Conference PaperPDF Available

IoDDoS — The Internet of Distributed Denial of Service Attacks: A Case Study of the Mirai Malware and IoT-Based Botnets

Authors:
  • CAT Labs (https://catlabs.io/)

Abstract and Figures

The Internet of Things (IoT), a platform and phenomenon allowing everything to process information and communicate data, is populated by 'things' which are introducing a multitude of new security vulnerabilities to the cyber-ecosystem. These vulnerable 'things' typically lack the ability to support security technologies due to the required lightweightness and a rush to market. There have recently been several high-profile Distributed Denial of Service (DDoS) attacks which utilized a botnet army of IoT devices. We first discuss challenges to cybersecurity in the IoT environment. We then examine the use of IoT botnets, the characteristics of the IoT cyber ecosystem that make it vulnerable to botnets, and make a deep dive into the recently discovered IoT-based Mirai botnet malware. Finally, we consider options to mitigate the risk of IoT devices being conscripted into a botnet army.
Content may be subject to copyright.
IoDDoS — The Internet of Distributed Denial of Service Attacks
A Case Study of the Mirai Malware and IoT-Based Botnets
Roger Hallman, Josiah Bryan, Geancarlo Palavicini, Joseph Divita and Jose Romero-Mariona
US Department of Defense, SPAWAR Systems Center Pacific, San Diego, California, U.S.A.
Keywords: Internet of Things, Cybersecurity, Botnets, Mirai Malware, Emerging Threats.
Abstract: The Internet of Things (IoT), a platform and phenomenon allowing everything to process information and
communicate data, is populated by ‘things’ which are introducing a multitude of new security vulnerabilities to
the cyber-ecosystem. These vulnerable ‘things’ typically lack the ability to support security technologies due
to the required lightweightness and a rush to market. There have recently been several high-profile Distributed
Denial of Service (DDoS) attacks which utilized a botnet army of IoT devices. We first discuss challenges to
cybersecurity in the IoT environment. We then examine the use of IoT botnets, the characteristics of the IoT
cyber ecosystem that make it vulnerable to botnets, and make a deep dive into the recently discovered IoT-
based Mirai botnet malware. Finally, we consider options to mitigate the risk of IoT devices being conscripted
into a botnet army.
1 INTRODUCTION
On 20 September, 2016, the cybersecurity blog, Kreb-
sOnSecurity1, was the target of a massive Distributed
Denial of Service (DDoS) attack, exceeding 620 giga-
bits per second (GBps) (US-CERT, 2016). The attack
was initially unsuccessful, but nearly double the size
of the largest previously seen DDoS attack, according
to the internet security firm Akamai2, and the deci-
sion was made to suspend KrebsOnSecurity (Krebs,
2016b; Ragan, 2016). Less than a month later, a
DDoS attack was launched on the Domain Name Sys-
tem (DNS) provider Dyn3that was clocked at 1.2 ter-
abytes per second (TBps), the largest ever recorded
(Woolf, 2016). Both attacks were believed to have
been perpetrated by a conscripted botnet army, where
devices are infected by malware and connected to an
outside command and control (C&C) server, of Inter-
net of Things (IoT) devices (US-CERT, 2016; New-
man, 2016). There were additional reports of the
same family of IoT-based botnets launching DDoS
attacks against French webhost OVH (Bertino and Is-
lam, 2017) and Liberian mobile infrastructure (Krebs,
2016a). There have been growing concerns about
cybersecurity vulnerabilities in IoT systems that are
rushed to market, and the risk of IoT-based botnets
1http://krebsonsecurity.com/
2https://www.akamai.com/
3https://dyn.com/
has been theorized for several years (Holm, 2016;
Lin et al., 2014). The large DDoS attacks against
KrebsOnSecurity and Dyn demonstrate the magni-
tude of IoT security vulnerabilities and how unse-
cured ‘things’ on the internet may be conscripted into
an army capable of massive damage and disruption
(Symantec, 2016).
