Web servers based on both Linux and Windows are rapidly being targeted by attackers and turned into server-side botnets capable of high-bandwidth denial-of-service attacks, two security firms stated in recently published analyses.
On one hand, attackers are targeting unpatched or poorly-maintained Linux systems, exploiting known vulnerabilities and installing bot software to conscript the computers into a server-side botnet, according to an advisory released on Sept. 4 by Prolexic, a subsidiary of content-delivery provider Akamai. Yet, Windows servers are not immune.
A recent attack against a client of Website security firm Sucuri used 2,000 servers to send a flood of packets to the victim's network. Web servers running on Windows 7 and 8 accounted for almost two-thirds of those systems, the company stated in an advisory. In the past, Sucuri had usually seen traffic from botnets created by consumer desktop and laptop systems, CEO and co-founder Tony Perez told eWEEK. "This was different because of the anatomy of the network," he said. "Normally, we see attacks coming from notebooks and desktops and PCs, but now Web servers are doing the denial-of-service." By using Web servers, "the attackers have more horse power available to them, allowing them to have more devastating effect on unsuspecting web sites," Perez said.
Server-side botnets used for denial-of-service attacks first came to light in 2012, when the Izz ad-Din al-Qassam Cyber Fighters targeted financial institutions with massive bandwidth and application-layer attacks in alleged retaliation for the posting of videos to YouTube that were offensive to some Muslims.
Rather than using botnets consisting of tens of thousands of consumer desktop systems, the attackers used hundreds to thousands of Web servers instead. While some attackers use vulnerabilities to compromise servers, others have significant success just by trying common passwords. The 2,000 servers that attacked Sucuri's client sent some 5,000 HTTP requests per second, enough to not just overwhelm the victim's Web server but the victim's hosting provider as well.
The hosting provider, which Perez declined to name, cut off the company for violating its terms of service, according to Perez. The campaign to create Linux-based DDoS botnets is more extensive, according to Prolexic.
The attackers behind the denial-of-service botnet use vulnerabilities in popular Linux software, such as Apache Tomcat, Struts and Elasticsearch, the company said. Once a server is compromised, the attackers upload malware, which creates a copy of itself named .IptabLes or .IptabLex. IPTables is a common firewall and routing package included in most versions of the Linux operating system. "The analysis conducted within the lab environment showed that the binary exhibits DDoS functionality," Prolexic stated in its alert. "Two functions found inside the binary indicate SYN and DNS flood attack payloads.
These DDoS attack payloads are initiated once an attacker sends the command to an infected victim machine." The botnet created by the campaign has been used to target financial institutions, and in one case, created a DDoS that peaked at 119 Gbps. "This bot seems to be in an early development stage and shows several signs of instability. More refined and stable versions could emerge in future attack campaigns." The attacks appear to come from Internet addresses in Asia, and two hard-coded addresses contained in the malware binary are in China, according to Prolexic.