Incident Response, TDR

DDoS attacks rally Linux servers

A significant string of distributed denial-of-service (DDoS) campaigns during the second quarter of 2014 were driven by Linux web servers that were compromised and infected by IptabLes and IptabLex malware, according to a threat advisory from Akamai's Prolexic Security Engineering & Research Team (PLXsert). 

“The .IptabLex/s threat is extensive,” Greg Lindor, lead malware analyst for the Akamai PLXsert team, told SCMagazine.com in Thursday email correspondence. “This threat is being used to take part in DDoS campaigns with significant size and reach.”

Researchers at PLXsert observed and measured the attacks, which exploited a number of vulnerabilities, including Apache Struts, Tomcat and Elasticsearch, on unmaintained servers. Stuart Scholly, senior vice president and general manager of Security Business Unit at Akamai, in a press release, urged Linux admins “to take action to protect their servers.”  

Linux is not usually targeted in large scale DDoS attacks, Lindor noted. These types of actors typically seek “the route of least resistance…when building a botnet of significant size.” 

Payloads called .IptabLes or IptabLex are located in the /boot directory and when rebooted run an .IptabLes binary. The infected system contacts a remote host via self-updating feature to download a file.

“As far as DDoS payloads, the .IptabLes threat is very similar to other DDoS related bot threats,” Lindor said. “What is new is the way this threat it being propagated and the targeted victims.”

Researchers said that in the lab, the infected server tried to contact two IP addresses in Asia. While the bulk of past DDoS bot infections have come out of Russia, more recently many have been found to originate from servers hosted in the U.S. But the command-and-control centers (C2, CC) for the two payloads are located in Asia.

Researchers at PLXsert believe that the DDoS botnet will expand and cause further infestation.

Troubling to researchers is the targeting of Linux servers. Linux is not usually targeted in large scale DDoS attacks. These types of actors typically seek “the route of least resistance…when building a botnet of significant size,” Lindor said. 

Noting that “Linux is usually considered the Operating System of choice to build systems running many of our web related services,” Lindor said that “the focus on targeting Linux systems to perform large scale DDoS attacks is relatively new and uncharted territory for these types of actors.”  After unrestricted access is gained “by any means the whole system is considered compromised,” he said. Simply hardening operating systems, then, “is no longer sufficient,” but rather “correctly configuring the services being [run] on these platforms is the first line of defense against threats like .IptabLes/x.”

Get daily email updates

SC Media's daily must-read of the most current and pressing daily news

By clicking the Subscribe button below, you agree to SC Media Terms and Conditions and Privacy Policy.