This week, Internet content delivery service Akamai Technologies, Inc. published a cybersecurity advisory revealing a staggering new distributed denial of service (DDoS) attack botnet named XOR that is capable of attacks in excess of 150 gigabytes per second (Gbps). The botnet is made up of Linux machines infected with a Trojan designed to hijack systems running that OS.

The full threat advisory details and mitigation details are available for download at Akamai’s State of the Internet website.

“Over the past year, the XOR DDoS botnet has grown and is now capable of being used to launch huge DDoS attacks,” said Stuart Scholly, senior vice president and general manager, Security Business Unit, Akamai. “XOR DDoS is an example of attackers switching focus and building botnets using compromised Linux systems to launch DDoS attacks. This happens much more frequently now than in the past, when Windows machines were the primary targets for DDoS malware.”

The breadth and reach of the XOR DDoS botnet

Researchers at Akamai’s Security Intelligence Response Team (SIRT) has shown that the XOR botnet has been involved in low bandwidth attacks around one Gbps and has been involved in attacks up to 150 Gbps, which is an extremely large attack size. The most common target of this botnet has been the gaming sector, followed by educational institutions.

According to researchers, the XOR botnet has been involved in 20 attacks per day, 90 percent of which of which occurred in Asia.

Of the attacks profiled in the threat advisory documented August 22-23 showed one that exceeded 179 Gbps and one that nearly reached 109 Gbps.

The two attack vectors observed being used by the botnet were SYN and DNS floods.

During a SYN flood an attacker sends SYN packets to every port on the targeted server. SYN packets are used when establishing a connection. Once received the server acknowledges and awaits a response, enough SYN packets and the server may be unable to answer further requests. The result is a service failure.

DNS floods are extremely similar but instead target domain name services (DNS) in an attempt to overwhelm network resources.

In 2014, Arbor Networks released a report showing the largest reported attack occurred during the second quarter weighing in at about 154 Gbps. while the average attack size kept quite lower at around 12 Gbps. This puts the XOR botnet in the very big leagues even for 2015. Akamai’s own State of the Internet report for Q2 2015 showed that there were only 12 DDoS attacks in excess of 100 Gbps (doubled from 2014 Q2) with a year-over-year decrease in peak volumes.

Danger to the video game industry increases

As cited by the Akamai SIRT researchers the video game industry is particularly vulnerable to DDoS attacks and represented the largest targeted market for the XOR botnet.

Already the ease and power of DDoS has been seen wielded by Internet mayhem groups such as Lizard Squad, who are credited with taking down Xbox Live and the PlayStation Network on Christmas Day in 2014. And more recently, Cryptic Studios Inc. properties Star Trek Online and Neverwinter Online were struck by a cybercriminal and taken offline by a DDoS attack.

Lizard Squad’s involvement also draws attention to the evolution of the DDoS-for-hire market, which was described by NexusGuard Ltd. as a command and control system to provide access to an attack botnet.

During an interview with SiliconANGLE Nelson Rodriguez, senior industry marketing manager, said that the video game industry is a unique target for DDoS attacks.

In particular, unlike other business applications video games often run at almost peak traffic in most circumstances due to the nature of gaming: once logged in and playing gaming clients are “always-on” and don’t poll for data periodically like other applications. This means that any extra traffic hitting the server can easily tip it over and bring the service crashing down.

Also due to the always-on capacity, games are highly susceptible to latency. When using a web app, a user might notice when a page takes just a half-second longer to load than usual, but when in a video game a sword-swing not hitting until a half-second later or a spray of bullets not landing until a half-second later is immersion breaking. As a result, smaller DDoS attack can have highly disruptive effects.

It would take a botnet such as XOR very little effort to cause massive disruption to many popular video game services from World of Warcraft, Destiny, and, as we’ve already seen Xbox Live and PlayStation Network.

Featured image credit: Photo via Pixabay