CIO

New toolkit seeks routers, Internet of Things for DDoS botnet

Security researchers have recently discovered a toolkit capable of infecting computers, routers and Internet of Things devices to launch large-scale simultaneous DDoS attacks.

DDoS mitigator Akamai Technologies uncovered the toolkit, dubbed Spike, about six months ago and has stopped attacks against enterprise customers in Asia and the U.S.

One distributed denial of service attack peaked at 215 gigabits per second and 150 million packets per second.

"It was pretty impressive," David Fernandez, head of Akamai's PLXsert lab, said.

The toolkit is unique in that it can infect Linux, Windows and ARM-based systems. As a result, a Spike-based botnet could comprise PCs, servers, routers and Internet of Things (IoT) devices, such as smart thermostats.

Akamai has not seen any IoT devices in the botnet it has uncovered. However, the fact that the creators developed binary payloads for ARM and Linux suggests that attacks on IoT devices are possible.

"They could be subjected to future exploitation and infection for these types of (DDoS) campaigns," Fernandez said.

Also unusual is Spike's ability to launch different types of DDoS attacks simultaneously. For example, attackers could use four separate command-and-control servers to launch SYN, UDP, GET and Domain Name System (DNS) query floods against a single target at the same time.
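As an added example (not code from the article or from Akamai), the following Python snippet buckets constructed flow records into the four flood vectors named above and flags any target that is hit by several of them in the same second, which is the "simultaneous" pattern the article describes. The record layout, sample addresses and the tiny thresholds are assumptions made for the illustration.

```python
# Added example, not from the article: classify flow records into the four
# vectors the article names (SYN, UDP, GET, DNS query) and flag targets that
# see several vectors in the same second.
from collections import defaultdict

# Constructed sample records: (second, src, dst, proto, dport, tcp_flags, payload)
SAMPLE = [
    (100, "10.0.0.1", "203.0.113.5", "tcp", 80, "S", ""),
    (100, "10.0.0.2", "203.0.113.5", "tcp", 80, "S", ""),
    (100, "10.0.0.3", "203.0.113.5", "udp", 9999, "", "x" * 64),
    (100, "10.0.0.4", "203.0.113.5", "udp", 53, "", "\x12\x34\x01\x00"),
    (100, "10.0.0.5", "203.0.113.5", "tcp", 80, "PA", "GET / HTTP/1.1"),
    (101, "10.0.0.6", "203.0.113.5", "tcp", 80, "S", ""),
    (100, "10.0.0.7", "198.51.100.9", "tcp", 443, "PA", "GET /index HTTP/1.1"),
]


def classify(rec):
    """Map one record to a flood vector name, or None if it matches none."""
    _, _, _, proto, dport, flags, payload = rec
    if proto == "tcp" and flags == "S":      # bare SYN, no ACK: SYN flood
        return "syn"
    if proto == "tcp" and payload.startswith("GET "):  # HTTP GET flood
        return "get"
    if proto == "udp" and dport == 53:       # UDP to port 53: DNS query flood
        return "dns"
    if proto == "udp":                       # any other UDP: generic UDP flood
        return "udp"
    return None


def vector_counts(records):
    """Count records per (target, second) and per vector."""
    counts = defaultdict(lambda: defaultdict(int))
    for rec in records:
        vec = classify(rec)
        if vec:
            counts[(rec[2], rec[0])][vec] += 1
    return counts


def multi_vector_targets(records, min_vectors=2, min_pps=1):
    """Return {(target, second): [vectors]} where at least min_vectors vectors
    each reach min_pps records. Real thresholds are far higher (the article
    cites a peak of 150 million packets per second); these fit the sample."""
    hits = {}
    for (dst, sec), vecs in vector_counts(records).items():
        active = sorted(v for v, n in vecs.items() if n >= min_pps)
        if len(active) >= min_vectors:
            hits[(dst, sec)] = active
    return hits
```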

Akamai believes Spike originated in Asia, because only Mandarin was used in the toolkits the company found.

To block Spike, a company can add infrastructure attack signatures to access control lists. For blocking attacks on the application layer, Akamai has released a SNORT signature.

SNORT is a widely used open source network intrusion detection and prevention system.

Akamai also suggests hardening systems against attacks by keeping patches up to date and following the guidance provided by several organizations, including the SANS Institute, Microsoft, the National Security Agency, the National Institute of Standards and Technology (NIST) and the Open Web Application Security Project (OWASP).

Akamai is also calling on the security research community, including vendors and government and private institutions, to launch a combined effort to clean up Spike-infected systems while the botnet is still young.

"Unless there are significant community cleanup efforts, this bot infestation is likely to spread," the company said in a threat advisory.