- Akamai’s Prolexic Security Engineering and Research Team (PLXsert) detected and measured distributed denial of service (DDoS) campaigns driven by the IptabLes IptabLex botnet.
- The bots produce significant payloads by executing Domain Name System (DNS) and SYN flood attacks.
- An observed campaign peaked at 119 Gbps of bandwidth and 110 Mpps of packet volume.
- Observed incidents suggest the binary connects back to two hardcoded IP addresses in China.
- The binary (ELF) will only run on Linux systems. The binary and the exploits used to break into the Linux systems are not co-dependent.
Mitigating this threat to Linux systems involves patching and hardening the Linux system, antivirus detection, and cleaning infected systems.
- To mitigate possible infection by this binary, first harden the exposed web platform and services by applying patches and updates from the respective software vendors and developers. Links are provided in the advisory.
- SANS Institute provides fundamental Linux server hardening procedures, which can be accessed from the advisory.
- At the time of the advisory, VirusTotal reported only 23 out of 54 antivirus engines detecting this threat.
- Two bash commands are provided to clean a system infected with the ELF IptabLes binary.
Rate limiting and a YARA rule are provided to stop DDoS attacks from IptabLes and IptabLex bots.
- DDoS attackers will typically target a domain with these attacks.
- A target web server will receive the SYN flood on port 80 or other port deemed critical for the server’s operation.
- The DNS flood will typically flood a domain’s DNS server with requests.
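As an added example (not code from the Akamai advisory), the following Python sketch flags the two traffic patterns described above, a SYN flood against a web server's port 80 and a request flood against a domain's DNS server, by counting packets per destination in one-second windows. The flow records, addresses and thresholds are constructed assumptions.

```python
from collections import defaultdict

# Constructed sample flow records (not captured traffic): one tuple per packet,
# (ts_seconds, src_ip, dst_ip, proto, dst_port, tcp_flags).  tcp_flags uses
# 'S' for SYN-only and 'SA' for SYN+ACK; UDP packets carry ''.
SAMPLE_FLOWS = (
    # 400 SYN-only packets to the web server's port 80 inside one second,
    # from many distinct sources: the SYN flood pattern.
    [(10.0 + i / 400, f"198.51.100.{i % 250}", "203.0.113.10", "tcp", 80, "S")
     for i in range(400)]
    # 300 UDP packets to the authoritative DNS server's port 53 in one second.
    + [(10.0 + i / 300, f"192.0.2.{i % 250}", "203.0.113.53", "udp", 53, "")
       for i in range(300)]
    # Background: a normal handshake start, its SYN+ACK, and one DNS lookup.
    + [(10.5, "192.0.2.7", "203.0.113.10", "tcp", 80, "S"),
       (10.5, "203.0.113.10", "192.0.2.7", "tcp", 51000, "SA"),
       (11.2, "192.0.2.9", "203.0.113.53", "udp", 53, "")]
)

def detect_floods(flows, syn_threshold=200, dns_threshold=150):
    """Return flood alerts as (kind, window, dst_ip, dst_port, count) tuples.

    A SYN flood is flagged when SYN-only TCP packets to one (dst_ip, dst_port)
    reach syn_threshold within a one-second window; a DNS flood when UDP/53
    packets to one DNS server reach dns_threshold.  Thresholds are assumed
    values and should be tuned to the protected server's normal request rate.
    """
    syn = defaultdict(int)   # (window, dst_ip, dst_port) -> SYN-only count
    dns = defaultdict(int)   # (window, dst_ip) -> UDP/53 request count
    for ts, _src, dst, proto, dport, flags in flows:
        window = int(ts)
        if proto == "tcp" and flags == "S":
            syn[(window, dst, dport)] += 1
        elif proto == "udp" and dport == 53:
            dns[(window, dst)] += 1
    alerts = []
    for (window, dst, dport), n in sorted(syn.items()):
        if n >= syn_threshold:
            alerts.append(("syn_flood", window, dst, dport, n))
    for (window, dst), n in sorted(dns.items()):
        if n >= dns_threshold:
            alerts.append(("dns_flood", window, dst, 53, n))
    return alerts

if __name__ == "__main__":
    for kind, window, dst, port, n in detect_floods(SAMPLE_FLOWS):
        print(f"{kind}: {n} packets to {dst}:{port} in second {window}")
```

The same per-window counts are what a rate-limiting rule would key on; the background packets alone produce no alert.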