Linux XOR DDoS Botnet Flexes Muscles With 150+ Gbps Attacks

XOR DDoS Botnet Pounds Organizations in Asia

Akamai Technologies shared new details on Tuesday about an existing botnet that is now capable of launching 150+ gigabit-per-second (Gbps) DDoS attacks from Linux systems infected by the XOR DDoS Trojan.

The XOR DDoS malware was first discovered in September 2014 by the Malware Must Die research group, which linked it to a Chinese threat actor. XOR DDoS is different from most DDoS bots because it’s developed using C/C++ and uses a rootkit component for persistence, researchers said. Once installed on a system, XOR DDoS connects to its command and control (C&C) server, from which it gets a list of targets.

In addition to DDoS attacks, the bot is also capable of downloading and executing arbitrary binaries, and it can replace itself with a newer variant by using a self-update feature.

Akamai analysts observed that the bandwidth of DDoS attacks launched by the XOR DDoS botnet in recent campaigns ranged from low single-digit Gbps to more than 150 Gbps, with up to 20 targets hit per day, 90% of them in Asia.

“Over the past year, the XOR DDoS botnet has grown and is now capable of being used to launch huge DDoS attacks,” said Stuart Scholly, senior vice president and general manager, Security Business Unit, Akamai. “XOR DDoS is an example of attackers switching focus and building botnets using compromised Linux systems to launch DDoS attacks. This happens much more frequently now than in the past, when Windows machines were the primary targets for DDoS malware.”

The top target has been the gaming sector, followed by educational institutions, Akamai said. Two attacks seen by Akamai, using SYN and DNS floods, reached nearly 179 Gbps and 109 Gbps.

Here’s more of what Akamai has to say about XOR DDoS:

The IP address of the bot is sometimes spoofed, but not always. The attacks observed in the DDoS campaigns against Akamai customers were a mix of spoofed and non-spoofed attack traffic. Spoofed IP addresses are generated such that they appear to come from the same /24 or /16 address space as the infected host. A spoofing technique where only the third or fourth octet of the IP address is altered is used to prevent Internet Service Providers (ISPs) from blocking the spoofed traffic on Unicast Reverse Path Forwarding (uRPF)-protected networks.

DDoS mitigation of XOR DDoS attacks

Identifiable static characteristics were observed, including initial TTL value, TCP window size, and TCP header options. Payload signatures such as these can aid in DDoS mitigation. These are available in the threat advisory. In addition, tcpdump filters are provided to match SYN flood attack traffic generated by this botnet.
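The two defensive ideas in the quoted advisory text, matching SYN packets against static header characteristics and recognizing source addresses that vary only in the third or fourth octet, can be combined into one triage script. The following is an added example written for this page, not Akamai's code or the advisory's signatures: the fingerprint values (TTL 64, window 65535, the option list), the `Packet` record, the `analyze` function and all sample packets are constructed placeholders, since the real values live in the advisory and not on this page.

```python
"""Added example (not Akamai's code): flag SYN packets that match a static
TCP/IP fingerprint and check whether their sources cluster in one /24 or /16,
the spoofing pattern described in the article. Fingerprint values and sample
packets are constructed placeholders, not values taken from the advisory."""
import ipaddress
from collections import defaultdict
from dataclasses import dataclass

# Hypothetical fingerprint: the real TTL/window/option values are in the advisory.
FINGERPRINT = {"ttl": 64, "window": 65535, "options": ("mss", "sackOK")}


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    flags: str        # "S" = bare SYN, "SA" = SYN/ACK, and so on
    ttl: int
    window: int
    options: tuple    # TCP option kinds in on-the-wire order


def matches_fingerprint(pkt, fp=FINGERPRINT):
    """True for a bare SYN whose TTL, window and option list all match."""
    return (pkt.flags == "S"
            and pkt.ttl == fp["ttl"]
            and pkt.window == fp["window"]
            and pkt.options == fp["options"])


def bpf_filter(fp=FINGERPRINT):
    """tcpdump/BPF expression for the SYN-only, TTL and window parts of the
    fingerprint (ip[8] is the IPv4 TTL byte, tcp[14:2] the TCP window field).
    Option layout varies per packet, so options are left to matches_fingerprint."""
    return ("tcp[tcpflags] & (tcp-syn|tcp-ack) == tcp-syn "
            f"and ip[8] = {fp['ttl']} and tcp[14:2] = {fp['window']}")


def source_clusters(packets, prefixlen):
    """Count distinct fingerprint-matching source hosts per /prefixlen network."""
    hosts = defaultdict(set)
    for p in packets:
        if matches_fingerprint(p):
            net = ipaddress.ip_network(f"{p.src}/{prefixlen}", strict=False)
            hosts[str(net)].add(p.src)
    return {net: len(h) for net, h in hosts.items()}


def analyze(packets, min_hosts=8):
    """Report how many SYNs match and which /24 or /16 networks contain at
    least min_hosts distinct matching sources (many hosts in one small prefix
    is consistent with the octet-only spoofing the advisory describes)."""
    matched = [p for p in packets if matches_fingerprint(p)]
    report = {"matched": len(matched), "total": len(packets), "clusters": {}}
    for plen in (24, 16):
        for net, n in source_clusters(packets, plen).items():
            if n >= min_hosts:
                report["clusters"][net] = n
    return report


# Constructed sample traffic (documentation address ranges, not real hosts).
SAMPLE_PACKETS = (
    # 12 matching SYNs whose source differs only in the last octet
    [Packet(f"203.0.113.{i}", "192.0.2.10", "S", 64, 65535, ("mss", "sackOK"))
     for i in range(1, 13)]
    # one matching SYN from an unrelated network
    + [Packet("198.51.100.7", "192.0.2.10", "S", 64, 65535, ("mss", "sackOK"))]
    # ordinary traffic that must not match: different TTL/window, and a SYN/ACK
    + [Packet("198.51.100.20", "192.0.2.10", "S", 128, 8192, ("mss", "nop", "wscale")),
       Packet("198.51.100.21", "192.0.2.10", "SA", 64, 65535, ("mss", "sackOK"))]
)

if __name__ == "__main__":
    print(bpf_filter())
    print(analyze(SAMPLE_PACKETS))
```

On the sample, 13 of 15 packets match and the twelve 203.0.113.x sources are reported as a single /24 (and /16) cluster, while the lone matching host in 198.51.100.0/24 stays below the cluster threshold. The BPF string can be handed to tcpdump as a pre-filter; the option check then runs on the captured packets.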

According to Akamai, removing the XOR DDoS malware is a four-step process, which it describes in the advisory, along with several scripts and instructions for detection using a YARA rule.

“Akamai’s SIRT expects XOR DDoS activity to continue as attackers refine and perfect their method,” Akamai concluded. “This will likely result in a more diverse selection of DDoS attack types included in future versions of the malware. XOR DDoS malware is part of a wider trend of which companies must be aware: Attackers are targeting poorly configured and unmaintained Linux systems for use in botnets and DDoS campaigns.”

Late last year, researchers at FireEye monitored a campaign in which malicious actors used Secure Shell (SSH) brute force attacks to install XOR DDoS on targeted systems. At the time, FireEye saw more than 20,000 SSH login attempts per server in the first 24 hours.
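Since SSH brute forcing is the infection vector described for this botnet, the login-failure rate in sshd's log is the earliest place a defender can see an attempt. The script below is an added example written for this page, not FireEye's or Akamai's tooling: it parses the standard syslog-format "Failed password" lines sshd emits, counts failures per source, and flags sources with a burst of failures inside a sliding window. The log lines, the window of 60 seconds, the threshold of 10 and the year 2014 (syslog omits the year) are all constructed assumptions.

```python
"""Added example (not FireEye's or Akamai's tooling): count failed SSH logins
per source in sshd's syslog output and flag sources whose failure burst looks
like a brute-force campaign. All log lines below are constructed samples."""
import re
from collections import Counter, defaultdict
from datetime import datetime

# Matches the classic sshd syslog line, with or without "invalid user".
FAILED_RE = re.compile(
    r"^(?P<mon>\w{3}) +(?P<day>\d{1,2}) (?P<time>\d{2}:\d{2}:\d{2}) \S+ "
    r"sshd\[\d+\]: Failed password for (?:invalid user )?(?P<user>\S+) "
    r"from (?P<ip>[\d.]+) port \d+ ssh2$")


def parse_failed(lines, year=2014):
    """Yield (timestamp, source_ip, username) per failed-password line.
    Syslog omits the year, so the caller supplies it (constructed: 2014)."""
    for line in lines:
        m = FAILED_RE.match(line.strip())
        if not m:
            continue  # accepted logins and unrelated lines are ignored
        ts = datetime.strptime(f"{year} {m['mon']} {m['day']} {m['time']}",
                               "%Y %b %d %H:%M:%S")
        yield ts, m["ip"], m["user"]


def failures_per_source(lines, year=2014):
    """Total failed logins per source address."""
    return Counter(ip for _, ip, _ in parse_failed(lines, year))


def brute_force_sources(lines, window_seconds=60, threshold=10, year=2014):
    """Return {ip: max_failures_in_any_window} for sources that reach the
    threshold inside some window_seconds span (sliding-window count)."""
    by_ip = defaultdict(list)
    for ts, ip, _ in parse_failed(lines, year):
        by_ip[ip].append(ts)
    flagged = {}
    for ip, times in by_ip.items():
        times.sort()
        best, start = 0, 0
        for end, t in enumerate(times):
            while (t - times[start]).total_seconds() > window_seconds:
                start += 1
            best = max(best, end - start + 1)
        if best >= threshold:
            flagged[ip] = best
    return flagged


# Constructed sample log: one source hammering root/admin once per second,
# one legitimate user with two typos and then a successful login.
SAMPLE_LINES = (
    [f"Sep 29 10:00:{s:02d} web1 sshd[{2300 + s}]: Failed password for root "
     f"from 198.51.100.5 port {51000 + s} ssh2" for s in range(30)]
    + [f"Sep 29 10:00:{s:02d} web1 sshd[{2400 + s}]: Failed password for invalid "
       f"user admin from 198.51.100.5 port {52000 + s} ssh2" for s in range(30, 40)]
    + ["Sep 29 10:05:17 web1 sshd[2601]: Failed password for alice from 203.0.113.9 port 40001 ssh2",
       "Sep 29 10:41:02 web1 sshd[2702]: Failed password for alice from 203.0.113.9 port 40002 ssh2",
       "Sep 29 10:41:30 web1 sshd[2702]: Accepted password for alice from 203.0.113.9 port 40002 ssh2"]
)

if __name__ == "__main__":
    print(failures_per_source(SAMPLE_LINES))
    print(brute_force_sources(SAMPLE_LINES))
```

On the sample, 198.51.100.5 accumulates 40 failures within 40 seconds and is flagged, while alice's two mistakes from 203.0.113.9 stay well below the threshold. In production the same counting is what tools such as fail2ban do before blocking a source; the window and threshold should be tuned to the server's normal login pattern.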

Written By

For more than 10 years, Mike Lennon has been closely monitoring the threat landscape and analyzing trends in the National Security and enterprise cybersecurity space. In his role at SecurityWeek, he oversees the editorial direction of the publication and is the Director of several leading security industry conferences around the world.
