Published September 3, 2014

IptabLes and IptabLex DDoS Bots Threat Advisory

Malicious actors behind the IptabLes IptabLex botnet have produced significant DDoS attack campaigns, forcing target companies to seek expert DDoS protection. PLXsert anticipates further infestation and the expansion of this botnet.

What You’ll Learn

The IptabLes IptabLex DDoS Bot Threat Advisory includes mitigation details for enterprises, such as:

  • Indicators of infection
  • Analysis of the binary (ELF)
  • Payload initialization and persistence
  • Network code analysis
  • Case study of a DDoS attack campaign
  • How to harden Linux servers against exploits
  • Antivirus detection rates
  • Bash commands to clean an infected system
  • YARA rule to identify an ELF IptabLes payload
  • DDoS mitigation techniques

What You Need to Know

  • The IptabLes and IptabLex botnet is built from compromised Linux servers.
  • Attackers have exploited Linux servers that run unpatched versions of Apache Struts and Tomcat with vulnerabilities.
  • Misconfigured Elasticsearch instances have also been targeted.
  • Once the Linux system has been compromised, attackers escalate privileges and infect the system with IptabLes or IptabLex malware.
  • At the time of the advisory, the botnet has been used mainly to attack Entertainment verticals. The IptabLes IptabLex bots may be used to target other industries.
  • The IptabLes IptabLex DDoS bot observed at the time of the advisory shows signs of instability. More refined and stable versions could emerge in future DDoS attack campaigns.
  • To prevent further infestation and spread of the IptabLes IptabLex botnet, Linux administrators need to to identify and apply corrective measures.


  • Akamai’s Prolexic Security Engineering and Research Team (PLXsert) detected and measured distributed denial of service (DDoS) campaigns driven by the IptabLes IptabLex botnet.
  • The bots produce significant payloads by executing Domain Name System (DNS) and SYN flood attacks.
  • An observed campaign peaked at 119 Gbps bandwidth and 110 Mpps in volume.
  • Observed incidents suggest the binary connects back to two hardcoded IP addresses in China.
  • The binary (ELF) will only run on Linux systems. The binary and the exploits used to break in to the Linux systems are not co-dependent.

System Hardening

Mitigating this threat to Linux systems involves patching and hardening the Linux system, antivirus detection, and cleaning infected systems.

  • To mitigate against possible infection from this binary it is necessary to first harden the exposed web platform and services by applying patches and updates from the respective software vendors and developers. Links are provided in the advisory.
  • SANS Institute provides fundamental Linux server hardening procedures, which can be accessed from the advisory.
  • At the time of the advisory, VirusTotal reported only 23 out of 54 antivirus engines detecting this threat.
  • Two bash commands are provided to clean a system infected with the ELF IptabLes binary.

DDoS Mitigation

Rate limiting and a YARA rule are provided to stop DDoS attacks from IptabLes and IptabLex bots.

  • DDoS attackers will typically target a domain with these attacks.
  • A target web server will receive the SYN flood on port 80 or other port deemed critical for the server’s operation.
  • The DNS flood will typically flood a domain’s DNS server with requests.

Related IptabLes and IptabLex DDoS Bots Threat Advisory Assets

Contact Us