lecture 4 iot botnet measurements
play

Lecture #4: IoT Botnet Measurements Cristian Hesselman, Elmer - PowerPoint PPT Presentation

Sep 30, 2023 •275 likes •608 views

Lecture #4: IoT Botnet Measurements Cristian Hesselman, Elmer Lastdrager, Ramin Yazdani, and Etienne Khan University of Twente | May 13, 2020 Lab assignment (update) Two groups of 4: analyze three devices Group 3 no longer exists Paper

  1. Lecture #4: IoT Botnet Measurements Cristian Hesselman, Elmer Lastdrager, Ramin Yazdani, and Etienne Khan University of Twente | May 13, 2020

  2. Lab assignment (update) • Two groups of 4: analyze three devices • Group 3 no longer exists

  3. Paper summaries • You must have handed in your two summaries BEFORE this lecture • You can use the summaries during the oral exam (“open book”) • You cannot complete SSI without submitting 12 paper summaries!

  4. Interactive Lecture • Goal: enable you to learn from each other and further increase your understanding of the papers (contributes to preparing yourself for the oral exam) • Format: 1. We’ll ask someone to provide their verbal summary of the paper 2. 5-slide(-ish) summary by teachers (put any questions in the chat) 3. Questions: discussion starters and fact questions 4. Discussion (use your mic) 5. We may ask someone specific to start the discussion • Experimental format resulting from Corona pandemic, please provide feedback!

  5. Today’s papers • [Mirai] M. Antonakakis, T. April, M. Bailey, M. Bernhard, E. Bursztein, J. Cochran, Z. Durumeric, J. A. Halderman, L. Invernizzi, M. Kallitsis, D. Kumar, C. Lever, Z. Ma, J. Mason, D. Menscher, C. Seaman, N. Sullivan, K. Thomas, and Y. Zhou, “Understanding the Mirai Botnet”, in: 26th USENIX Security Symposium, 2017 • [Hajime] S. Herwig, K. Harvey, G. Hughey, R. Roberts, and D. Levin, “Measurement and Analysis of Hajime, a Peer-to-peer IoT Botnet”, Network and Distributed Systems Security (NDSS) Symposium 2019, San Diego, CA, USA, February 2019

  6. “Understanding the Mirai Botnet”, s26th USENIX Security Symposium, 2017

  7. Mirai post-mortem • Impressive cooperation between = different vantage points: • Akamai Technologies, Cloudflare, Google, Merit Network • Georgia Institute of Technology, University of Illinois Urbana-Champaign, University of Michigan • x

  8. Quiz Botnets can be used for other purposes than launching DDoS attacks. For what other activity was the Mirai botnet used? A Bitcoin mining B Sending spam C Sharing videos D Click fraud

  9. Mirai inner working • Rapid stateless scanning: 23 and 2323 TCP SYN (seq num) • On connection: start brute force login (10 attempts) • Report successful login to hard- coded report server • (Async) infect with loader program. • Close ports and perform AV cleanup • C2 await commands

  10. Mirai from a network perspective • Active scanning: (Censys) • IoT Honeypot: 1028 unique samples and 67 C2 domains • Passive and Active DNS to find more C2 servers • C2 milker: 15.000 attacks

  11. Quiz How many hosts show Mirai-like SYN-scans in 2019? A 1k B 5k C 20k D 50k

  12. Mirai DDoS attacks • Volumetric, TCP State Exhaustion, Application-level attacks. • Most targets in USA (50%), France, UK. • Games • Mirai C2 servers • High-profile targets: Krebs on Security, Lonestar Cell (Liberia), Dyn.

  13. Mitigation of DDoS attacks DDoS scrubbing service DNS (Dyn): anycast

  14. Lessons learned Simple attack, lots of damage Automatic updates Device identification on network IoT end-of-life devices (externality) Connecting datasets gives a lot of information!

