Story image

CDNetworks explains the brute force of XOR.DDoS attacks

11 Aug 16

Last year the world was affected by a mass-scale XOR.DDoS attack against Linux PCs at a rate of over 150 Gbps. The malware in question, Malware.XOR.DDoS, was detected in 2014 and has been the subject of many research analyses.

While the original attack targeted Linux, the newer version can also attack Windows PCs, turning them into 'zombie' PCs through the Command & Control (C&C) server.

The XOR.DDoS creates huge volumes of data and meaningless strings in the SYN flood attack, which CDNetworks says is a serious threat as most companies do not have the network processing capacity to deal with the data. In addition, the attack uses TCP, which the small network line can't block.

The report found that 77.1% of the attacks have occurred in China and the United States, mainly in Linux servers that use cloud services and in large-scale cloud service providers, the report found. It suggests that SSH Services (22/TCP) are being used in most attacks, cloud systems without proper security management are most likely to have been hacked.

CDNetworks says the SYN and data flooding can theoretically be blocked if SYN packets with data are detected. The company recommends using a SYN cookie that is effective against spoofing attacks.

The cookie compares sequencing the SYN and if they are not identical, the packet is discarded. Alternatively, First SYN DROP can be another effective method of blocking attacks.

"This technique works by saving the first SYN packet information in the memory and dropping the packet. If the session request is normal, the same IP will send the SYN request again. If the request is made for attack, another SYN request from another IP will be received," a statement from CDNetworks says.

The company recommends investing in a large-scale network line to counteract large TCP attacks, such as in the case of XOR.DDoS.

Hillstone CTO's 2019 security predictions
Hillstone Networks CTO Tim Liu shares what key developments could be expected in the areas of security compliance, cloud, security, AI and IoT.
Can it be trusted? Huawei’s founder speaks out
Ren Zhengfei spoke candidly in a recent media roundtable about security, 5G, his daughter’s detainment, the USA, and the West’s perception of Huawei.
Oracle Java Card update boosts security for IoT devices
"Java Card 3.1 is very significant to the Internet of Things, bringing interoperability, security and flexibility to a fast-growing market currently lacking high-security and flexible edge security solutions."
Sophos hires ex-McAfee SVP Gavin Struther
After 16 years as the APAC senior vice president and president for McAfee, Struthers is now heading the APJ arm of Sophos.
Half of companies unable to detect IoT device breaches
A Gemalto study also shows that the of blockchain technology to help secure IoT data, services and devices has doubled in a year.
Huawei founder publically denies spying allegations
“After all the evidence is made public, we will rely on the justice system.”
Malware downloader on the rise in Check Point’s latest Threat Index
Organisations continue to be targeted by cryptominers, despite an overall drop in value across all cryptocurrencies in 2018.
IoT breaches: Nearly half of businesses still can’t detect them
The Internet of Thing’s (IoT’s) rapid rise to prominence may have compromised its security, if a new report from Gemalto is anything to go by.