In this paper, we discuss the characteristics of the
IoT ecosystem that make its ‘things’ so vulnerable to
conscription for a massive botnet army and steps that
may be taken to mitigate these vulnerabilities. The
rest of this paper is organized as follows: Section
2 discusses IoT and gives examples of IoT environ-
ments as well as an overview of their cybersecurity
vulnerabilities. Section 3 gives a more in-depth anal-
ysis of botnets and DDoS attacks. Section 4 gives an
overview of the IoT-based botnets as well as an in-
depth analysis of the IoT-based botnet malware used
in the KrebsOnSecurity and Dyn DDoS attacks. Vul-
nerability mitigations will be dealt with in Section 5.
Finally, Section 6 will have concluding remarks.
2 THE IoT ECOSYSTEM
IoT is a platform and a phenomenon that allows ev-
erything to process information, communicate data,
and analyze context collaboratively or in the service
of individuals, organizations and businesses. IoT,
Hallman R., Bryan J., Palavicini G., Divita J. and Romero-Mariona J.
IoDDoS â ˘
Aˇ
T The Internet of Distributed Denial of Sevice Attacks - A Case Study of the Mirai Malware and IoT-Based Botnets.
DOI: 10.5220/0006246600470058
In Proceedings of the 2nd International Conference on Internet of Things, Big Data and Security (IoTBDS 2017), pages 47-58
ISBN: 978-989-758-245-5
Copyright c
2017 by SCITEPRESS – Science and Technology Publications, Lda. All r ights reserved
47
with its ‘things’ connected to the Internet, is an in-
stantiation of the “Network of Things” concept (Voas,
2016). There are considerable benefits of having nu-
merous devices connected to larger infrastructures,
with utility to be gained in multiple contexts (e.g.,
home, industrial environments) (Gubbi et al., 2013).
IoT is an explosive market, with estimates that the
number of Internet-connected smart devices will more
than triple to around 40 billion in use by 2019 (Thierer
and Castillo, 2015).
2.1 The Home IoT Environment
There has been an explosive growth in the number
of Internet-connected household devices which al-
low for monitoring and controlling a “smart home”
(Sivaraman et al., 2015). These devices include
smart plugs, lights, and electrical switches which
give insight into power consumption. Appliances
may be remotely monitored and controlled such as
a garage door opener, thermostat, or oven. Children
or pets may be monitored remotely through Internet-
connected cameras and microphone systems.
Internet-connected smart homes typically make
use of a home automation system, with multiple com-
mercially available systems to choose from. These
systems tend to have a central C&C unit and a di-
verse array of lightweight, sensor-enabled devices
that monitor one or more aspects of an area (e.g., the
number of people who have entered a room). An in-
teresting aspect of many home automation systems is
that they can be controlled with little or no authen-
tication credentials; a great deal of their system se-
curity comes from a “firewall” feature of the home
router’s network address translation between public
and private Internet Protocol (IP) addresses (Sivara-
man et al., 2016).
2.2 The Industrial IoT Environment
Industrial processes have been automated for decades,
with machine-to-machine communication protocols
(e.g., Modbus/TCP) for Supervisory Control and Data
Acquisition (SCADA) and other industrial control
Systems (Boyer, 2009). SCADA and other legacy
machine-to-machine communication systems are still
widely used, however the descendant of these older
systems is the Industrial Internet. The Industrial Inter-
net is a form of IoT in which the things are objects in
manufacturing plants, utilities, dispatch centers, pro-
cess control industries, etc. (Stankovic, 2014). These
operational technology (OT) systems were tradition-
ally kept separate from their information technology
(IT) counterparts, but with the ubiquity of IP this sep-
aration is vanishing (Beel and Prasad, 2016).
2.3 An Overview of Iot Cybersecurity
Vulnerabilities
IoT cybersecurity vulnerabilities are well docu-
mented. Some of these include (Bertino and Is-
lam, 2017; Romero-Mariona et al., 2016; Cruz et al.,
2016):
Systems without well-defined parameters which
are continuously changing due to device and user
mobility.
Devices in an IoT system may be autonomous
themselves, functioning as a control for other IoT
devices.
IoT systems may include components which were
never intended to be connected to the Internet, or
communicate by standardized protocols.
IoT systems may be controlled by different par-
ties.
Granular permission requests, common in smart-
phone applications, are problematic in IoT sys-
tems due to the diversity and number of devices.
Firmware updates and system patching are diffi-
cult and often completely lacking.
Many IoT devices possess only the memory and
processing capabilities to accomplish their as-
signed task and consequently cannot support stan-
dard security solutions.
