
Linux botnets on the rise, says Kaspersky DDoS report

DDoS attack data collected by Kaspersky Lab shows a greater proportion of attacks are coming from hijacked Linux servers and attacks are tending to last longer

The number of distributed denial of service (DDoS) attacks carried out by Linux botnets almost doubled from the first quarter to 70% of the total in the second quarter, a report reveals.

As a result, the proportion of DDoS attacks using the SYN flood method has increased, because Linux-based tools are the most effective means of carrying it out, according to the latest report by Kaspersky Lab.

The attack involves having a hijacked Linux client repeatedly send SYN (synchronisation) packets to every port on a server, using spoofed source IP addresses, “flooding” the server with connection requests.
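From the defender's side, the half-open connections a SYN flood leaves behind are visible on the targeted host itself. The following script is an added example, not part of the article or of Kaspersky's report: it parses constructed `ss -tan`-style socket listings and flags a local port whose SYN-RECV backlog is both large and spread across many distinct peer addresses, which is what spoofed-source SYN traffic looks like, as opposed to one slow client. The sample data, the column layout, the function names and the thresholds are all assumptions made for this example.

```python
from collections import defaultdict


def build_sample_ss_output():
    """Construct sample `ss -tan`-style output (constructed data, not real).

    A handful of legitimate sessions plus a burst of half-open connections to
    port 80 from 60 distinct addresses in the 203.0.113.0/24 documentation
    range, plus two half-open sockets from one ordinary slow client on 443.
    """
    lines = [
        "State    Recv-Q Send-Q Local Address:Port   Peer Address:Port",
        "LISTEN   0      128    0.0.0.0:22           0.0.0.0:*",
        "LISTEN   0      128    0.0.0.0:80           0.0.0.0:*",
        "ESTAB    0      0      10.0.0.5:22          10.0.0.9:51234",
        "ESTAB    0      0      10.0.0.5:80          10.0.0.12:40122",
        # one slow client with a couple of half-open sockets is not a flood
        "SYN-RECV 0      0      10.0.0.5:443         10.0.0.33:38000",
        "SYN-RECV 0      0      10.0.0.5:443         10.0.0.33:38001",
    ]
    for i in range(1, 61):
        lines.append(f"SYN-RECV 0      0      10.0.0.5:80          203.0.113.{i}:{40000 + i}")
    return "\n".join(lines)


def parse_ss_output(text):
    """Parse ss-style lines into (state, local_port, peer_ip) tuples.

    The header row and LISTEN sockets (which have no real peer) are skipped.
    """
    records = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) < 5 or parts[0] in ("State", "LISTEN"):
            continue
        state, local, peer = parts[0], parts[3], parts[4]
        local_port = int(local.rsplit(":", 1)[1])
        peer_ip = peer.rsplit(":", 1)[0]
        records.append((state, local_port, peer_ip))
    return records


def half_open_summary(records):
    """Per local port: (number of SYN-RECV sockets, number of distinct peers)."""
    counts = defaultdict(int)
    peers = defaultdict(set)
    for state, port, peer_ip in records:
        if state == "SYN-RECV":
            counts[port] += 1
            peers[port].add(peer_ip)
    return {port: (counts[port], len(peers[port])) for port in counts}


def detect_syn_flood(records, min_half_open=20, min_distinct_peers=10):
    """Return local ports whose half-open backlog looks like a SYN flood.

    The signature is many SYN-RECV sockets spread across many distinct peer
    addresses. The thresholds are assumptions for this example; tune them
    against the host's normal backlog (see net.ipv4.tcp_max_syn_backlog).
    """
    flagged = []
    for port, (n_half_open, n_peers) in sorted(half_open_summary(records).items()):
        if n_half_open >= min_half_open and n_peers >= min_distinct_peers:
            flagged.append(port)
    return flagged


if __name__ == "__main__":
    recs = parse_ss_output(build_sample_ss_output())
    for port, (n, p) in sorted(half_open_summary(recs).items()):
        print(f"port {port}: {n} half-open connections from {p} distinct peers")
    print("suspected SYN flood on ports:", detect_syn_flood(recs))
```

On a live host the same check runs over the real output of `ss -tan`; the usual kernel-side mitigation once a flood is confirmed is to make sure SYN cookies are enabled (`net.ipv4.tcp_syncookies=1`), so the backlog cannot be exhausted by half-open connections that never complete the handshake.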

While transmission control protocol (TCP) and hypertext transfer protocol (HTTP) DDoS attacks also remained popular, SYN flood attacks increased 1.4 times compared with the first quarter.

This was the first time Kaspersky DDoS Intelligence registered such an imbalance between the activities of Linux- and Windows-based DDoS bots.

“Linux servers often contain common vulnerabilities, but not protection from a reliable security solution, making them prone to bot infections,” said Oleg Kupreev, lead malware analyst at Kaspersky Lab.

“These factors make them a convenient tool for botnet owners. While attacks carried out by Linux-based bots are simple, they are effective and can last for weeks without the owner of the server knowing it is the source of an attack,” he said.

By using a single server, Kupreev said cyber criminals can carry out an attack equal in strength to hundreds of individual computers.

“That’s why companies need to be prepared in advance for such a scenario, ensuring reliable protection against DDoS attacks of any complexity and duration,” he said.


The quarter also saw an increase in the duration of DDoS attacks. While the proportion of attacks that lasted up to four hours fell from 68% in the first quarter to 60%, the proportion of longer attacks grew considerably.

Attacks lasting 20 to 49 hours accounted for 9%, up from 4% in the first quarter, and those lasting 50 to 99 hours accounted for 4%, up from just 1% in the first quarter.

The longest DDoS attack in the second quarter of 2016 lasted 291 hours (12 days), a significant increase on the first quarter maximum of eight days.

Command and control servers

According to the report, based on data collected by Kaspersky Lab’s DDoS Intelligence system, which is designed to intercept and analyse commands sent to bots from command and control (C&C) servers, the number of attacks on resources located on Chinese servers grew considerably.

Meanwhile, Brazil, Italy and Israel all appeared among the leading countries hosting C&C servers.

During the second quarter of 2016, DDoS attacks affected resources in 70 countries, with targets in China suffering the most (77%). Germany and Canada both dropped out of the top 10 rating of most targeted countries, replaced by France and the Netherlands.

South Korea remained the clear leader in terms of the number of C&C servers located on its territory, with its share amounting to 70%. This top 10 ranking also included Brazil, Italy and Israel, with the number of active C&C servers hosted in these countries almost tripling.