  15. Question What was the biggest ‘contribution’ of Mirai in your opinion? A Using IoT devices B Stateless scanning C Release code as Open Source D Taking down Dyn

  16. Volg ons SIDN.nl Discussion @SIDN SIDN

  17. “Measurement and Analysis of Hajime, a Peer-to-peer IoT Botnet”, Network and Distributed Systems Security (NDSS) Symposium, February 2019* * Figures and tables are from this paper, unless stated otherwise

  18. Time-sequence diagram from: G. Vormayr, T. Zseby, and J. Fabini, “Botnet Communication Patterns”, IEEE Hajime is based on active propagation Communications Surveys & Tutorials, September 2017 (A) Master issues updates of .i and .atk modules using config files (Section III.C) configure scan and exploit parameters (B) Bot’s .atk scans IPv4 address space (Section III.A) (C) Bot’s .atk tries access methods (Table I) (D) Victim downloads CPU-specific .i and .atk through uTP (Section III.B) (E) Victim’s .i registers with DHT (Section III.C)

  19. Quiz: Mirai vs. Hajime What’s one of the key differences between Mirai and Hajime? A. Mirai uses a central C&C botnet, Hajime a distributed C&C B. Hajime was an order of magnitude larger in terms of infected IoT devices than Mirai C. Mirai was much easier to analyze than Hajime D. Hajime evolved to exploit additional vulnerabilities, whereas Mirai did not

  20. Time-sequence diagram and table from: G. Vormayr, T. Zseby, and J. Fabini, “Botnet Communication Patterns”, IEEE Passive propagation (not in the paper) Communications Surveys & Tutorials, September 2017c

  21. Infections over time May 8, 2018 GPON exploit March 24, 2018 Chimay-Red exploit To 96K “?images” append From 43K to 71K/93K

  22. Quiz: botnet size The researchers count DHT keys to estimate the number of infected IoT devices. Why do they consider that method more accurate over time than counting IP addresses? A. The DHT that Hajime uses is based on keys B. IP addresses may change during the lifetime of a key C. The IPv6 address space is too large to scan D. None of the above

  23. Quiz: propagation rate The paper shows that the number of Hajime infections can spike significantly within the order of: A. Weeks B. Days C. Hours D. Seconds

  24. Propagation rate May 8, 2018 GPON exploit 96K in 31 hours March 24, 2018 Chimay-Red exploit 43K to 71K in an hour 43K to 93K in 24 hours

  25. TR-064 exploit Broadband provisioning CPE WAN Management Protocol (CWMP) https://en.wikipedia.org/wiki/TR-069 https://root-servers.org/ D-root operator: University of Maryland

  26. Quiz: TR-064 Why did the TR-064 vulnerability result in DNS queries on D-root? A. The .i module uses the DNS to locate other bots and get their config files B. The .itk module uses the DNS to locate the loader service to get the Hajime binaries C. The ISP operator attempts to configure an NTP server for the victim CPE device D. A non-vulnerable CPE device interprets the TR-064 command as a domain name

  27. TR-064 and the DNS DNS Root Operator Access Network (3) (2) Resolvers (4) TLD DNS Operator (5) (6) (1) (8) Non-TR-064 vulnerable CPE device Child DNS (7) operator

  28. Quiz: attack vector What was the Tbps range of the DDoS attacks that Hajime-infected IoT devices launched? A. > 1.5 Tbps B. 1 through 1.5 Tbps C. 0.5 through 1 Tbps D. 0 through 0.5 Tbps

  29. Hajime key takeaways • IoT botnets can grow in size quickly • IoT botnets can target a variety of CPU architectures, making honeypotting more difficult • IoT botnets can use P2P communications channels, making them more difficult to take down • IoT botnets require various datasets to analyze and the work requires multiple technical experts • … • Another others?

  30. Discussion: botnet lifetimes (discussion) • Why would the cleanup of IoT botnet take longer than for traditional bots?

