Cleaning Up the Internet of Evil Things: Real-World Evidence on ISP and Consumer Efforts to Remove Mirai

Çetin, Orçun; Gañán, Carlos; Altena, Lisette; Kasama, Takahiro; Inoue, Daisuke; Tamiya, Kazuki; Ying, Taokai; Yoshioka, Katsunari; Eeten, Michel van

doi:10.14722/ndss.2019.23438

Cited by 37 publications

(59 citation statements)

References 8 publications

Supporting

Mentioning

Contrasting

Order By: Relevance

“…As a result, it is important to increase the difficulty to obtain botnets and to reduce the costs to deploy defense countermeasures. Unfortunately, with the massive usage of vulnerable IoT devices and the emergence of various powerful botnets (e.g., Mirai [3], [13]), this balance is shifted towards attackers quickly and the Internet is stricken by storms of larger and larger DDoS attacks more and more frequently [63], [76], [83]. Although we can scale up the scrubbing capacity by adding more servers or proprietary middleboxes, doing so raises the capital cost and operational complexity, which is not symmetric to the rapid growth of attack traffic nowadays.…”

Section: A Challenges In Ddos Defensementioning

confidence: 99%

Poseidon: Mitigating Volumetric DDoS Attacks with Programmable Switches

Zhang

Wang

et al. 2020

Proceedings 2020 Network and Distributed System Security Symposium

127

View full text Add to dashboard Cite

Distributed Denial-of-Service (DDoS) attacks have become a critical threat to the Internet. Due to the increasing number of vulnerable Internet of Things (IoT) devices, attackers can easily compromise a large set of nodes and launch highvolume DDoS attacks from the botnets. State-of-the-art DDoS defenses, however, have not caught up with the fast development of the attacks. Middlebox-based defenses can achieve high performance with specialized hardware; however, these defenses incur a high cost, and deploying new defenses typically requires a device upgrade. On the other hand, software-based defenses are highly flexible, but software-based packet processing leads to high performance overheads. In this paper, we propose POSEIDON, a system that addresses these limitations in today's DDoS defenses. It leverages emerging programmable switches, which can be reconfigured in the field without additional hardware upgrade. Users of POSEIDON can specify their defense strategies in a modular fashion in the form of a set of defense primitives; this can be further customized easily for each network and extended to include new defenses. POSEIDON then maps the defense primitives to run on programmable switches-and when necessary, on server software-for effective defense. When attacks change, POSEIDON can reconfigure the underlying defense primitives to respond to the new attack patterns. Evaluations using our prototype demonstrate that POSEIDON can effectively defend against highvolume attacks, easily support customization of defense strategies, and adapt to dynamic attacks with low overheads.

show abstract

Section: A Challenges In Ddos Defensementioning

confidence: 99%

Poseidon: Mitigating Volumetric DDoS Attacks with Programmable Switches

Zhang

Wang

et al. 2020

Proceedings 2020 Network and Distributed System Security Symposium

127

View full text Add to dashboard Cite

show abstract

“…Optionally, domains are also transferred to the "Registrar of Last Resort". Through sinkholing, law enforcement can then track how many and which infected hosts attempt to contact the domains [1] and aid in mitigation through notifications to network operators and infected users [22]. Domain seizures require a legal procedure such as a court order, while organizations could also request a takedown through a 'takedown notice' [42].…”

Section: B Taking Down the Avalanche Infrastructurementioning

confidence: 99%

“…By using the mean, we do not attach any statistical meaning to the absence of data and do not skew the distribution. (19)(20)(21)(22)(30)(31)(32)(33)(34)(35)(36) are set to zero and binary feature values (23)(24)(25)(26)(27)(28)(29) to false as no data means that DNS records for the domain were never queried, suggesting unpopularity. Table IX presents the performance metrics of the machine learning algorithms that we evaluate in Section V-B, for a base ensemble model trained and tested on the initial 2017 iteration.…”

Section: Appendix a Machine Learning Protocolmentioning

confidence: 99%

A Practical Approach for Taking Down Avalanche Botnets Under Real-World Constraints

Pochat¹,

hamme²,

Maroofi³

et al. 2020

Proceedings 2020 Network and Distributed System Security Symposium

View full text Add to dashboard Cite

“…Moreover, by means of applying filters to network telescope data in order to discern Mirai-relevant traffic, Antonakakis et al [5] were able to gather IoT-related information pertaining to roughly 1.2 million Mirai-infected IP addresses during 7 months, in addition to examining their associated detection-avoidance techniques. Cetin et al [12] conducted empirical studies on IoT malware cleanup efforts and remediation rates in a medium-sized Internet Service Provider (ISP) leveraging darknet and honeypot sources.…”

Section: Related Workmentioning

confidence: 99%

Data-driven Curation, Learning and Analysis for Inferring Evolving IoT Botnets in the Wild

Pour

Mangino

Friday

et al. 2019

Proceedings of the 14th International Conference on Availability, Reliability and Security

View full text Add to dashboard Cite

The insecurity of the Internet-of-Things (IoT) paradigm continues to wreak havoc in consumer and critical infrastructure realms. Several challenges impede addressing IoT security at large, including, the lack of IoT-centric data that can be collected, analyzed and correlated, due to the highly heterogeneous nature of such devices and their widespread deployments in Internet-wide environments. To this end, this paper explores macroscopic, passive empirical data to shed light on this evolving threat phenomena. This not only aims at classifying and inferring Internet-scale compromised IoT devices by solely observing such one-way network traffic, but also endeavors to uncover, track and report on orchestrated "in the wild" IoT botnets. Initially, to prepare the effective utilization of such data, a novel probabilistic model is designed and developed to cleanse such traffic from noise samples (i.e., misconfiguration traffic). Subsequently, several shallow and deep learning models are evaluated to ultimately design and develop a multi-window convolution neural network trained on active and passive measurements to accurately identify compromised IoT devices. Consequently, to infer orchestrated and unsolicited activities that have been generated by well-coordinated IoT botnets, hierarchical agglomerative clustering is deployed by scrutinizing a set of innovative and efficient network feature sets. By analyzing 3.6 TB of recent darknet traffic, the proposed approach uncovers a momentous 440,000 compromised IoT devices and generates evidence-based artifacts related to 350 IoT botnets. While some of these detected botnets refer to previously documented campaigns such as the Hide and Seek, Hajime and Fbot, other events illustrate evolving threats such as those with cryptojacking capabilities and those that are targeting industrial control system communication and control services. CCS CONCEPTS • Security and privacy → Embedded systems security; Network security; • Computing methodologies → Classification and regression trees; Neural networks.

show abstract

Cleaning Up the Internet of Evil Things: Real-World Evidence on ISP and Consumer Efforts to Remove Mirai

Cited by 37 publications

References 8 publications

Poseidon: Mitigating Volumetric DDoS Attacks with Programmable Switches

Poseidon: Mitigating Volumetric DDoS Attacks with Programmable Switches

A Practical Approach for Taking Down Avalanche Botnets Under Real-World Constraints

Data-driven Curation, Learning and Analysis for Inferring Evolving IoT Botnets in the Wild

Contact Info

Product

Resources

About