Home & Office

Incompetence, not Linux, is behind the XOR DDoS botnet

Linux is inherently more secure than Windows but a badly managed Linux server will still be more insecure than a well-administered Windows system.
Written by Steven Vaughan-Nichols, Senior Contributing Editor

I get really, really tired of stories that make it sound like Linux has become more insecure.

No, it hasn't.

Here are some simple security truths.

First, no operating system or program is secure. Some are more secure than others. So sure, Linux is inherently more secure than Windows. But a badly managed Linux server will still be more insecure than a well-administered Windows system.

That's because of the second fundamental security truth. Security guru Bruce Schneier summed it up well 15-years ago, is "Security is a process, not a product."

Here's how all this comes together in the latest "Linux" security problem: The XOR DDoS botnet.

This is a botnet that indeed runs on Linux systems. It's a nasty one. According to Akamai, the content delivery network and Internet security company, XOR Distributed Denial of Service attacks have hit over 150 Gigabits per second (Gbps) rates.

This malware has been around for over a year. The oldest report I know of it dates back to August 2014. It's only recently gotten a lot of attention.

So. how does XOR DDoS infect Linux systems? Let's start with how it doesn't do it. XOR DDoS does not use any unpatched Linux vulnerability. That's because, well, there aren't any.

Oh, Linux gets holes like any other operating system. For example, GHOST, a security hole in the Linux GNU C Library (glibc), was ugly. Such security holes don't tend to last for long in Linux servers because anyone with a room-tempature IQ patches their servers. Security holes aren't hidden from the public the way they are on some operating systems. They're found, revealed, and patched in double-quick time.

This method is called "open source." It works. It often makes great, and, generally speaking, more secure software.

Say, however, that you have morons in charge of Linux systems. Say, for example, they don't patch their system. Or, is in the case of XOR DDoS, they enable secure shell (ssh) for remote administration over the Internet and they don't secure them.

Well, guess what? That's exactly what some idiots do.

When it's not trying to knock servers off the Internet, XOR DDoS scans the net for Linux servers with minimally protected ssh servers. Once they've found them, they try to brute-force guess the passwords. Of course, anyone with a clue would block repeated failed ssh logging attempts, but we've already established this sysadmin is a moron. Once in, the program installs the XOR DDoS malware on the computer. It then uses rootkit-like techniques to hide.

So, how can you prevent XOR DDoS getting its nose in the tent?

It's pretty simple. You use good passwords or, better still, a password and an encryption key. You should also allow access to ssh only from specific Internet Protocol (IP) addresses and users; and block login attempts after multiple failed attempts.

I know, really hard stuff, isn't it?

You can also disable root access to any user who uses ssh. Yes, most of you only use ssh when you need to work as root, but you don't need to leave the door open. If you need to perform a root operation, just use sudo. This also has the advantage of forcing the attacker to deal with another level of password protection.

Another good idea is to simply change ssh's default port from 22 to some port above 1024. People who do this as a matter of course often use port 2222. I recommend you don' use it because everyone knows that port 2222 is the ssh alternative port, including hackers. Instead use another port.

This method can come with its own set of problems. For example, you'll need to set your firewalls and ssh-enabled apps to work with the new port number. Off the cuff, though, I think this would stop 99 percent of all attempted ssh break-ins before they even get started.

So, before you blame Linux for your security troubles, look at your administrators. As is so often the case you'll find that your real security problem isn't XOR DDoS it's PEBCAK (Problem Exists Between Chair And Keyboard).

Related Stories:

Editorial standards