  31. Discussion: botnet lifetimes (discussion) • Why would the cleanup of IoT botnet take longer than for traditional bots? • IoT bots stay undetected longer because devices operate more autonomously • IoT bots are more heterogenous, so more difficult to fix • IoT bots may interact with physical space, so s/w development takes more time • IoT bots are more heterogenous, so more difficult to honeypot • …

  32. Volg ons SIDN.nl Discussion & feedback @SIDN SIDN Next lecture: Wed May 20, 10:45-12:30 Topic: IoT honeypots

Download Presentation
Download Policy: The content available on the website is offered to you 'AS IS' for your personal information and use only. It cannot be commercialized, licensed, or distributed on other websites without prior consent from the author. To download a presentation, simply click this link. If you encounter any difficulties during the download process, it's possible that the publisher has removed the file from their server.

Recommend

MetaNet A botnet with Metasploit integration By : Matan Ramrazker, Guy Gelber What is a Botnet

MetaNet A botnet with Metasploit integration By : Matan Ramrazker, Guy Gelber What is a Botnet

MetaNet A botnet with Metasploit integration By : Matan Ramrazker, Guy Gelber What is a Botnet A Botnet is a software that is designed to perform simple automated and usually cyclical operations. Botnet management is performed remotely

507 views • 24 slides
Welcome to Storm ! The Storm botnet Reachability check Overnet (UDP) The Storm botnet

Welcome to Storm ! The Storm botnet Reachability check Overnet (UDP) The Storm botnet

Welcome to Storm ! The Storm botnet Reachability check Overnet (UDP) The Storm botnet Botmaster Hosted infrastructure HTTP proxies HTTP Proxy Infected machines bots TCP Workers The Storm botnet Botmaster Hosted infrastructure HTTP

517 views • 31 slides
A Date with Data Botnet Command and Control Through Tinder A Date with Data Botnet Command and

A Date with Data Botnet Command and Control Through Tinder A Date with Data Botnet Command and

A Date with Data Botnet Command and Control Through Tinder A Date with Data Botnet Command and Control Through Tinder (Almost) $whoami Nathaniel Beckstead Interests Blue team Homelab Network Security Find Me github.com/becksteadn

500 views • 22 slides
Botnets Leonidas Stylianou CS 682 23/04/2020 Lifecycle of a bot Infected host Botnet malware

Botnets Leonidas Stylianou CS 682 23/04/2020 Lifecycle of a bot Infected host Botnet malware

Botnets Leonidas Stylianou CS 682 23/04/2020 Lifecycle of a bot Infected host Botnet malware Botmaster controls becomes a bot and infects a host. the botnet. joins the botnet . Coordination of f bots with C&C server Bots query the

1k views • 58 slides
Dawn Song dawnsong@cs.berkeley.edu 1 What is a botnet? An army of compromised hosts

Dawn Song dawnsong@cs.berkeley.edu 1 What is a botnet? An army of compromised hosts

Botnet Analysis & Defense Dawn Song dawnsong@cs.berkeley.edu 1 What is a botnet? An army of compromised hosts (bots) coordinated via a command and control center (C&C). The perpetrator is usually called a botmaster.

409 views • 11 slides
Lecture 9 Introduction to Measurements Process Control Prof. Kannan M. Moudgalya IIT Bombay

Lecture 9 Introduction to Measurements Process Control Prof. Kannan M. Moudgalya IIT Bombay

Lecture 9 Introduction to Measurements Process Control Prof. Kannan M. Moudgalya IIT Bombay Wednesday, 7 August 2013 1/26 Process Control Introduction to Measurements Outline 1. Thermal measurements 2. Other measurements 3. About

426 views • 29 slides
A Framework for Understanding Botnets Justin Leonard, Shouhuai Xu, Ravi Sandhu University of T

A Framework for Understanding Botnets Justin Leonard, Shouhuai Xu, Ravi Sandhu University of T

A Framework for Understanding Botnets Justin Leonard, Shouhuai Xu, Ravi Sandhu University of T exas at San Antonio Overview Botnet Lifecycle Botnet Architecture Command and Control Mechanisms (C&C) Dynamic Graph Model Botnet

