Metongnon, Lionel
[UCL]
Sadre, Ramin
[UCL]
With the arrival of the Internet of Things (IoT), more devices appear online with default credentials or lacking proper security protocols. Consequently, we have seen a rise of powerful DDoS attacks originating from IoT devices in recent years. In most cases the devices were infected by bot malware through the telnet protocol. This has led to several honeypot studies on telnet-based attacks. However, IoT installations also involve other protocols, for example for Machine-to-Machine communication. Those protocols often provide little security by default. In this paper, we present a measurement study on attacks against or based on those protocols. To this end, we use data obtained from a /15 network telescope and three honeypots with 15 IPv4 addresses. We find that telnet-based malware is still widely used and that infected devices are employed not only for DDoS attacks but also for cryptocurrency mining. We also see, although at a much lower frequency, that attackers are looking for IoT-specific services using MQTT, CoAP, UPnP, and HNAP, and that they target vulnerabilities of routers and cameras with HTTP.


Bibliographic reference
Metongnon, Lionel ; Sadre, Ramin. Beyond Telnet: Prevalence of IoT Protocols in Telescope and Honeypot Measurements. ACM SIGCOMM 2018 Workshop on Traffic Measurements for Cybersecurity (WTMC 2018) (Budapest, Hungary, from 20/08/2018 to 20/08/2018). In: Lionel Metongnon, Ramin Sadre, ACM SIGCOMM 2018 Workshop on Traffic Measurements for Cybersecurity (WTMC 2018), 2018, p.21-26
Permanent URL
http://hdl.handle.net/2078.1/200311