Shellshock (Bash bug) Vulnerability | DDoS Botnet | Presentation Slideshow


Shellshock (Bash Bug) DDoS Botnet Highlights from a State of the Internet Threat Advisory

akamai.com


= what is shellshock (bash bug)?
• Shellshock is a critical vulnerability in GNU Bash (Bourne Again Shell)
  ⁄ Affects versions 1.03 - 4.3
• Also called Bash bug
• Malicious actors exploit the Bash bug vulnerability to download and execute payloads on victim machines
• Most Linux-based systems, Mac OS X and Cygwin are vulnerable
• Capable of launching DDoS attacks, stealing sensitive information and breaching other systems

2 / [state of the internet] / threat advisory


= PLXsert observations about this threat
• Akamai’s infrastructure was tested by a DDoS Internet relay chat (IRC) botnet
• PLXsert recorded the IRC conversation, providing analysis of the Shellshock Bash vulnerability and botnet-building
• More than 22,000 unique attacking IP addresses identified from 10 different countries


Global distribution of the botnet IP addresses


= DDoS capabilities
• Shellshock has several distributed denial of service (DDoS) capabilities
• The Perl scripts placed on the compromised hosts exhibit DDoS functions, specifically UDP and TCP payloads
• The UDP flood function consists of four flood payloads:
  ⁄ IGMP
  ⁄ UDP
  ⁄ ICMP
  ⁄ TCP (SYN)



= a variety of industries have been targeted
• Online gaming
• Consumer electronics
• Online email marketing
• Travel
• Online advertising
• Online media streaming
• Government
• Software



= how attackers use shellshock (bash bug)
• Bash (Bourne Again Shell) is the shell, or command language interpreter, for the GNU operating system
• Web applications that use the Common Gateway Interface (CGI) method to serve dynamic content are at risk for the Bash bug
• Some of the earlier patches failed to address the flaw in its entirety, leading to additional patches
• On fully patched systems, remote exploitation attempts of this type will be unsuccessful



= system hardening and vulnerability mitigation
• Check internal and external web servers for this type of application and others that may potentially pass input to Bash
• Update and patch vulnerable hosts as soon as possible
• Mobile phones, embedded devices and desktops, laptops and servers may be targeted; patch these devices
• Upgrade to a new version of Bash, replace Bash with an alternate shell, limit access or filter inputs to vulnerable services
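
One way to check web server logs for the kind of input the hardening list says to filter, as an added example that is not taken from the advisory. It assumes Apache/Nginx "combined" log format and the publicly documented `() {` function-definition prefix that Bash mis-parsed in environment variables; the function names and log lines are constructed for illustration.

```python
import re
from collections import Counter

# Assumption (not stated on the slides): Shellshock probes carry a Bash
# function-definition prefix "() {" in a request field, which CGI copies
# into an environment variable before Bash is started.
FUNC_DEF = re.compile(r"\(\s*\)\s*\{")

# Apache/Nginx "combined" format: ip, ident, user, [time], "request",
# status, bytes, "referer", "user-agent". Escaped quotes are tolerated.
COMBINED = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] '
    r'"(?P<request>(?:[^"\\]|\\.)*)" \d{3} \S+ '
    r'"(?P<referer>(?:[^"\\]|\\.)*)" "(?P<agent>(?:[^"\\]|\\.)*)"'
)

# Constructed sample lines (documentation IP ranges, harmless payload text).
SAMPLE_LOG = [
    '192.0.2.10 - - [01/Jan/2000:10:00:01 +0000] "GET /index.html HTTP/1.1" 200 512 "-" "Mozilla/5.0"',
    '203.0.113.7 - - [01/Jan/2000:10:00:02 +0000] "GET /cgi-bin/status HTTP/1.0" 200 0 "-" "() { :; }; echo constructed-sample"',
    '203.0.113.7 - - [01/Jan/2000:10:00:03 +0000] "GET /cgi-bin/test.cgi HTTP/1.0" 404 0 "() { :;}; echo constructed-sample" "-"',
    '198.51.100.4 - - [01/Jan/2000:10:00:04 +0000] "GET /app.js HTTP/1.1" 200 90 "-" "Mozilla/5.0 (compatible; sample())"',
]


def find_probes(lines):
    """Return (source_ip, field, path) for each line carrying the prefix."""
    hits = []
    for line in lines:
        m = COMBINED.match(line)
        if not m:
            continue  # skip lines in another format rather than guess
        for field in ("request", "referer", "agent"):
            if FUNC_DEF.search(m.group(field)):
                parts = m.group("request").split()
                path = parts[1] if len(parts) > 1 else "-"
                hits.append((m.group("ip"), field, path))
                break  # one hit per log line is enough
    return hits


def probes_per_source(lines):
    """Count flagged requests per source IP, for triage or ACL review."""
    return Counter(ip for ip, _, _ in find_probes(lines))


if __name__ == "__main__":
    for ip, count in probes_per_source(SAMPLE_LOG).most_common():
        print(f"{ip}\t{count} request(s) with a function-definition prefix")
```

Combined-format logs record only the request line, Referer and User-Agent, so input arriving in other headers will not show up in this scan.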



= recommended DDoS mitigation
• Akamai Web Application Firewall (WAF) protections are available to assist customers of Kona Web Application Firewall and Kona Site Defender services
• The DDoS UDP and TCP flood can be mitigated with ACL rules
• Akamai customers have options to minimize the risk of a breach and to mitigate DDoS attacks enabled by this vulnerability



= shellshock (bash bug) threat advisory
Threat Advisory: Shellshock (Bash Bug) DDoS Botnet toolkit
• Download the threat advisory, Shellshock (Bash Bug) DDoS Botnet
• This threat advisory includes:
  ⁄ Vulnerable Bash versions
  ⁄ Details of the attack on Akamai’s infrastructure
  ⁄ DDoS building capabilities of binary payloads
  ⁄ Types of DDoS attacks
  ⁄ IRC conversation from within the DDoS botnet
  ⁄ How to mitigate this vulnerability
  ⁄ Sources of UNIX and Linux vendor patch information
  ⁄ DDoS mitigation



= about stateoftheinternet.com
• StateoftheInternet.com, brought to you by Akamai, serves as the home for content and information intended to provide an informed view into online connectivity and cybersecurity trends as well as related metrics, including Internet connection speeds, broadband adoption, mobile usage, outages, and cyber-attacks and threats.
• Visitors to www.stateoftheinternet.com can find current and archived versions of Akamai’s State of the Internet (Connectivity and Security) reports, the company’s data visualizations, and other resources designed to put context around the ever-changing Internet landscape.