195 views • 18 slides
Take a deep breath: a Stealthy, Resilient and Cost-Effective Botnet Using Skype Antonio Nappa -

Take a deep breath: a Stealthy, Resilient and Cost-Effective Botnet Using Skype Antonio Nappa -

Introduction Advantages Skype Supernodes Botnet Our Model Features Communication protocol Experiments Limitations Countermeasures Take a deep breath: a Stealthy, Resilient and Cost-Effective Botnet Using Skype Antonio Nappa - Universit`

483 views • 16 slides
An Open Botnet Analysis Framework for An Open Botnet Analysis Framework for Automatic Tracking

An Open Botnet Analysis Framework for An Open Botnet Analysis Framework for Automatic Tracking

An Open Botnet Analysis Framework for An Open Botnet Analysis Framework for Automatic Tracking and Activity Visualization Automatic Tracking and Activity Visualization marco riccardi Italian Chapter - The Honeynet Project marco cremonini

393 views • 36 slides
Legal issues in measurements Markus Peuhkuri 2006-04-20 Lecture topics Legal issues governing

Legal issues in measurements Markus Peuhkuri 2006-04-20 Lecture topics Legal issues governing

Legal issues in measurements Markus Peuhkuri 2006-04-20 Lecture topics Legal issues governing measurements operator networks end user organisations Focus on Finland After this lecture

529 views • 7 slides
Network Security: Botnet Seungwon Shin GSIS, KAIST many slides from Dr. Yan Chen Definition Bot

Network Security: Botnet Seungwon Shin GSIS, KAIST many slides from Dr. Yan Chen Definition Bot

Network Security: Botnet Seungwon Shin GSIS, KAIST many slides from Dr. Yan Chen Definition Bot a software application that runs automated tasks over the Internet Botnet a collection of Internet-connected programs communicating with other

659 views • 39 slides
Challenges in Experimenting with Botnet Detection Systems Adam J. Aviv Andreas Haeberlen

Challenges in Experimenting with Botnet Detection Systems Adam J. Aviv Andreas Haeberlen

Challenges in Experimenting with Botnet Detection Systems Adam J. Aviv Andreas Haeberlen University of Pennsylvania August 8th, 2011 CSET-2011 1 Alice has developed a new botnet detector!!! What should the evaluation show? Alice's

767 views • 42 slides
Botnet Detection and Response The Network is the Infection David Dagon dagon@cc.gatech.edu

Botnet Detection and Response The Network is the Infection David Dagon dagon@cc.gatech.edu

Motivation/Overview Taxonomy Detection Response Botnet Detection and Response The Network is the Infection David Dagon dagon@cc.gatech.edu Georgia Institute of Technology College of Computing OARC Workshop, 2005 David Dagon Botnet

675 views • 45 slides
BotSniffer: Detecting Botnet Command and Control Channels in Network Traffic Guofei Gu, Junjie

BotSniffer: Detecting Botnet Command and Control Channels in Network Traffic Guofei Gu, Junjie

BotSniffer: Detecting Botnet Command and Control Channels in Network Traffic Guofei Gu, Junjie Zhang, and Wenke Lee College of Computing Georgia Institute of Technology 2008-2-25 Guofei Gu NDSS08 BotSniffer: Detecting Botnet C&C

379 views • 27 slides
Lecture 3/Chapter 3 Measurements, Mistakes, Misunderstandings Definitions: validity,

Lecture 3/Chapter 3 Measurements, Mistakes, Misunderstandings Definitions: validity,

Lecture 3/Chapter 3 Measurements, Mistakes, Misunderstandings Definitions: validity, reliability, bias, variability Pitfalls in survey questions Definitions (variables) Categorical variable : one whose values are qualitative (like

505 views • 24 slides
Threat analysis of a Cellular Botnet regarding DoS attacks (Bedrohungsanalyse von

Threat analysis of a Cellular Botnet regarding DoS attacks (Bedrohungsanalyse von