Devices often operate under unique constraints
(e.g., timing).
Device lifespans may continue for many years af-
ter vendor support has ceased (e.g., patching).
Vulnerable devices are deeply embedded within
networks.
An additional, detailed list of IoT cybersecurity vul-
nerabilities and attack vectors are described in Table
1.
3 BOTNETS AND DDoS ATTACKS
A botnet is an organized network of software robots,
or ‘bots’, that run autonomously and automatically on
zombie machines that have been infected by malware
(Hachem et al., 2011; Zhu et al., 2008). Botnets are
used to conduct DDoS attacks, distributed computing
(e.g., mining bitcoins), spread electronic spam and
malware, conduct cyberwarfare, conduct click-fraud
IoTBDS 2017 - 2nd International Conference on Internet of Things, Big Data and Security
48
Table 1: Internet of Things Cybersecurity Vulnerabilities and Attack Vectors. Adapted from the Open Web Application
Security Project Top 10 IoT Vulnerabilities (www.owasp.org/index.php/Top IoT Vulnerabilities).
Vulnerability Attack Vectors
Insecure Interfaces Weak credentials, capture of plain-text credentials, insecure password recovery
systems, or enumerated accounts, and lack of transport encryption may be used
to access data or controls.
Insufficient Authentication
and Authorization
Weak passwords, insecure password recovery mechanisms, poorly protected
credentials, and lack of granular access control may enable an attacker to ac-
cess a particular interface.
Insecure Network Services Vulnerable networks services may be used to attack a device or bounce an
attack off of a device.
Lack of Transport Encryp-
tion/Integrity Verification
The lack of transport encryption allows an attacker to view data being passed
over the network.
Privacy Concerns Insecure interfaces, insufficient authentication, lack of transport encryption,
and insecure network services all allow an attacker to access data which is
improperly protected and may have been collected unnecessarily.
Insufficient Security Config-
urability
A lack of granular permissions, lack of encryption or password options may
allow an attacker to access device data and controls. An attack (malicious or
inadvertent but benign) could come from any device in an IoT system.
Insecure Software/Firmware Update files captured through unencrypted connections may be corrupted, or
an attacker may distribute a malicious update by hijacking a DNS server.
Poor Physical Security USB ports, SD cards, and other storage means allow attackers access to device
data and operating systems.
scams, and steal personal user information. They
are arguably the most potent threat to the security of
Internet-connected systems and users (Khattak et al.,
2014). A “botmaster” will seize control of a network
of infected computers and through a C&C system di-
rect the infected computers to conduct malicious ac-
tivities. More sophisticated botnets decentralize their
C&C system by structuring their network in a peer-
to-peer (P2P) manner such that any one infected com-
puter will only communicate with a small number of
‘locally’ infected computers. This makes the detec-
tion of all the infected computers, the bots that com-
prise the botnet, difficult. Botnets, like virtually all
cyber-threats, have typically been targeted against IT
systems, but there are several recent incidences of
their use in attacks on OT systems.
The Internet was designed with functionality as
a primary concern with security often as an af-
terthought, and consequently there are very limited
resources available for the purpose. The first well-
known DDoS attack was against the University of
Minnesota in 1999, attacking university servers with
User Datagram Protocol (UDP) packets from thou-
sands of machines for two days (Boyle, 2000). DDoS
attacks have increased in frequency and size, com-
monly being used in conjunction with conventional
warfare methods during times of conflict (Nazario,
2009). Because of the ease of conducting an at-
tack there are DDoS-for-hire services run by cyber-
criminals (Santanna et al., 2015). Figure 1 illustrates
a botnet-conducted DDoS attack.
Figure 1: A simplified model of a botnet conducting a
DDoS attack. Once an army of infected and conscripted
bots has been assembled, the botmaster issues attack in-
structions via proxy C&C servers in (1). The C&C servers
disseminate their attack instructions to their conscripted
bots in (2). In (3), the conscripted botnet army proceeds
to overwhelm the targeted victim’s system with a series of
short but continual attacks.
