New toolkit seeks routers, Internet of Things for DDoS botnet

Security researchers have recently discovered a toolkit capable of infecting computers, routers and Internet of Things devices to launch large-scale simultaneous DDoS attacks.

DDoS mitigator Akamai Technologies uncovered the toolkit, dubbed Spike, about six months ago and has stopped attacks against enterprise customers in Asia and the U.S.

One distributed denial of service attack peaked at 215 gigabits per second and 150 million packets per second.

"It was pretty impressive," David Fernandez, head of Akamai's PLXsert lab, said.

The toolkit is unique in that it can infect Linux, Windows and ARM-based systems. As a result, a Spike-based botnet could comprise PCs, servers, routers and Internet of Things (IoT) devices, such as smart thermostats.

Akamai has not seen any IoT devices in the botnet it has uncovered. However, the fact that the creators developed binary payloads for ARM and Linux suggests that attacks on IoT devices are possible.

"They could be subjected to future exploitation and infection for these types of (DDoS) campaigns," Fernandez said.

Also unusual is Spike's ability to launch different types of DDoS attacks simultaneously. For example, attackers could use four separate command-and-control servers to launch SYN, UDP, GET and Domain Name System query floods against a single target at the same time.

Akamai believes Spike originated in Asia, because only Mandarin was used in the toolkits the company found.

To block Spike, a company can add infrastructure attack signatures to access control lists. For blocking attacks on the application layer, Akamai has released a SNORT signature.

SNORT is a widely used open source network intrusion detection and prevention system.
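The multi-vector behaviour described above (SYN, UDP, GET and DNS query floods arriving at one target at the same time) is what a defender's monitoring has to pick out, since a threshold on any single vector can miss it. The following is an added example written for this page, not code from the article, Akamai or the Spike toolkit: it classifies simple flow records by vector, counts them per target and per one-second window, and flags targets hit by two or more vectors at once. The `Flow` record layout, the thresholds and the sample traffic are all constructed for the illustration; a real deployment would feed it from NetFlow/IPFIX or packet capture and tune the thresholds to the link's normal rates.

```python
"""Flag concurrent flood vectors (SYN, UDP, HTTP GET, DNS query) against one target.

Example code written for this page; the record format, thresholds and sample
traffic are constructed assumptions, not data from the article or the toolkit.
"""
from collections import defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class Flow:
    """Minimal per-packet summary as a collector might export it (assumed layout)."""
    ts: float        # seconds since start of capture
    src: str
    dst: str
    proto: str       # "tcp" or "udp"
    dport: int
    tcp_flags: str   # e.g. "S", "SA", "PA"; "" for UDP
    payload: bytes   # first bytes of the payload, possibly empty


def classify(flow):
    """Map one record to the flood vector it would contribute to, or None."""
    if flow.proto == "tcp" and flow.tcp_flags == "S":
        return "syn"                                  # bare SYN: connection-table exhaustion
    if flow.proto == "tcp" and flow.payload.startswith(b"GET "):
        return "get"                                  # application-layer GET flood
    if flow.proto == "udp" and flow.dport == 53:
        return "dns"                                  # DNS query flood at the resolver/authoritative
    if flow.proto == "udp":
        return "udp"                                  # generic volumetric UDP
    return None


# Per-window counts above which a single vector is considered a flood (assumed values).
DEFAULT_THRESHOLDS = {"syn": 100, "udp": 100, "get": 50, "dns": 50}


def detect_floods(flows, window=1.0, thresholds=None):
    """Return {(dst, window_index): [vectors over threshold]} for the given records."""
    thresholds = thresholds or DEFAULT_THRESHOLDS
    counts = defaultdict(int)
    for f in flows:
        vector = classify(f)
        if vector is None:
            continue
        counts[(f.dst, int(f.ts // window), vector)] += 1
    alerts = defaultdict(set)
    for (dst, win, vector), n in counts.items():
        if n >= thresholds[vector]:
            alerts[(dst, win)].add(vector)
    return {key: sorted(vectors) for key, vectors in alerts.items()}


def multi_vector_targets(alerts):
    """Targets that see two or more flood vectors inside the same window."""
    return sorted({dst for (dst, _win), vectors in alerts.items() if len(vectors) >= 2})


def make_sample():
    """Constructed traffic (not a capture): three concurrent floods on 10.0.0.5,
    a below-threshold UDP trickle, and ordinary connection attempts to 10.0.0.9."""
    flows = []
    for i in range(120):  # SYN flood from rotating (documentation-range) sources
        flows.append(Flow(i * 0.001, f"198.51.100.{i % 250}", "10.0.0.5", "tcp", 80, "S", b""))
    for i in range(60):   # GET flood on established connections
        flows.append(Flow(0.2 + i * 0.001, f"203.0.113.{i % 250}", "10.0.0.5",
                          "tcp", 80, "PA", b"GET / HTTP/1.1\r\n"))
    for i in range(80):   # DNS query flood
        flows.append(Flow(0.4 + i * 0.001, f"192.0.2.{i % 250}", "10.0.0.5",
                          "udp", 53, "", b"\x00" * 12))
    for i in range(30):   # generic UDP, stays under its threshold
        flows.append(Flow(0.6 + i * 0.001, f"192.0.2.{i % 250}", "10.0.0.5",
                          "udp", 5000 + i, "", b"A" * 64))
    for i in range(5):    # benign SYNs to a different host
        flows.append(Flow(0.1 * i, "10.0.0.20", "10.0.0.9", "tcp", 443, "S", b""))
    return flows


if __name__ == "__main__":
    found = detect_floods(make_sample())
    for (dst, win), vectors in sorted(found.items()):
        print(f"window {win}: {dst} flooded by {', '.join(vectors)}")
    print("multi-vector targets:", multi_vector_targets(found))
```

On the constructed sample this reports `10.0.0.5` as flooded by `dns`, `get` and `syn` in window 0 and lists it as a multi-vector target, while the 30 generic UDP packets and the handful of SYNs to `10.0.0.9` stay below threshold. The per-vector split matters for the response as well: the SYN and UDP counts are what an infrastructure ACL can act on, whereas the GET flood only shows up by looking into the payload, which is where an application-layer IDS rule such as the one the article mentions belongs.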

Akamai also suggests hardening systems against attacks by keeping patches up to date and following the guidance provided by several organizations, including the SANS Institute, Microsoft, the National Security Agency, the National Institute of Standards and Technology (NIST) and the Open Web Application Security Project (OWASP).

Akamai is also calling on the security research community, including vendors and government and private institutions, to launch a combined effort to clean up Spike-infected systems while the botnet is still young.

"Unless there are significant community cleanup efforts, this bot infestation is likely to spread," the company said in a threat advisory.
