Understanding a XOR.DDoS attack

In September 2015, a mass-scale XOR.DDoS attack exceeding 150 Gbps was carried out using Linux malware. XOR.DDoS is the name of the malware that infects Linux systems, not the name of the attack. It was first detected in September 2014, and analyses of the malware have since been published by several security companies and blogs. This post and the attached report present an analysis of XOR.DDoS and how to counter it.


Traditional attacks exploited existing Linux vulnerabilities to misuse the system. XOR.DDoS, however, turns Windows PCs into zombie PCs and launches attacks through a Command & Control (C&C) server.

The XOR.DDoS attack overwhelms the network by generating a mass volume of data, including meaningless strings carried inside SYN packets. This is a very serious threat because the data volume exceeds the network processing capacity of most companies. Previously, mass UDP traffic could be blocked upstream; XOR.DDoS, however, uses TCP, which a small network line cannot block.

What is a brute force attack?
A brute force attack tries many candidate passwords until it finds the correct one. There are several variants: the dictionary attack, which tries combinations of words to recover the decryption key or password; the random attack, which tries every possible key; and the rainbow attack, which uses a precomputed hash table.


77.1% of XOR.DDoS attacks have occurred in China and the U.S.A., mainly against Linux servers hosted on cloud services. Many large-scale cloud service providers were also victims of XOR.DDoS attacks. In addition, because the SSH service (22/TCP) is involved in most cases, it is assumed that cloud systems without proper management were compromised.
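Since the post ties the infections to exposed SSH services, a defender's first check is whether a host is being brute-forced over 22/TCP. The following is an added example, not code from the original post or the attached report: it parses constructed sshd `auth.log` lines and raises an alert when one source IP accumulates a threshold of failed logins inside a sliding time window. The log lines, host name, IP addresses and the threshold/window values are all constructed for the demonstration.

```python
import re
from collections import defaultdict, deque
from datetime import datetime

# Constructed sshd log excerpt in syslog format (not taken from any real host).
AUTH_LOG = """\
Sep 12 10:15:01 web01 sshd[2210]: Failed password for root from 203.0.113.45 port 51022 ssh2
Sep 12 10:15:03 web01 sshd[2210]: Failed password for root from 203.0.113.45 port 51022 ssh2
Sep 12 10:15:06 web01 sshd[2214]: Failed password for invalid user admin from 203.0.113.45 port 51030 ssh2
Sep 12 10:15:09 web01 sshd[2214]: Failed password for invalid user admin from 203.0.113.45 port 51030 ssh2
Sep 12 10:15:12 web01 sshd[2219]: Failed password for invalid user oracle from 203.0.113.45 port 51041 ssh2
Sep 12 10:15:15 web01 sshd[2219]: Failed password for invalid user oracle from 203.0.113.45 port 51041 ssh2
Sep 12 10:20:40 web01 sshd[2301]: Failed password for deploy from 198.51.100.7 port 40112 ssh2
Sep 12 10:20:55 web01 sshd[2301]: Accepted publickey for deploy from 198.51.100.7 port 40112 ssh2: RSA SHA256:PLACEHOLDER
Sep 12 10:21:02 web01 sshd[2305]: Failed password for deploy from 198.51.100.7 port 40120 ssh2
"""

# Matches only the "Failed password" events; "Accepted ..." lines are ignored.
FAILED_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2}\s+\d{1,2} \d{2}:\d{2}:\d{2}) \S+ sshd\[\d+\]: "
    r"Failed password for (?:invalid user )?(?P<user>\S+) from (?P<ip>[\d.]+) port \d+ ssh2$"
)


def parse_failures(text: str, year: int = 2015):
    """Return a list of (timestamp, source_ip, user) for each failed SSH login.

    syslog timestamps carry no year, so the caller supplies one (assumption).
    """
    events = []
    for line in text.splitlines():
        m = FAILED_RE.match(line.strip())
        if not m:
            continue
        ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
        events.append((ts, m["ip"], m["user"]))
    return events


def detect_bruteforce(events, threshold: int = 5, window_s: int = 60):
    """Sliding-window counter per source IP.

    Returns {ip: timestamp} for the moment each IP first reached `threshold`
    failures within any `window_s`-second span.
    """
    recent = defaultdict(deque)   # ip -> timestamps of failures still in window
    alerts = {}
    for ts, ip, _user in sorted(events):
        q = recent[ip]
        q.append(ts)
        while (ts - q[0]).total_seconds() > window_s:
            q.popleft()
        if len(q) >= threshold and ip not in alerts:
            alerts[ip] = ts
    return alerts


if __name__ == "__main__":
    failures = parse_failures(AUTH_LOG)
    for ip, when in detect_bruteforce(failures).items():
        print(f"ALERT: {ip} reached threshold at {when}")   # 203.0.113.45 at 10:15:12
```

In the sample, only 203.0.113.45 trips the threshold; the two failures from 198.51.100.7 around a successful key login stay below it. The same counter can feed a block list or a rate limiter, but the more durable fix for the exposure the post describes is key-only SSH authentication and restricting 22/TCP to management networks.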

Countermeasures against XOR.DDoS attacks
The XOR.DDoS attack is carried out as SYN flooding with data attached. A SYN packet only opens the 3-way handshake and does not need to carry any data. If SYN packets with data are detected, the XOR.DDoS attack can be defeated by blocking all such SYN packets. In addition, SYN cookies are useful against the SYN flooding and SYN spoofing attacks that both occurred in 2015, because a SYN cookie is effective against spoofing.
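The detection rule above ("a SYN should not carry data") is easy to express over raw packets. The following is an added example, not code from the original post or the report: it builds constructed IPv4/TCP frames, parses the IP header length, TCP data offset and flags, and reports every initial SYN (SYN set, ACK clear) whose payload length is greater than zero. The addresses, ports and payload contents are constructed; checksums are left zero because they are irrelevant to the check.

```python
import socket
import struct

# TCP flag bits (low byte of the flags field).
TCP_FIN, TCP_SYN, TCP_RST, TCP_PSH, TCP_ACK = 0x01, 0x02, 0x04, 0x08, 0x10


def build_ipv4_tcp(payload: bytes, flags: int,
                   src: str = "203.0.113.10", dst: str = "198.51.100.5") -> bytes:
    """Build a minimal IPv4+TCP frame for testing (constructed data, checksums zero)."""
    total_len = 20 + 20 + len(payload)
    ip_hdr = struct.pack("!BBHHHBBH4s4s",
                         0x45,             # version 4, IHL 5 (20-byte header)
                         0, total_len,     # DSCP/ECN, total length
                         0x1234, 0x4000,   # identification, DF flag
                         64, 6, 0,         # TTL, protocol 6 = TCP, checksum unset
                         socket.inet_aton(src), socket.inet_aton(dst))
    tcp_hdr = struct.pack("!HHIIBBHHH",
                          40000, 80,       # source port, destination port
                          1000, 0,         # sequence number, ack number
                          5 << 4,          # data offset: 5 words = 20 bytes
                          flags, 65535,    # flags, window
                          0, 0)            # checksum unset, urgent pointer
    return ip_hdr + tcp_hdr + payload


def classify_frame(frame: bytes):
    """Parse one IPv4 frame. Returns None for non-TCP, else a summary dict."""
    if len(frame) < 20 or frame[0] >> 4 != 4:
        raise ValueError("not an IPv4 frame")
    ihl = (frame[0] & 0x0F) * 4
    total_len = struct.unpack("!H", frame[2:4])[0]
    if frame[9] != 6:
        return None
    tcp = frame[ihl:total_len]
    if len(tcp) < 20:
        raise ValueError("truncated TCP header")
    data_offset = (tcp[12] >> 4) * 4
    flags = tcp[13]
    payload_len = len(tcp) - data_offset
    # An initial SYN has SYN set and ACK clear; SYN-ACKs are not of interest here.
    initial_syn = bool(flags & TCP_SYN) and not (flags & TCP_ACK)
    return {
        "src": socket.inet_ntoa(frame[12:16]),
        "dst": socket.inet_ntoa(frame[16:20]),
        "sport": struct.unpack("!H", tcp[0:2])[0],
        "flags": flags,
        "payload_len": payload_len,
        "syn_with_data": initial_syn and payload_len > 0,
    }


def find_syn_with_data(frames):
    """Return (src, payload_len) for every initial SYN that carries a payload."""
    hits = []
    for frame in frames:
        info = classify_frame(frame)
        if info and info["syn_with_data"]:
            hits.append((info["src"], info["payload_len"]))
    return hits


if __name__ == "__main__":
    sample = [
        build_ipv4_tcp(b"", TCP_SYN),                               # normal SYN
        build_ipv4_tcp(b"\x00" * 900, TCP_SYN, src="192.0.2.77"),   # SYN stuffed with junk
        build_ipv4_tcp(b"GET / HTTP/1.1\r\n", TCP_ACK | TCP_PSH),  # data after the handshake
    ]
    print(find_syn_with_data(sample))   # [('192.0.2.77', 900)]
```

One caveat before turning this into a hard block: TCP Fast Open (RFC 7413) legitimately places data in a SYN, so on networks where TFO is enabled the rule should be scoped to services that do not use it, or applied as a rate limit rather than an unconditional drop.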

The SYN cookie blocks SYN spoofing effectively by encoding the cookie value in the sequence number of the SYN-ACK and then checking, when the final packet of the handshake arrives, that the number it returns minus 1 equals the cookie value. The server does not need to hold state or wait for the response; if the two values do not match, the packet is simply discarded. Therefore, the SYN cookie is a very effective way to block spoofing attacks. Alternatively, First SYN DROP can serve as a second countermeasure. This technique stores the information from the first SYN packet in memory and drops the packet. If the session request is legitimate, the same IP will retransmit the SYN request. If the request is part of an attack, the next SYN request will instead arrive from a different IP.
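Both countermeasures in this paragraph can be shown side by side in a few dozen lines. The following is an added example, not code from the original post or the report, and it is a simplified model rather than the Linux kernel's implementation: the cookie is an HMAC over the 4-tuple and a coarse time tick, sent as the SYN-ACK sequence number, and the final ACK is accepted only when its acknowledgment number minus 1 reproduces that cookie (the "SEQ - 1 = cookie" check above). The First SYN DROP class keeps the first SYN of each 4-tuple in a small expiring table and admits only a retransmission of it. The secret, addresses, ports, tick values and expiry age are constructed for the demonstration.

```python
import hashlib
import hmac
import socket
import struct

# Constructed demo secret; a real server derives one at boot and keeps it private.
COOKIE_SECRET = b"constructed-demo-secret"
MASK32 = 0xFFFFFFFF


def syn_cookie(src: str, dst: str, sport: int, dport: int, tick: int,
               secret: bytes = COOKIE_SECRET) -> int:
    """32-bit cookie bound to the connection 4-tuple and a coarse time tick.

    The server places this value in the SYN-ACK sequence number instead of
    allocating a half-open connection, so a spoofed SYN costs it nothing.
    """
    msg = struct.pack("!4s4sHHI", socket.inet_aton(src), socket.inet_aton(dst),
                      sport, dport, tick)
    digest = hmac.new(secret, msg, hashlib.sha256).digest()
    return int.from_bytes(digest[:4], "big")


def verify_handshake_ack(src: str, dst: str, sport: int, dport: int,
                         ack_num: int, now_tick: int) -> bool:
    """Accept the final ACK only if ack_num - 1 equals the cookie we would have sent.

    The previous tick is also accepted so a client whose ACK straddles a tick
    boundary is not rejected; anything older is dropped without any state lookup.
    """
    expected = (ack_num - 1) & MASK32
    return any(syn_cookie(src, dst, sport, dport, t) == expected
               for t in (now_tick, now_tick - 1))


class FirstSynDrop:
    """Drop the first SYN of each 4-tuple; accept a retransmission within max_age seconds.

    A real client retransmits its SYN (same source port) after its timeout; a
    spoofed flood moves on to the next address and never returns.
    """

    def __init__(self, max_age: float = 30.0):
        self.max_age = max_age
        self.first_seen = {}   # (src, sport, dst, dport) -> time of first SYN

    def handle_syn(self, key, now: float) -> str:
        self._expire(now)
        if key not in self.first_seen:
            self.first_seen[key] = now
            return "DROP"
        return "ACCEPT"

    def _expire(self, now: float) -> None:
        # Bound memory use: forget tuples that never came back.
        for k in [k for k, t in self.first_seen.items() if now - t > self.max_age]:
            del self.first_seen[k]


if __name__ == "__main__":
    client, server, sport, dport, tick = "203.0.113.10", "198.51.100.5", 40000, 80, 100
    isn = syn_cookie(client, server, sport, dport, tick)       # sent in SYN-ACK
    print("genuine ACK accepted:", verify_handshake_ack(client, server, sport, dport, (isn + 1) & MASK32, tick))
    print("forged ACK accepted:", verify_handshake_ack(client, server, sport, dport, 12345, tick))

    fsd = FirstSynDrop()
    key = (client, sport, server, dport)
    print(fsd.handle_syn(key, 0.0), fsd.handle_syn(key, 1.0))    # DROP ACCEPT
```

First SYN DROP trades one retransmission timeout of added latency for every new connection against a very cheap filter, which is why it is presented as the second choice after SYN cookies; the cookie check costs nothing per spoofed SYN and adds no latency for legitimate clients.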

Read the full report with countermeasures here


A large-scale network line is necessary to counter massive TCP attacks such as XOR.DDoS. The CDN industry can provide services that counter DDoS attacks. Because these services are cloud-based, their traffic processing capacity is very large and the cost is significantly lower than implementing equivalent capacity in each company. With these services, most companies can benefit substantially in both cost and time without the accompanying operational burden.