Lehrstuhl fr Netzarchitekturen und Netzdienste Institut fr Informatik Technische Universitt Mnchen Threat analysis of a Cellular Botnet regarding DoS attacks (Bedrohungsanalyse von Mobilfunk-Botnetzen im Hinblick auf DoS-Angriffe)

311 views • 20 slides
GENI as an Infrastructure to Study Malicious Overlay Networks Wenke Lee Georgia Ins=tute of

GENI as an Infrastructure to Study Malicious Overlay Networks Wenke Lee Georgia Ins=tute of

GENI as an Infrastructure to Study Malicious Overlay Networks Wenke Lee Georgia Ins=tute of Technology Goals Use GENI as a largescale distributed testbed for security research The best we can get if we cant experiment on the

354 views • 4 slides
Gerrit Concepts and Workflows (for Googlers: go/gerrit-explained) Edwin Kempin Google Munich

Gerrit Concepts and Workflows (for Googlers: go/gerrit-explained) Edwin Kempin Google Munich

Gerrit Code Review Gerrit Concepts and Workflows (for Googlers: go/gerrit-explained) Edwin Kempin Google Munich ekempin@google.com This presentation is based on a Git/Gerrit workshop that was developed by SAP. Credits go to

1.69k views • 96 slides
Geo-spatial Event Detection in the Twitter Stream Maximilian Walther and Michael Kaisser AGT

Geo-spatial Event Detection in the Twitter Stream Maximilian Walther and Michael Kaisser AGT

Geo-spatial Event Detection in the Twitter Stream Maximilian Walther and Michael Kaisser AGT International, J agerstrae 41, 10117 Berlin, Germany { mwalther,mkaisser } @agtinternational.com Abstract. The rise of Social Media services in the

552 views • 12 slides
Levels of Testing Chapter 12 Beyond unit testing Life cycle models What is a

Levels of Testing Chapter 12 Beyond unit testing Life cycle models What is a

Levels of Testing Chapter 12 Beyond unit testing Life cycle models What is a life cycle model of software development? What is the traditional life cycle model? LOT2 V-Model development & testing

565 views • 35 slides
TDDD04: Integration and System level testing Lena Buffoni lena.buffoni@liu.se Lecture plan

TDDD04: Integration and System level testing Lena Buffoni lena.buffoni@liu.se Lecture plan

TDDD04: Integration and System level testing Lena Buffoni lena.buffoni@liu.se Lecture plan Integration testing System testing Test automation Model-based testing 4 Remember? Testing in the waterfall model Requirement System

1.2k views • 81 slides
Policy Development Process & Policy Update Newcomers Session - 11 Sep 2020 ORGANISED

Policy Development Process & Policy Update Newcomers Session - 11 Sep 2020 ORGANISED

Policy Development Process & Policy Update Newcomers Session - 11 Sep 2020 ORGANISED BY Policy Development Process & Policy Update Madhvi Gokool 11 SEPTEMBER 2020 Why should you care? Public IP Number Resources are The

566 views • 23 slides
Bottom-up parsing LR parsing Construct parse tree for input from leaves up LR( k ) parsing

Bottom-up parsing LR parsing Construct parse tree for input from leaves up LR( k ) parsing

Bottom-up parsing LR parsing Construct parse tree for input from leaves up LR( k ) parsing reducing a string of tokens to single start symbol L eft-to-right scan of input, R ightmost derivation (inverse of deriving a string of tokens from

413 views • 5 slides
Bottom-Up Syntax Analysis Reinhard Wilhelm, Sebastian Hack, Mooly Sagiv Saarland University, Tel

Bottom-Up Syntax Analysis Reinhard Wilhelm, Sebastian Hack, Mooly Sagiv Saarland University, Tel

Bottom-Up Syntax Analysis Reinhard Wilhelm, Sebastian Hack, Mooly Sagiv Saarland University, Tel Aviv University W2015 Saarland University, Computer Science 1 Subjects Functionality and Method Example Parsers Derivation of a Parser

731 views • 43 slides

More recommend