Akamai’s Prolexic Security Engineering and Response Team (PLXsert) has published a new threat advisory to warn enterprises of distributed denial-of-service (DDoS) attacks leveraging a toolkit dubbed “Spike.”
According to the Internet infrastructure company, the Spike DDoS Toolkit has been used in several attacks aimed at organizations in Asia and the United States. One of the attacks observed by PLXsert peaked at 215 Gbps and 150 Mpps.
The malware, which appears to have been developed by a China-based group, uses compromised machines to launch SYN floods, UDP floods, DNS query floods, and GET floods against targeted organizations.
While there are several threats capable of performing such attacks, Spike stands out because it can infect not only Windows machines, but also desktop and ARM-based devices running Linux. This means that the list of targeted machines includes not only PCs and servers, but also routers and Internet of Things (IoT) devices such as thermostats, fridges, lighting solutions and washers.
“The Spike DDoS toolkit contains components of a typical client-based botnet: a command and control (C2) panel, binary payloads for infection and DDoS payload builders. The C2 and the builders are Windows binaries for use by the malicious actor, while the infectious payloads were designed to target mainly Linux or other embedded devices,” PLXsert said in its advisory. “The ability of the Spike toolkit to generate an ARM-based payload suggests that the authors of such tools are targeting devices such as routers and IoT devices to expand their botnets for a post-PC era of botnet propagation.”
Pieces of malware that appear to be variants of this toolkit were analyzed earlier this year by Russian security firm Doctor Web. The company initially found only Linux versions of the malware, but in August it reported that one of the threats had been ported to Windows.
The toolkit sample analyzed by PLXsert came with a total of three payload builders: two for 32- and 64-bit Linux payloads, and one for 32-bit ARM executables.
“The introduction of a multi-platform DDoS toolkit such as the Spike DDoS toolkit indicates the direction that malicious actors are taking. The ARM payload for Linux could be used to target popular embedded devices, CPEs [customer premises equipment] and Internet of Things devices; at least the subset of those devices that can be exploited and on which remote code execution can be attained,” the advisory reads.
According to Akamai, the layer 3 DDoS attacks can be mitigated by implementing access control lists (ACLs). Organizations can defend themselves against the layer 7 GET flood with the aid of a SNORT rule described in the advisory.
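The advisory's own Snort rule is not reproduced here. As an added illustration of the layer 7 side of the problem, the following Python script (not Akamai's or PLXsert's code) applies a rate-based check to web server access logs: it parses Common Log Format lines and flags any source IP that sends more GET requests than a threshold inside a sliding time window. The window length, the threshold and the sample log lines are all constructed assumptions for the example, not values from the advisory; a real deployment would tune them to the site's normal traffic and pair them with the signature-based rule the advisory describes.

```python
"""Rate-based HTTP GET flood detector over access-log lines.

Added illustration, not code from Akamai or PLXsert. It assumes
Common Log Format input and a constructed threshold of more than 20 GET
requests from one source IP inside any 10-second window.
"""
from collections import defaultdict, deque
from datetime import datetime
import re

# Common Log Format, e.g.
# 203.0.113.7 - - [24/Sep/2014:10:15:01 +0000] "GET / HTTP/1.1" 200 612
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+)[^"]*" (?P<status>\d{3})'
)
TS_FMT = "%d/%b/%Y:%H:%M:%S %z"


def parse_line(line):
    """Return (ip, timestamp, method, path), or None for an unparseable line."""
    m = LOG_RE.match(line)
    if not m:
        return None
    ts = datetime.strptime(m.group("ts"), TS_FMT)
    return m.group("ip"), ts, m.group("method"), m.group("path")


def find_get_flooders(lines, window_seconds=10, max_requests=20):
    """Return {ip: peak_count} for sources whose GET rate exceeds the threshold.

    A per-IP sliding window (a deque of timestamps) keeps only the requests
    seen within window_seconds of the current one, so its length is the
    instantaneous request rate. Lines must be chronological per IP; non-GET
    requests and unparseable lines are ignored.
    """
    windows = defaultdict(deque)
    flagged = {}
    for line in lines:
        parsed = parse_line(line)
        if parsed is None:
            continue
        ip, ts, method, _path = parsed
        if method != "GET":
            continue
        q = windows[ip]
        q.append(ts)
        while (ts - q[0]).total_seconds() > window_seconds:
            q.popleft()
        if len(q) > max_requests:
            flagged[ip] = max(flagged.get(ip, 0), len(q))
    return flagged


def sample_lines():
    """Constructed sample log: 203.0.113.7 sends 25 GETs in 5 seconds,
    while 198.51.100.4 browses normally (5 GETs over a minute plus a POST)."""
    lines = []
    for i in range(25):
        lines.append(
            f'203.0.113.7 - - [24/Sep/2014:10:15:{i // 5:02d} +0000] '
            f'"GET / HTTP/1.1" 200 612'
        )
    for i in range(5):
        lines.append(
            f'198.51.100.4 - - [24/Sep/2014:10:15:{i * 12:02d} +0000] '
            f'"GET /page{i} HTTP/1.1" 200 1024'
        )
    lines.append(
        '198.51.100.4 - - [24/Sep/2014:10:15:50 +0000] "POST /login HTTP/1.1" 302 0'
    )
    lines.append("this line is not a log entry")
    return lines


if __name__ == "__main__":
    for ip, peak in find_get_flooders(sample_lines()).items():
        print(f"GET flood suspect: {ip} peaked at {peak} requests in window")
```

The per-IP sliding window is deliberately simple: it catches the high-volume, single-source behaviour of a bot, but a distributed GET flood spreads requests across many bots so that each stays under a per-source threshold. For that case the same window logic should also be applied to the aggregate request rate per URL path, which is why the advisory pairs volumetric defences with a content-matching Snort rule.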
This isn’t the first time Akamai has warned enterprises of DDoS attacks leveraging Linux malware. In an advisory published earlier this month, the company detailed operations relying on Linux malware dubbed IptabLes and IptabLex, with one attack peaking at 119 Gbps bandwidth and 110 Mpps.