Among the headlines in the tech press last week was news of a massive Linux botnet that was apparently crippling various sites on the Internet with 150Gbps of traffic. After reading a number of reports that lacked important detail and even seemed to lay the blame on Linux, I feel the need to set a few things straight.
First, the fact that this botnet is built on compromised Linux systems is irrelevant. It says nothing at all about Linux or Linux system security -- because those systems were compromised through brute-force attacks on open SSH ports. Those attacks were successful due in large part to simple passwords and poor security used by vendors pumping out cheap broadband routers.
Second, anyone who has run a Unix-based system on a public network for any length of time knows that brute-force login attempts occur constantly -- and are easily thwarted. One such system I manage has drawn more than 27,000 unique brute-force attempts in the past few months. Another averages several hundred unique attempts a week. Of course, these attempts are heavily mitigated due to tools that detect and stop this kind of attack. Denyhosts and fail2ban monitor log files for persistent login attempts from unique IP addresses and block them at the network level so that they lose all access to whatever vector they were trying to compromise.
In the context of the XOR botnet, we’re talking about poorly designed embedded Linux systems that not only lack basic protections against brute-force login attacks, but don’t even enforce sensible password policies. This has more to do with unconscionably bad vendor practices than any other factor.
Frankly, if you must have a security problem, an issue with brute-force login attempts is the best one to have. It can be easily mitigated and controlled, and it comes through a well-known vector with copious logging. In short, it should generally count as an annoyance, not a problem. The real security problems come from unknown and unknowable vectors, such as a bug in an accessible service or app that doesn’t require a login or have any type of useful logging. Those are the kind you can’t see -- and can’t protect against unless and until you’ve already been compromised.
While many seem to think that operating systems play the largest role in computer security, the fact is most successful attacks come through third-party code such as Web applications. Just as SSH ports draw brute-force login attempts, publicly available Web servers see the same type of attacks on HTTP ports. These attacks look for common apps that might be running and, if found, will use known exploits to compromise the system in some fashion.
An extremely common vector here is WordPress, which has a spotty security history. An old WordPress installation running on any system is essentially an open door for attackers. The same server that withstood tens of thousands of unique brute-force SSH attempts in recent months also saw tens of thousands of attempts of this type across a similar timeframe. In fact, WordPress attacks are seen at a rate of several hundred a day. Other HTTP attacks are common, and it probably bears mention that a good number of these attacks come from systems running on AWS.
I suppose Linux no longer needs defending against hyperbolic assertions of gaps in functionality and security these days. But there was a time -- many years in the late 1990s through the late 2000s -- that Linux needed staunch defenders to combat the avalanche of misinformation generated through concerted efforts to minimize Linux growth. We don’t hear much about Linux vs. Windows anymore, nor about Linux deficiencies in function or security -- the track record is too long and prominent. Windows and Linux have somewhat settled into place with Linux running the Internet, and Windows running corporate desktops and basic corporate NOS tasks.
Thus, Akamai should be ashamed of this statement discussing the botnet:
A decade ago, Linux was seen as the more secure alternative to Windows environments, which suffered the lion’s share of attacks at the time, and companies increasingly adopted Linux as part of their security-hardening efforts. As the number of Linux environments has grown, the potential opportunity and rewards for criminals has also grown. Attackers will continue to evolve their tactics and tools and security professionals should continue to harden their Linux based systems accordingly.
This statement says almost nothing useful, but does so in a way that appears to paint Linux as the problem. A better way to say this: "Don't use simple default admin passwords on embedded systems and leave logins open." That's a universal truth, and it’s the crux of this issue.
Certainly the XOR botnet is a formidable threat, but it’s made possible through incompetence and ignorance, not fundamental problems with an operating system. It’s not a security problem, but a people problem, and those are nearly impossible to fix.