Last year a mass-scale XOR.DDoS attack against Linux machines reached rates of over 150 Gbps. The malware in question, Malware.XOR.DDoS, was first detected in 2014 and has been the subject of many research analyses.
While the original attack targeted Linux, the newer version can also infect Windows PCs, turning them into ‘zombie’ machines controlled through a Command & Control (C&C) server.
XOR.DDoS pads its SYN flood with huge volumes of data and meaningless strings, which CDNetworks says is a serious threat, as most companies do not have the network capacity to absorb the traffic. In addition, the attack uses TCP, which a small network link cannot block.
The report found that 77.1% of the attacks occurred in China and the United States, mainly on Linux servers using cloud services and at large-scale cloud service providers. It suggests that SSH services (22/TCP) are the entry point in most attacks, and that cloud systems without proper security management are the most likely to have been compromised.
CDNetworks says the SYN and data flooding can, in theory, be blocked by detecting SYN packets that carry data, since a legitimate SYN normally carries no payload (TCP Fast Open being the exception). The company recommends SYN cookies, which are effective against spoofed-source attacks.
With SYN cookies the server encodes the connection state in the sequence number of its SYN-ACK instead of allocating memory for the half-open connection; when the client's ACK arrives, its acknowledgement number is checked against that cookie and the packet is discarded if it does not match. Alternatively, First SYN Drop can be another effective method of blocking attacks.
“This technique works by saving the first SYN packet's information in memory and dropping the packet. If the session request is normal, the same IP will send the SYN request again. If the request is made for attack, another SYN request from another IP will be received,” a statement from CDNetworks says.
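The three checks described above (dropping SYNs that carry data, First SYN Drop, and SYN cookies) combined into one small listener front end, as an added simulation that is not CDNetworks' product logic or anything from the XOR.DDoS malware. The cookie layout (a 5-bit time slot plus a 27-bit HMAC tag), the 6-second retransmit window, the secret and all addresses are assumptions; the traffic is constructed inline: one legitimate handshake, one forged ACK, and a spoofed flood of 1000 single-shot SYNs, half of them padded with junk data.

```python
import hashlib
import hmac
from dataclasses import dataclass
from typing import Dict, Optional, Set, Tuple

# Added illustration; not CDNetworks' or XOR.DDoS code. Slot length,
# retransmit window, secret and addresses are assumptions.

FourTuple = Tuple[str, int, str, int]


@dataclass
class Packet:
    src: str
    sport: int
    dst: str
    dport: int
    syn: bool
    ack: bool
    seq: int = 0
    ack_num: int = 0
    payload: bytes = b""


class SynFilter:
    """Drop SYNs carrying data, drop the first SYN per 4-tuple and accept the
    retransmission, then answer with a SYN cookie so no state is allocated
    until the client's ACK proves it received the SYN-ACK."""

    SLOT_SECONDS = 64        # cookie time slot; current and previous slot accepted
    RETRANSMIT_WINDOW = 6.0  # assumed: real stacks retransmit a SYN after ~1 s, 2 s, 4 s

    def __init__(self, secret: bytes):
        self.secret = secret
        self.pending: Dict[FourTuple, float] = {}  # 4-tuple -> time of its first SYN
        self.established: Set[FourTuple] = set()

    def _cookie(self, key: FourTuple, slot: int) -> int:
        # ISN = 5-bit time slot | 27-bit HMAC tag over the 4-tuple and the slot.
        # Simplified from the Linux layout, which also encodes the MSS.
        tag = hmac.new(self.secret, f"{key}|{slot}".encode(), hashlib.sha256).digest()
        mac = int.from_bytes(tag[:4], "big") & 0x07FFFFFF
        return ((slot & 0x1F) << 27) | mac

    def _cookie_valid(self, key: FourTuple, isn: int, now: float) -> bool:
        slot = isn >> 27
        cur = int(now // self.SLOT_SECONDS) & 0x1F
        if slot not in (cur, (cur - 1) & 0x1F):
            return False  # stale or forged time slot
        expect = self._cookie(key, slot).to_bytes(4, "big")
        return hmac.compare_digest(expect, isn.to_bytes(4, "big"))

    def process(self, pkt: Packet, now: float) -> Tuple[str, Optional[int]]:
        """Return (verdict, isn); isn is set only when a SYN-ACK is sent."""
        key = (pkt.src, pkt.sport, pkt.dst, pkt.dport)
        if pkt.syn and not pkt.ack:
            if pkt.payload:
                return "DROP: SYN carrying data", None
            first = self.pending.get(key)
            if first is None or now - first > self.RETRANSMIT_WINDOW:
                self.pending[key] = now      # remember it, but do not answer
                return "DROP: first SYN", None
            del self.pending[key]            # retransmitted: a real stack is behind it
            isn = self._cookie(key, int(now // self.SLOT_SECONDS) & 0x1F)
            return "SYN-ACK", isn
        if pkt.ack and not pkt.syn:
            if key in self.established:
                return "ACCEPT", None
            if self._cookie_valid(key, (pkt.ack_num - 1) & 0xFFFFFFFF, now):
                self.established.add(key)    # connection state is allocated only now
                return "ESTABLISHED", None
            return "DROP: bad cookie", None
        return "DROP: unexpected flags", None


def simulate() -> dict:
    """Run constructed traffic through the filter and tally the verdicts."""
    f = SynFilter(b"assumed-per-host-secret")
    server = ("198.51.100.10", 80)
    out = {}

    # Legitimate client: SYN, retransmitted SYN one second later, then the ACK.
    client = ("203.0.113.7", 40001) + server
    v1, _ = f.process(Packet(*client, syn=True, ack=False, seq=1000), now=100.0)
    v2, isn = f.process(Packet(*client, syn=True, ack=False, seq=1000), now=101.0)
    v3, _ = f.process(Packet(*client, syn=False, ack=True, seq=1001,
                             ack_num=(isn + 1) & 0xFFFFFFFF), now=101.05)
    out["legit"] = (v1, v2, v3)

    # ACK from a host that never saw a SYN-ACK (guessed acknowledgement number).
    bogus = ("203.0.113.9", 40002) + server
    out["forged_ack"] = f.process(Packet(*bogus, syn=False, ack=True,
                                         ack_num=0x12345678), now=101.1)[0]

    # Spoofed flood: every SYN from a fresh source, odd ones padded with 900 bytes.
    flood = []
    for i in range(1000):
        pkt = Packet(f"192.0.2.{i % 254 + 1}", 1024 + i, *server, syn=True, ack=False,
                     seq=i, payload=b"\x00" * 900 if i % 2 else b"")
        flood.append(f.process(pkt, now=102.0 + i / 1000)[0])
    out["flood_syn_ack_sent"] = flood.count("SYN-ACK")
    out["flood_dropped_data"] = flood.count("DROP: SYN carrying data")
    out["flood_dropped_first"] = flood.count("DROP: first SYN")
    out["pending_entries"] = len(f.pending)  # only a timestamp per spoofed 4-tuple
    return out


if __name__ == "__main__":
    print(simulate())
```

The legitimate client is delayed by one SYN retransmission (one second on a Linux client, the RFC 6298 initial RTO), which is the cost of First SYN Drop; the spoofed flood never gets a SYN-ACK and costs the server only a timestamp per source rather than a half-open connection. On a Linux server the kernel's own implementation of the cookie half is enabled with `net.ipv4.tcp_syncookies=1`.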
The company also recommends investing in a large-capacity network link to absorb large TCP attacks such as XOR.DDoS.