
Network Security

“Spike” DDoS Toolkit Targets PCs, Servers, IoT Devices: Akamai

Akamai’s Prolexic Security Engineering and Response Team (PLXsert) has published a new threat advisory to warn enterprises of distributed denial-of-service (DDoS) attacks leveraging a toolkit dubbed “Spike.”


According to the Internet infrastructure company, the Spike DDoS Toolkit has been used in several attacks aimed at organizations in Asia and the United States. One of the attacks observed by PLXsert peaked at 215 Gbps and 150 Mpps.

The malware, which appears to have been developed by a China-based group, uses compromised machines to launch SYN floods, UDP floods, DNS query floods, and GET floods against targeted organizations.

While there are several threats capable of performing such attacks, Spike stands out because it can infect not only Windows machines, but also desktop and ARM-based devices running Linux. This means that the list of targeted machines includes not only PCs and servers, but also routers and Internet of Things (IoT) devices such as thermostats, fridges, lighting solutions and washers.

“The Spike DDoS toolkit contains components of a typical client-based botnet: a command and control (C2) panel, binary payloads for infection and DDoS payload builders. The C2 and the builders are Windows binaries for use by the malicious actor, while the infectious payloads were designed to target mainly Linux or other embedded devices,” PLXsert said in its advisory. “The ability of the Spike toolkit to generate an ARM-based payload suggests that the authors of such tools are targeting devices such as routers and IoT devices to expand their botnets for a post-PC era of botnet propagation.”

Pieces of malware that appear to be variants of this toolkit were analyzed earlier this year by Russian security firm Doctor Web. The company initially found only Linux versions of the malware, but in August it reported that one of the threats had been ported to Windows.

The toolkit sample analyzed by PLXsert came with a total of three payload builders: two for 32-bit and 64-bit Linux payloads, and one for 32-bit ARM executables.

“The introduction of a multi-platform DDoS toolkit such as the Spike DDoS toolkit indicates the direction that malicious actors are taking. The ARM payload for Linux could be used to target popular embedded devices, CPEs [customer premises equipment] and Internet of Things devices; at least the subset of those devices that can be exploited and on which remote code execution can be attained,” the advisory reads.

According to Akamai, the layer 3 DDoS attacks can be mitigated by implementing access control lists (ACLs). Organizations can defend themselves against the layer 7 GET flood with the aid of a SNORT rule described in the advisory.
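As an added illustration (not Akamai's SNORT rule, which this article does not reproduce), the following Python shows the kind of per-source rate check an operator can run over web-server access logs to spot a layer 7 GET flood of the sort Spike generates; the log lines and IP addresses are constructed, and the 10-second window and 20-request threshold are assumed values.

```python
import re
from collections import defaultdict, deque
from datetime import datetime

# Constructed web-server access log lines (Apache/nginx "combined"-style prefix).
# 203.0.113.7 fires 30 GETs for "/" in five seconds; the other two sources are normal traffic.
SAMPLE_LOG = "\n".join(
    [f'203.0.113.7 - - [24/Sep/2014:10:00:{i // 6:02d} +0000] "GET / HTTP/1.1" 200 512'
     for i in range(30)]
    + [
        '198.51.100.3 - - [24/Sep/2014:10:00:02 +0000] "GET /index.html HTTP/1.1" 200 2048',
        '198.51.100.3 - - [24/Sep/2014:10:00:09 +0000] "GET /style.css HTTP/1.1" 200 800',
        '192.0.2.44 - - [24/Sep/2014:10:00:04 +0000] "POST /login HTTP/1.1" 302 0',
    ]
)

LOG_RE = re.compile(
    r'^(?P<src>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+)[^"]*" (?P<status>\d{3})'
)

def parse_line(line):
    """Return (source_ip, timestamp, method, path), or None for lines that do not match."""
    m = LOG_RE.match(line)
    if not m:
        return None
    ts = datetime.strptime(m.group("ts"), "%d/%b/%Y:%H:%M:%S %z")
    return m.group("src"), ts, m.group("method"), m.group("path")

def detect_get_floods(log_text, window_seconds=10, threshold=20):
    """Flag sources whose GET count inside any sliding time window exceeds the threshold.

    Returns {source_ip: peak GET count seen inside one window}. Lines are processed in
    log order; requests older than the window are dropped from each source's deque.
    Assumed window/threshold values; tune them to the site's normal traffic.
    """
    windows = defaultdict(deque)
    peaks = {}
    for line in log_text.splitlines():
        parsed = parse_line(line)
        if parsed is None or parsed[2] != "GET":
            continue
        src, ts, _, _ = parsed
        q = windows[src]
        q.append(ts)
        while (ts - q[0]).total_seconds() > window_seconds:
            q.popleft()
        if len(q) > threshold:
            peaks[src] = max(peaks.get(src, 0), len(q))
    return peaks

if __name__ == "__main__":
    for src, count in detect_get_floods(SAMPLE_LOG).items():
        print(f"possible GET flood from {src}: {count} GETs within 10s")
```

A real deployment would read the log tail continuously and feed flagged sources into an ACL or rate limiter rather than printing them; the sliding-window logic is the same.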

This isn’t the first time Akamai has warned enterprises of DDoS attacks leveraging Linux malware. In an advisory published earlier this month, the company detailed operations relying on Linux malware dubbed IptabLes and IptabLex, with one attack peaking at 119 Gbps bandwidth and 110 Mpps.

Written By

Eduard Kovacs (@EduardKovacs) is a contributing editor at SecurityWeek. He worked as a high school IT teacher for two years before starting a career in journalism as Softpedia’s security news reporter. Eduard holds a bachelor’s degree in industrial informatics and a master’s degree in computer techniques applied in electrical engineering.
