most embedded systems,” noted John McCarty, CISSP and senior security consultant at AsTech Consulting.
“These implementations often are not hardened or patched and upgraded regularly, which has led to these systems being compromised and becoming a part of a botnet,” he told LinuxInsider.
Time Matters Too
The duration of the DDoS attacks has increased, Kaspersky’s report shows. For instance, the proportion of attacks that lasted for up to four hours fell from 68 percent in the first quarter of this year to 60 percent in the second quarter.
The proportion of longer attacks grew considerably. Those lasting 20-49 hours accounted for 9 percent (4 percent in Q1) and those lasting 50-99 hours accounted for 4 percent (1 percent in Q1).
The longest DDoS attack in Q2 2016 lasted 291 hours (12 days), a significant increase from Q1’s longest attack, which was eight days.
Linux can be an extremely secure operating system, according to AsTech’s McCarty. When it is properly configured and locked down, Linux can be hardened to withstand many of the current exploits and attacks.
“However, this reputation can lead to some administrators feeling that these systems are inherently secure and do not need the level of configuration and attention necessary to protect the systems from attack,” he said.
Another factor that encourages hackers to exploit Linux loopholes is the lack of security professionals and security software to maintain systems properly, said Dodi Glenn, vice president of cybersecurity at PC Pitstop.
“These systems usually host services, which can be used to reflect malicious activities,” he told LinuxInsider.
Linux is not inherently insecure, and it has become ubiquitous, observed Weston Henry, website security research analyst at SiteLock.
“The number of cloud servers and devices running Linux/BusyBox online with security as an afterthought may lead to insecure devices and services,” he told LinuxInsider.
Treating the Cause
Companies must ensure they are hiring the right people to maintain the Linux systems, said PC Pitstop’s Glenn, and proactive security is key.
“When securing these systems, create a baseline of the system or a profile of the system, noting its usage of resources in normal operation modes,” he advised.
Organizations using Linux should ensure the systems are patched, securely configured and hardened, so that unnecessary services and applications are not running or even installed on them. It would help to toss in an intrusion prevention system and next-generation firewall as well.
“This will help minimize the overall attack surface of these systems, limiting the ability of a hacker to take over the system and use it within a botnet or for any other purpose,” said McCarty.
DDoS attacks still seem to be about quashing competition — from online gaming and gold farming sites in the past to bitcoin sites now, noted SiteLock’s Henry. The uptick in Linux botnets stems partly from the stated router and set-top box compromises.
“A decreased barrier to entry into cloud servers and services may also add to the vulnerable pool,” he said. “Consider security during system design. That is, design security into the system instead of adding it on after deployment.”
Other steps to take prior to launch, according to Henry, include assessing network and hosting services for DDoS robustness; beginning a relationship with a DDoS mitigation service; having a DDoS mitigation plan in place; and using a robust content delivery network to take any initial brunt.