A recent high profile botnet malware incident was
the use of BlackEnergy in the attack which took down
the Ukrainian power grid in December, 2015 (Khan
et al., 2016). The BlackEnergy malware was first de-
scribed in 2007 (Nazario, 2007) as a simple Hypertext
Transfer Protocol (HTTP) based botnet which used
encryption at runtime to avoid detection. The vic-
IoDDoS â ˘
Aˇ
T The Internet of Distributed Denial of Sevice Attacks - A Case Study of the Mirai Malware and IoT-Based Botnets
49
tims of this early BlackEnergy malware were the dis-
tributed compromised systems and the end targeted
systems of the DDoS attack. Arbor Networks located
27 active DDoS networks in Russia and Malaysia
with targets in Russian IP space (Khan et al., 2016).
There is wide speculation that Russia used the Black-
Energy malware to launch a DDoS attack during the
Russian-Georgian Conflict in 2008, although this has
never been conclusively proven (Nazario, 2009). The
software controlling several national critical infras-
tructures including electric grids, water filtration sys-
tems, and oil and gas pipelines have been compro-
mised by BlackEnergy since 2011 (Pultarova, 2016a).
NATO Headquarters was also the victim of a Black-
Energy attack (Khan et al., 2016).
The Ukranian incident involved a coordinated at-
tack on three power distribution companies, utilizing
a new variant of BlackEnergy to illegally enter the
companies’ IT and OT systems. Opening the break-
ers to seven substations resulted in a power outage to
more than 225,000 people. This variant of BlackEn-
ergy included a KillDisk function which erased sev-
eral systems and corrupted the master boot records
in all three companies, extending the power outage.
While the BlackEnergy malware was not utilized as a
botnet in the classical sense, its use during the recon-
naisance phase of the attack shows the dangerous ver-
satility of botnet malware in coordinated cyber attacks
(Lee et al., 2016). Moreover, custom firmware was
deployed for serial-to-Ethernet converters which dis-
abled devices and prevented technicians from restor-
ing power until they bypassed those converters (Khan
et al., 2016).
3.1 A Taxonomy for DDoS Attacks
Specht and Lee (Specht and Lee, 2004) propose a tax-
onomy for DDoS attacks consisting, at the highest
level, of Bandwidth Depletion Attacks and Resource
Depletion Attacks. They describe Resource Depletion
Attacks as flooding the victim network with unwanted
traffic that prevents legitimate traffic from reaching
the victim. A Resource Depletion Attack ties up the
victim system’s resources, making the processing of
legitimate requests for service impossible.
3.1.1 Bandwidth Depletion DDoS Attacks
Bandwidth Depletion Attacks are characterized as ei-
ther flood or amplification attacks (Specht and Lee,
2004). Specifically, these types of attacks are distin-
guished by adversary-controlled botnets which flood
their victims with IP traffic and ultimately saturate
their network and resources (Okafor et al., 2016).
These attacks are usually aimed at making the victims
unreachable or disabling their services (Gasti et al.,
2012).
3.1.1.1 Flood Attacks
Flood attacks involve a conscripted botnet army send-
ing extraordinarily large volumes of traffic to a victim
network with the intent of congesting it to the point
of service degradation, or a crash. Some examples
of Flood attacks include (Singh and Gyanchandani,
2010):
UDP flooding is a host-based attack which send a
large number of UDP packets to a random port on
the target system, causing it to fail.
Ping of Death, or Internet Control Message Pro-
tocol (ICMP) flood attacks use a ping utility to
create IP packets exceeding the maximum 65,536
bytes allowed by IP specification. The over-sized
packets are sent to the target system causing it to
crash, hang, or reboot.
3.1.1.2 Amplification Attacks
Amplification attacks involve the conscripted botnet
army sending messages to a broadcast IP address, a
feature found on many routers. All systems in the
subnet reached by the broadcast address send a re-
ply to the targeted victim system. The broadcast IP
address amplifies and reflects attack traffic to reduce
the victim system’s bandwidth. Examples of amplifi-
cation attacks include (Specht and Lee, 2004; Singh
and Gyanchandani, 2010):
Smurf attacks generate large amounts of traffic on
the targeted victim’s computer. Packets are sent
as a direct broadcast to a subnet of a network to
which all of the subnet’s systems reply. However,
the packets’ source IP address is spoofed to be the
targeted victim, which is then flooded.
Fraggle attacks send packets to a network ampli-
fier using UDP ECHO packets which target the
character generator in the systems reached by the
broadcast address. Each system then generates a
character to send to the echo service in the victim
system, which causes an echo packet to be sent
back to the character generator.
