Mitigations for Spike DDoS toolkit-powered attacks

Akamai Technologies released, through the company’s Prolexic Security Engineering & Response Team (PLXsert), a new cybersecurity threat advisory that alerts enterprises to a high-risk threat of powerful distributed denial of service (DDoS) attacks from the Spike DDoS toolkit. With this toolkit, malicious actors are building bigger DDoS botnets by targeting a wider range Internet-capable devices.

The multi-vector toolkit can launch infrastructure-based and application-based DDoS payloads. Attacks include SYN flood, UDP flood, Domain Name System (DNS) query flood, and GET floods. Several campaigns have been reported against hosts in Asia and the United States. DDoS attack campaigns launched from the botnet have targeted Akamai customers. One DDoS attack campaign mitigated by the company peaked at 215 gigabits per second (Gbps) and 150 million packets per second (Mpps).

The Spike DDoS toolkit runs on a Windows system, but it can communicate and execute commands to Windows, Linux and ARM-based devices infected with its binary payloads. The ability to generate an ARM-based binary payload suggests that the authors of this malicious tool are seeking to control devices such as routers and Internet of Things (IoT) devices (i.e., smart thermostat systems and washer/dryers). The capability to infect and control a broader range of devices could allow DDoS attackers to propagate botnets in a post-PC era.

Most the infrastructure DDoS attacks launched by the Spike DDoS toolkit can be mitigated by implementing access control lists (ACLs) that filter out unwanted traffic. To mitigate against the toolkit’s application-layer GET flood attack, PLXsert has produced a SNORT signature, which is available in the threat advisory.

The multi-platform infection code in this kit increases the threat’s complexity and sophistication and makes it necessary to apply system hardening measures to each of the targeted operating systems and platforms. Links to industry recommended hardening techniques are provided to system administrators in the advisory. The advisory also provides a YARA rule to identify bot payloads used to infect devices and make them part of the botnet.

PLXsert anticipates further infestation and the expansion of this DDoS botnet.

The advisory (registration required) also includes the following information:

  • Indicators of binary infection
  • Command and control panel
  • Toolkit variations
  • Bot initialization
  • DDoS payloads
  • Details of an observed attack campaign
  • DDoS mitigation
  • System hardening resources.

Don't miss