Akamai Diversity

The Akamai Blog

Akamai Offers Further Guidance to Blunt Linux DDoS Threat

Yesterday's advisory about attackers exploiting Linux vulnerabilities for DDoS assaults got a lot of attention. After hearing the feedback, we decided a follow-up post was necessary to help admins mount a better defense.

I spoke with David Fernandez, head of our Prolexic Security Engineering Research Team (PLXsert), and he offered additional details on the countermeasures.

First, for the basic details of the threat, check out yesterday's post.

Now for the next steps...

Blocking this threat comes down to patching and hardening the server, keeping antivirus updated and establishing rate limits. Meantime, PLXsert has created a YARA rule and a bash command to detect and eliminate this threat from Linux servers.

It's necessary to first harden the exposed web platform and services by applying patches and updates from the respective software vendors and developers:

 There are also fundamental Linux server hardening procedures provided by SANS Institute (pdf). 

 The binary (ELF) will only run on Linux-based systems. However, attackers may be using other web exploits. The binary and the exploits used to break in are not co-dependent.

Antivirus detection

Several antivirus companies including McAfee have detections for this DDoS payload (McAfee identifies it as a generic Linux/DDosFlooder), however the detection rate among antivirus companies is relatively low overall for this threat. At the time of this advisory, VirusTotal reported only 23 out of 54 antivirus engines detecting this threat, which is an improvement from May 2014 when the detection rate was 2 out of 54 for this binary.

Rate limiting

Attackers will typically target a domain with these attacks, so a target web server will receive the SYN flood on port 80 or other port deemed critical for the server's operation. The DNS flood will typically flood a domain's DNS server with requests. Assuming the target infrastructure can support the high bandwidth observed by these attacks, rate limiting may be an option. 

 Akamai's Generic Route Encapsulation (GRE) solution allows routing of an entire subnet(/24 minimum) for mitigation. The attack will be absorbed by Akamai's solutions, allowing legitimate users to continue to use the site and its services.

YARA rule

YARA is an open source tool designed to identify and classify malware threats. It is typically used as a host-based detection mechanism and provides a strong PCRE engine to match identifying features of threats at a binary level or more. PLXsert utilizes YARA rules to classify threats that persist across many campaigns and over time. Here's a YARA rule provided by PLXsert to identify the ELF IptabLes payload identified in this advisory:

rule IptablesELF



              author = "PLXSert"

              description = "Rule to detect ELF IpTable DDoS executable"



              $elf = {7f 45 4c 46}

              $st0 = "SynFloodSendThread"

              $st1 = "DnsFloodSendThread"

              $st2 = "SynFloodBuildThread"

              $st3 = "DnsFloodBuildThread"

              $st4 = "MAINPTH"


              $code1 = "list.c"

              $code2 = "main.c"

              $code3 = "mypth.c"

              $code4 = "Service.c"

              $code5 = "srvnet.c"

              $code6 = "ckbuf"

              $code7 = "udptest.c"



              ($elf at 0 and all of ($st*) and 5 of ($code*) )


Bash commands

Two bash commands from PLXsert are designed to clean a system infected with the ELF IptabLes binary. After running these commands, system administrators are advised to reboot the system and run a thorough system inspection.

1. sudo find / -type f -name '.*ptabLe*'  -exec rm -f {} ';'

2. ps -axu | awk '/\.IptabLe/ {print $2}' | sudo xargs kill -9

We will be back with additional guidance as needed.