[clug] DDos attacks using Linux hosts. (the-sky-is-falling now a "thing", according to the Aztec calendar)

Scott Ferguson scott.ferguson.clug at gmail.com
Thu Sep 8 11:25:35 UTC 2016


Thanks Chris, and Hal, I was tempted to respond when I initially read
Steve's post but...

On 08/09/16 17:14, Chris Smart wrote:
> On Wed, Sep 07, 2016 at 12:40:19PM +1000, steve jenkin wrote:
>> Just using Linux is no longer a protection against hackers.

And never, ever, has been. *1 (except in the world of security with 120
character limitations and face-painting fan bois). I'm not certain Steve
meant it to read that way - perhaps he's just experimenting with the
current school of copywriting.

Likewise Apple or [insert name of operating system here]
:)

The fact remains that Linux, properly administered and deployed, can be
"secure enough". If the system is documented any root kit can be
detected with external audits (i.e. whilst it is not live). Note that
chkrootkit and rkhunter are not sufficient protection - though a
properly configured and monitored transparent proxy will detect all but
the most sophisticated side-channelling. And, relying on the integrity
of every internet connected device to protect against DDOS attacks just
encourages vegetables to find work as network/firewall administrators.

> 
> Really, though? Isn't this more about vulnerable operating systems in
> general? I mean, if I can get root on a box I can make it do anything
> (even a Linux box). I don't think that this is a particularly new
> problem.

The proliferation of cheap computing devices has led to an increase in
the number of vulnerable devices - this has nothing to do with the
inherent weakness of the OS and everything to do with the way the OS has
been thrown together to meet a market demand for cheap devices,
exacerbated by lack of updates (driven by a market demand for constant
production of new devices). E.g. the recent discovery of a browser
trusted certificate embedded in the firmware of Aruba network devices (an
HP company).

Given that Linux rules the server, mobile platform and micro devices
it's no surprise that it should result in an increase in attractive
targets for bot-ware.

The increase in the number of desktops running Linux "managed" by
amateur sysadmins (who get their "knowledge" piecemeal from Google
university and are unable to tell the difference between a physicist and
a chauffeur) due to the popularity of distros that promise unattainable
combinations of simplicity and security - has also increased the number
of vulnerable user administered devices. This is not a problem specific
to any particular OS (it's a shoot-foot scenario that gun laws won't
change).

Convenience is the arch-enemy of security.

In both unattended and attended computers the major factor is the
increase in the amount of resources dedicated to taking advantage of
vulnerabilities.

> 
> I do think that an up-to-date Linux box is still the best protection
> against computer crackers. The problem, as the article points out, is
> the growing number of vulnerable, never-updated Linux based IoT devices
> (and routers).

Agreed. Sadly such rational thinking does little to ameliorate the
growing trend of click-bait the-sky-is-falling stories - in this case
rooted in yet another product promotion by Trend Micro.

> 
> While out-dated, un-patched, vulnerable IoT devices _seems_ bad, I'm
> hoping it will help us to defeat the inevitable rise of the machines
> (well that, and IPv6)!

:) What's wrong with IPv6? Anything is better than what my networking
instructor described as the drinking water from urine process called NAT.
Now if we could just do something to stop BYOD and Ffffacebook.... ;p


Kind regards

> 
> -c
> 

*1  Unix rootkits have been around since at least 1990 (Lane Davis and
Riley Drake). Windows rootkits have been around for a long time too (NT
Rootkit, Greg Hoglund).
https://books.google.com.au/books?id=h37q2q3wvcUC&pg=PA276&redir_esc=y#v=onepage&q&f=false
Log cleaners have been around since at least 1989.

-- 
/* rooty.c: minimal loadable kernel module skeleton */
#include <linux/module.h>
#include <linux/init.h>
#include <linux/kernel.h>

MODULE_LICENSE("GPL");
int rooty_init(void);
void rooty_exit(void);
module_init(rooty_init);
module_exit(rooty_exit);

int rooty_init(void) {
 printk(KERN_INFO "rooty: module loaded\n");
 return 0;
}

void rooty_exit(void) {
 printk(KERN_INFO "rooty: module removed\n");
}

# Makefile (recipe lines must be tab-indented)
obj-m := rooty.o
KERNEL_DIR = /lib/modules/$(shell uname -r)/build
PWD := $(shell pwd)
all:
	$(MAKE) -C $(KERNEL_DIR) M=$(PWD) modules
clean:
	rm -rf *.o *.ko *.symvers *.mod.* *.order
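The external, not-live audit argued for in the body of the post (a documented system checked from outside, which is what chkrootkit/rkhunter do not give you), as an added example that is not part of the original post: a baseline manifest of path, permission bits and SHA-256 is taken from the documented tree, and a later offline copy of the filesystem is diffed against it. The directory layout, file contents and the "rooty.ko" drop are constructed sample data; the audit is assumed to run from a clean host against a read-only mount of the image under test.

```python
# Offline file-integrity audit (added example, not from the original post).
import hashlib
import os
import shutil
import stat
import tempfile


def sha256_file(path):
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(1 << 16), b""):
            h.update(chunk)
    return h.hexdigest()


def build_manifest(root):
    """Map each regular file (path relative to root) to (permission bits, sha256)."""
    manifest = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            full = os.path.join(dirpath, name)
            st = os.lstat(full)  # lstat: never follow symlinks out of the image
            if stat.S_ISREG(st.st_mode):
                rel = os.path.relpath(full, root)
                manifest[rel] = (stat.S_IMODE(st.st_mode), sha256_file(full))
    return manifest


def audit(baseline, current):
    """Return (added, removed, modified) relative paths, each sorted."""
    added = sorted(set(current) - set(baseline))
    removed = sorted(set(baseline) - set(current))
    modified = sorted(p for p in baseline if p in current and baseline[p] != current[p])
    return added, removed, modified


def put(root, rel, data):
    """Write constructed sample content at rel under root (creates parent dirs)."""
    path = os.path.join(root, rel)
    os.makedirs(os.path.dirname(path), exist_ok=True)
    with open(path, "wb") as f:
        f.write(data)


def demo():
    """Constructed tree: take the baseline, then audit a tampered offline copy of it."""
    root = tempfile.mkdtemp()
    put(root, "bin/ls", b"ELF original ls\n")
    put(root, "bin/ps", b"ELF original ps\n")
    baseline = build_manifest(root)  # recorded while the system is documented and trusted
    put(root, "bin/ls", b"ELF trojaned ls\n")  # content change: shows up as modified
    put(root, "lib/modules/rooty.ko", b"ELF module\n")  # new file: shows up as added
    os.remove(os.path.join(root, "bin/ps"))  # deleted tool: shows up as removed
    try:
        return audit(baseline, build_manifest(root))
    finally:
        shutil.rmtree(root)
```

The manifest itself must be stored off the audited host (it is only as trustworthy as the place it is kept), and the comparison is only meaningful when the image is mounted read-only from a host that is not running the suspect kernel.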
