Mitigations for DDoS Toolkit Attacks

Friday, September 26, 2014 @ 06:09 PM gHale


A powerful distributed denial of service (DDoS) attack is now coming from the Spike DDoS toolkit, researchers said. But mitigations are available.

With this toolkit, bad guys are building bigger DDoS botnets by targeting a wider range of Internet-capable devices, said researchers at Akamai Technologies, through the company’s Prolexic Security Engineering & Response Team (PLXsert).


The multi-vector toolkit can launch infrastructure-based and application-based DDoS payloads, including SYN floods, UDP floods, Domain Name System (DNS) query floods, and GET floods. Several campaigns have been reported against hosts in Asia and the United States.

DDoS attack campaigns launched from the botnet have targeted Akamai customers. One DDoS attack campaign mitigated by the company peaked at 215 gigabits per second (Gbps) and 150 million packets per second (Mpps).

The Spike DDoS toolkit runs on a Windows system, but it can communicate with and execute commands on Windows, Linux and ARM-based devices infected with its binary payloads. The ability to generate an ARM-based binary payload suggests the authors of this malicious tool are seeking to control devices such as routers and Internet of Things (IoT) devices (e.g., smart thermostat systems and washer/dryers). The capability to infect and control a broader range of devices could allow DDoS attackers to propagate botnets in a post-PC era.

Most of the infrastructure DDoS attacks launched by the Spike DDoS toolkit can be mitigated by implementing access control lists (ACLs) that filter out unwanted traffic. To mitigate the toolkit’s application-layer GET flood attack, PLXsert has produced a SNORT signature, which is available in the threat advisory.
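As an added example (not from the PLXsert advisory, which publishes a SNORT signature rather than this code), the same application-layer check expressed in Python over constructed web-server access-log lines: a source whose GET count within a short sliding window reaches a threshold is flagged for review. The threshold, window length, and sample addresses are assumptions, and the log lines are assumed to be in time order.

```python
import re
from collections import defaultdict, deque
from datetime import datetime

# Combined-log-format prefix: client IP, timestamp, request method.
LOG_RE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>[A-Z]+) ')
TS_FMT = "%d/%b/%Y:%H:%M:%S %z"

# Constructed sample log (not real traffic): 198.51.100.9 issues six GETs in
# two seconds, 203.0.113.20 issues three GETs spread over ten seconds.
SAMPLE_LOG = """\
198.51.100.9 - - [26/Sep/2014:18:09:00 +0000] "GET / HTTP/1.1" 200 512
203.0.113.20 - - [26/Sep/2014:18:09:00 +0000] "GET /index.html HTTP/1.1" 200 2048
198.51.100.9 - - [26/Sep/2014:18:09:00 +0000] "GET / HTTP/1.1" 200 512
198.51.100.9 - - [26/Sep/2014:18:09:01 +0000] "GET / HTTP/1.1" 200 512
198.51.100.9 - - [26/Sep/2014:18:09:01 +0000] "POST /login HTTP/1.1" 302 0
198.51.100.9 - - [26/Sep/2014:18:09:01 +0000] "GET / HTTP/1.1" 200 512
198.51.100.9 - - [26/Sep/2014:18:09:02 +0000] "GET / HTTP/1.1" 200 512
198.51.100.9 - - [26/Sep/2014:18:09:02 +0000] "GET / HTTP/1.1" 200 512
203.0.113.20 - - [26/Sep/2014:18:09:05 +0000] "GET /about.html HTTP/1.1" 200 1024
203.0.113.20 - - [26/Sep/2014:18:09:10 +0000] "GET /contact.html HTTP/1.1" 200 1024
"""

def parse_line(line):
    """Return (ip, timestamp, method) for a combined-format line, or None if unparsable."""
    m = LOG_RE.match(line)
    if not m:
        return None
    return m.group("ip"), datetime.strptime(m.group("ts"), TS_FMT), m.group("method")

def find_get_flood_sources(lines, threshold=5, window_seconds=5):
    """Flag source IPs whose GET count inside any sliding window of window_seconds
    reaches threshold. Returns {ip: peak GET count seen in one window}."""
    recent = defaultdict(deque)  # ip -> timestamps of GETs still inside the window
    flagged = {}
    for line in lines:
        parsed = parse_line(line)
        if parsed is None:
            continue
        ip, ts, method = parsed
        if method != "GET":          # only the GET flood vector is being watched here
            continue
        q = recent[ip]
        q.append(ts)
        while (ts - q[0]).total_seconds() > window_seconds:
            q.popleft()              # drop GETs that have aged out of the window
        if len(q) >= threshold:
            flagged[ip] = max(flagged.get(ip, 0), len(q))
    return flagged
```

In practice the threshold is tuned against the site's normal per-client request rate, and a flagged address is a candidate for an ACL entry or rate limit rather than an automatic block.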

The multi-platform infection code in this kit increases the threat’s complexity and sophistication and makes it necessary to apply system hardening measures to each of the targeted operating systems and platforms. Links to industry-recommended hardening techniques are provided to system administrators in the advisory. The advisory also provides a YARA rule to identify bot payloads used to infect devices and make them part of the botnet.

PLXsert anticipates further infestation and the expansion of this DDoS botnet.

The advisory also includes the following information:
• Indicators of binary infection
• Command and control panel
• Toolkit variations
• Bot initialization
• DDoS payloads
• Details of an observed attack campaign
• DDoS mitigation
• System hardening resources.
