Linux Botnets Lead in DDoS Attacks

Tuesday, August 9, 2016 @ 05:08 PM gHale


Linux botnets accounted for 70.2 percent of all distributed denial of service (DDoS) attacks in Q2, according to a report from Kaspersky Lab.

Security researchers discovered a DDoS-capable botnet of over 25,000 DVRs running Linux-based firmware, another Linux-based botnet that leverages home routers, and over 100 different botnets based on LizardStresser, a tool developed by the Lizard Squad, also targeting Linux-based IoT equipment.


That number is a little higher than previously expected: Linux botnets accounted for 44.5 percent in Q1, 54.8 percent in Q4 2015, and 45.6 percent in Q3 last year.

Besides the proliferation of insecure IoT devices, which has simplified the task of finding vulnerable hosts and building a botnet, Linux bots are also the most suitable tool for launching damaging SYN DDoS attacks, which were this quarter’s most popular DDoS method overall, followed by TCP, HTTP, ICMP, and UDP floods.

The longest DDoS attack in Q2 2016 lasted for 291 hours (or 12.1 days). During the quarter, Tuesday was the most active day of the week for DDoS attacks (15.2 percent of attacks), followed by Monday (15.0 percent). Thursday, which came second in Q1, fell one place to 13.6 percent. Sunday became the quietest day of the week in terms of DDoS attacks (13 percent).

As for where the attacks landed, 77.4 percent of all the targeted resources were located in China. In fact, 97.3 percent of all attacks targeted only ten countries: China, South Korea, the U.S., Ukraine, Vietnam, Russia, Hong Kong, France, Japan, and the Netherlands.

When it comes to the countries where most botnet C&C servers were located, South Korea led the way, hosting 69.6 percent of all command and control infrastructure, followed by China (8.1 percent), the U.S. (7.1 percent), Russia (4.5 percent), and Brazil (2.3 percent).

In Q2, the timeline of DDoS attacks was uneven, with a slow April and May and a very busy June, not to mention one day in June when Kaspersky detected 1,676 different DDoS attacks.

The longest attack lasted for 291 hours, beating Q1’s record of 197 hours. That is just about 12 days of constant DDoS traffic, which most likely caused extended downtime and substantial financial losses for the company that received all the junk traffic.
