shellshock (bash bug) vulnerability | ddos botnet | presentation slideshow

akamai.com Shellshock (Bash Bug) DDoS Botnet Highlights from a State of the Internet Threat Advisory

Upload: akamai

Post on 16-Jul-2015


Page 1: Shellshock (Bash bug) Vulnerability | DDoS Botnet | Presentation Slideshow

akamai.com

Shellshock (Bash Bug) DDoS Botnet Highlights from a State of the Internet Threat Advisory


= what is shellshock (bash bug)?

• Shellshock is a critical vulnerability in GNU Bash (Bourne Again Shell)

  ⁄ Affects versions 1.03 - 4.3

• Also called Bash bug

• Malicious actors exploit the Bash bug vulnerability to download and execute payloads on victim machines

• Most Linux-based systems, Mac OS X and Cygwin are vulnerable

• Capable of launching DDoS attacks, stealing sensitive information and breaching other systems

2 / [state of the internet] / threat advisory


= PLXsert observations about this threat

• Akamai’s infrastructure was tested by a DDoS Internet relay chat (IRC) botnet

• PLXsert recorded the IRC conversation, providing analysis of the Shellshock Bash vulnerability and botnet-building

• More than 22,000 unique attacking IP addresses identified from 10 different countries

[Figure: Global distribution of the botnet IP addresses]


= DDoS capabilities

• Shellshock has several distributed denial of service (DDoS) capabilities

• The Perl scripts placed on the compromised hosts exhibit DDoS functions, specifically UDP and TCP payloads

• The UDP flood function consists of four flood payloads:

  • IGMP

  • UDP

  • ICMP

  • TCP (SYN)


= a variety of industries have been targeted

• Online gaming

• Consumer electronics

• Online email marketing

• Travel

• Online advertising

• Online media streaming

• Government

• Software


= how attackers use shellshock (bash bug)

• Bash (Bourne Again Shell) is the shell, or command language interpreter, for the GNU operating system

• Web applications that use the Common Gateway Interface (CGI) method to serve dynamic content are at risk for the Bash bug

• Some of the earlier patches failed to address the flaw in its entirety, leading to additional patches

• Once a system is fully patched, remote exploitation attempts of this type will be unsuccessful


= system hardening and vulnerability mitigation

• Check internal and external web servers for this type of application and others that may potentially pass input to Bash

• Update and patch vulnerable hosts as soon as possible

• Mobile phones, embedded devices and desktops, laptops and servers may be targeted; patch these devices

• Upgrade to a new version of Bash, replace Bash with an alternate shell, limit access, or filter inputs to vulnerable services
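To support the server check above, here is an added example (not part of the Akamai advisory or slides) that scans web server access logs for request headers beginning with a Bash function definition, the input a CGI server would pass to Bash in an environment variable. It assumes Apache Combined Log Format; the function names, the whitespace-tolerant pattern and the sample log lines are constructed for illustration.

```python
import re
from collections import defaultdict

# A header value that starts with a Bash function definition, "() {".
# Whitespace between the tokens is tolerated as a conservative choice.
FUNC_DEF = re.compile(r"\s*\(\s*\)\s*\{")

# Combined Log Format: ip ident user [time] "request" status size "referer" "agent"
LOG_LINE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<request>(?:[^"\\]|\\.)*)" (?P<status>\d{3}) \S+ '
    r'"(?P<referer>(?:[^"\\]|\\.)*)" "(?P<agent>(?:[^"\\]|\\.)*)"$'
)

# Constructed sample lines: documentation IP ranges and a harmless marker command.
SAMPLE_LOG = """\
192.0.2.10 - - [01/Oct/2014:10:00:01 +0000] "GET /cgi-bin/status HTTP/1.1" 200 512 "-" "Mozilla/5.0"
198.51.100.7 - - [01/Oct/2014:10:00:05 +0000] "GET /cgi-bin/status HTTP/1.1" 200 0 "-" "() { :; }; echo constructed-marker"
198.51.100.7 - - [01/Oct/2014:10:00:09 +0000] "GET /cgi-bin/test.cgi HTTP/1.1" 404 0 "() { :;}; echo constructed-marker" "-"
203.0.113.44 - - [01/Oct/2014:10:01:12 +0000] "GET /index.html?q=f(){} HTTP/1.1" 200 900 "-" "curl/7.38"
not a log line
"""


def scan(log_text):
    """Return (hits, skipped); hits maps source IP -> [(time, field), ...]."""
    hits = defaultdict(list)
    skipped = 0
    for line in log_text.splitlines():
        m = LOG_LINE.match(line)
        if not m:
            skipped += 1  # count unparsed lines instead of silently dropping them
            continue
        # Referer and User-Agent reach a CGI program as the environment
        # variables HTTP_REFERER and HTTP_USER_AGENT.
        for field in ("referer", "agent"):
            if FUNC_DEF.match(m.group(field)):
                hits[m.group("ip")].append((m.group("time"), field))
    return dict(hits), skipped


if __name__ == "__main__":
    hits, skipped = scan(SAMPLE_LOG)
    for ip, events in sorted(hits.items()):
        print(ip, len(events), events)
    print("unparsed lines:", skipped)
```

Only headers that the log format records are visible to this check; probes carried in other headers need those headers added to the log format first.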


= recommended DDoS mitigation

• Akamai Web Application Firewall (WAF) protections are available to assist customers of Kona Web Application Firewall and Kona Site Defender services

• The DDoS UDP and TCP flood can be mitigated with ACL rules

• Akamai customers have options to minimize the risk of a breach and to mitigate DDoS attacks enabled by this vulnerability


= shellshock (bash bug) threat advisory

Threat Advisory: Shellshock (Bash Bug) DDoS Botnet toolkit

• Download the threat advisory, Shellshock (Bash Bug) DDoS Botnet

• This threat advisory includes:

  ⁄ Vulnerable Bash versions

  ⁄ Details of the attack on Akamai’s infrastructure

  ⁄ DDoS building capabilities of binary payloads

  ⁄ Types of DDoS attacks

  ⁄ IRC conversation from within the DDoS botnet

  ⁄ How to mitigate this vulnerability

  ⁄ Sources of UNIX and Linux vendor patch information

  ⁄ DDoS mitigation


= about stateoftheinternet.com

• StateoftheInternet.com, brought to you by Akamai, serves as the home for content and information intended to provide an informed view into online connectivity and cybersecurity trends as well as related metrics, including Internet connection speeds, broadband adoption, mobile usage, outages, and cyber-attacks and threats.

• Visitors to www.stateoftheinternet.com can find current and archived versions of Akamai’s State of the Internet (Connectivity and Security) reports, the company’s data visualizations, and other resources designed to put context around the ever-changing Internet landscape.
