Linux Machines Powered Nearly Half of DDoS Attacks in Q3: Kaspersky

Linux-based botnets are being increasingly used by cybercriminals to launch distributed denial of service (DDoS) attacks, according to a new report released Wednesday by Kaspersky Lab.

According to the Moscow-based security firm’s DDoS Intelligence Report for Q3 2015, DDoS attacks from Linux-based botnets accounted for 45.6 percent of the total number of DDoS attacks. The most notable of the group is the XOR DDoS botnet, which was used to launch 150+ gigabit-per-second (Gbps) DDoS attacks, as discovered by security researchers from Akamai Technologies.

The largest number of C&C servers used to carry out attacks was located in South Korea during the third quarter, at 56.6 percent. The United States came in second with 12.4 percent, followed by China with 6.9 percent, and the UK with 4.8 percent.

The increase in Linux-based bots is mainly due to low protection of systems and higher bandwidth capacity, Kaspersky says.

The botnet used SYN and DNS floods to carry out attacks, and Kaspersky Lab data reveals that Linux systems infected with the XOR DDoS Trojan were used to actively target resources located in China. According to the security firm, 34.5 percent of all DDoS attacks in Q3 were aimed at targets in this country, with the USA on the second position, being targeted by 20.8 percent of attacks.

The report also shows that 17.7 percent of the DDoS attacks in the timeframe were targeting South Korea, and that 91.6 percent of all attacks were targeting resources in only 10 countries, although the targets were located in 79 countries around the world. Also noteworthy is the fact that the number of attacks targeting the top three countries has increased compared to the second quarter.

The security firm also reveals that 99.3 percent of the attacks came from bots belonging to one family, and that only few attempts were made using bots from two or three different families (0.7 and 0.2 percent, respectively). SYN DDoS remained the most popular attack method, being used in 51.7 percent of incidents, followed by TCP DDoS with 16.4 percent, and HTTP DDOS with 14.9 percent share.

As for duration, most attacks lasted less than 24 hours during the quarter, yet the security firm observed an increase in the number of attacks lasting longer than one week. The longest DDoS attack registered in the timeframe lasted 320 hours (13.3 days), a major increase in duration compared to the 205 hours (8.5 days) long attack registered in Q2, the security firm notes.

According to Kaspersky’s report, the software used to launch DDoS attacks is becoming more complicated, but the tools for launching attacks are more freely available and easier to use, meaning that even perpetrators lacking advanced technical skills can take advantage of them. This also results in a wider range of targets these attacks are hitting.

“For the owners of web resources, effective protection from DDoS attacks originating from server botnets is strongly recommended,” Kaspersky Lab advised.