This attack campaign started with a DNS flood of 30 million queries per second and escalated into a Tsunami SYN flood ramping up to 140 Gbps with over 75 Mpps in total. All attack signatures match those of the recently investigated Xor.DDoS botnet.
Between Oct. 13 and Oct. 23, the attack repeatedly switched on and off. It hit multiple destination hosts at the same time.
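Rate-based detection of the two traffic shapes just described (a DNS query flood and a SYN flood that hit several destinations at once and switch on and off), as an added example that is not part of Akamai's advisory; the thresholds, addresses and the synthetic capture are constructed assumptions, not observed values.

```python
"""Per-second, per-destination flood detector for DNS query floods and
SYN floods (bare SYNs with no completing ACK). Thresholds and the sample
traffic below are constructed for this example, not taken from the advisory."""
from collections import defaultdict

DNS_QPS_THRESHOLD = 1_000     # DNS queries/sec per destination (assumed)
SYN_PPS_THRESHOLD = 1_000     # bare SYN packets/sec per destination (assumed)
SYN_RATIO_THRESHOLD = 0.9     # fraction of TCP packets that are bare SYNs


def detect_floods(records, qps_threshold=DNS_QPS_THRESHOLD,
                  syn_threshold=SYN_PPS_THRESHOLD,
                  syn_ratio=SYN_RATIO_THRESHOLD):
    """records: iterable of (second, dst, proto, flags); proto is 'dns' or
    'tcp', flags a frozenset of TCP flag names (empty for DNS).
    Returns a sorted list of (second, dst, kind) alerts."""
    dns = defaultdict(int)    # (sec, dst) -> DNS queries
    syn = defaultdict(int)    # (sec, dst) -> bare SYNs
    tcp = defaultdict(int)    # (sec, dst) -> all TCP packets
    for sec, dst, proto, flags in records:
        key = (sec, dst)
        if proto == "dns":
            dns[key] += 1
        elif proto == "tcp":
            tcp[key] += 1
            if flags == {"SYN"}:
                syn[key] += 1
    alerts = set()
    for key, n in dns.items():
        if n >= qps_threshold:
            alerts.add((*key, "dns_flood"))
    for key, n in syn.items():
        # a SYN flood shows a high SYN rate AND SYNs dominating TCP traffic
        if n >= syn_threshold and n / tcp[key] >= syn_ratio:
            alerts.add((*key, "syn_flood"))
    return sorted(alerts)


def constructed_traffic():
    """Synthetic 10-second capture: steady background, then a burst in
    seconds 3-5 that hits two hosts at once and stops again (on/off pattern)."""
    recs = []
    for sec in range(10):
        for dst in ("10.0.0.1", "10.0.0.2"):
            recs += [(sec, dst, "dns", frozenset())] * 50              # benign DNS
            recs += [(sec, dst, "tcp", frozenset({"SYN"}))] * 20       # handshakes
            recs += [(sec, dst, "tcp", frozenset({"SYN", "ACK"}))] * 20
            recs += [(sec, dst, "tcp", frozenset({"ACK"}))] * 200
            if 3 <= sec <= 5:                                          # attack window
                recs += [(sec, dst, "dns", frozenset())] * 3000
                recs += [(sec, dst, "tcp", frozenset({"SYN"}))] * 5000
    return recs
```

On the synthetic capture the detector raises both alert kinds for both hosts only in seconds 3 to 5, which is the signal a defender would correlate across destinations to recognise one campaign rather than unrelated events.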
Below is an outline of the attack characteristics and defensive measures as observed by Akamai's Security Intelligence Research Team (SIRT).
In the course of this investigation, the SIRT worked with Akamai's FastDNS team. The FastDNS team noticed considerable attack traffic even though Xor was not being aimed at us. It's possible the adversary is employing a multi-vendor DDoS approach and that all the DNS traffic we see is attributable to Xor. That said, we are reasonably certain that Xor is behind all the SYN flood activity.
Akamai's SIRT expects Xor DDoS activity to continue as attackers refine and perfect their methods.
This will likely result in a more diverse selection of DDoS attack types included in future versions of the malware. Xor DDoS malware is part of a wider trend of which companies must be aware: Attackers are targeting poorly configured and unmaintained Linux systems for use in botnets and DDoS campaigns.
A decade ago, Linux was seen as the more secure alternative to Windows environments, which suffered the lion's share of attacks at the time, and companies increasingly adopted Linux as part of their security-hardening efforts.
As the number of Linux environments has grown, the potential opportunity and rewards for criminals have also grown.
Attackers will continue to evolve their tactics and tools; security professionals should therefore continue to harden their Linux-based systems accordingly.
The full case study can be accessed at http://www.stateoftheinternet.com/resources-web-security-threat-advisories-2015-fast-dns-xor-botnet.html.