IoTBDS 2017 - 2nd International Conference on Internet of Things, Big Data and Security
50
3.1.2 Resource Depletion DDoS Attacks
Resource depletion attacks are characterized by an at-
tacker sending packets that are malformed or misuse
communication protocols, using network resources to
such an extent that there are none left for legitimate
users (Specht and Lee, 2004). The main difference
between a resource depletion attack and a bandwidth
depletion attack is that the former aims at exhaust-
ing the resources as opposed to the latter which at-
tempts to deny critical services (Amiri and Soltanian,
2015). Furthermore, resource depletion attacks can
allow adversaries to consume more energy in a net-
work than an honest node, thus affecting the actual
physical resources of certain IoT components (Gaya-
tri and Naidu, 2015).
3.1.2.1 Protocol Exploit/Misuse Attacks
Protocol exploit attacks misuse common Internet
communication protocols, such as Transfer Control
Protocol Synchronize (TCP SYN) and Acknowledge
(ACK). Examples of Protocol exploit attacks include
(Specht and Lee, 2004; Singh and Gyanchandani,
2010):
TCP SYN flooding uses a conscripted botnet army
to initiate an overwhelming number of three-way
handshakes to initialize new TCP connections.
The source IP address is spoofed, causing the vic-
tim system to send ACK+SYN responses to a non-
requesting system. The victim system eventually
runs out of memory and processor resources after
none of the ACK+SYN responses are returned.
PUSH + ACK attacks involve sending the targeted
victim TCP packets with PUSH and ACK bits set
to 1, causing the victim to unload all data in the
TCP buffer and send an acknowledgement once
this is completed. The targeted system cannot
process the large volume of packets from multi-
ple senders and crashes.
3.1.2.2 Malformed Packet Attacks
Malformed packet attacks involve a botnet army send-
ing the targeted victim incorrectly formed IP packets,
which cause the victim system to crash. There are
two types of malformed packet attacks (Specht and
Lee, 2004):
IP address attacks where the packet contains the
same source and destination IP addresses. This
confuses and crashes the targeted victim’s operat-
ing system.
IP packet options attacks involve randomizing an
optional field within IP packets sent from the bot-
net army, setting all quality of service bits to 1.
The targeted victim must use additional process-
ing resources to analyze the traffic, exhausting its
processing ability.
IoDDoS â ˘
Aˇ
T The Internet of Distributed Denial of Sevice Attacks - A Case Study of the Mirai Malware and IoT-Based Botnets
51
4 IoT-BASED BOTNETS AND THE
DDoS ATTACKS OF 2016
The number of Internet-connected devices in the IoT
environment is expected to triple by 2019 (Thierer
and Castillo, 2015). The consequence of this rush to
put products on the market is insufficient security de-
signed into systems (Romero-Mariona et al., 2016).
This poor security makes IoT devices soft targets,
and attacks on IoT devices have been long predicted.
While there has been concern about the hijacking of
various devices in the home or industrial ecosystems
to exfiltrate information on individual victims, IoT de-
vices are also easily conscripted into botnet armies for
multi-platform DDoS attacks (Symantec, 2016).
There were eight families of IoT malware families
discovered in 2015 (Symantec, 2016):
The Zollard worm exploits the Hypertext Pre-
processor (PHP) ‘php-cgi’ Information disclosure
vulnerability that was patched in 2012. Once in-
fected, a backdoor on a TCP port opens to allow
remote command execution.
Linux.Aidra spreads through TCP on port 23 and
looks for common username and password com-
bination in order to login into devices. A back-
door is opened on the device and the infected de-
vice is conscripted into a botnet army that uses
floods of TCP packets, UDP packets, or DNS re-
quests.
XOR.DDos opens a backdoor in its device and
uses COR encryption in both the malware code
and in C&C server communication and its main
function is to conduct DDoS attacks.
Bashlite-infected devices become part of a bot-
net army for launching DDoS attacks of EDP and
TCP floods. It also contains a function to brute-
force routers with common username and pass-
word combinations and can collect CPU informa-
tion from infected devices.
LizardStresser was reputedly created by the
Lizard Squad hacker group and has the ability to
launch DDoS attacks. It is distributed by scan-
ning public IP addresses for Telnet services and
will attempt a variety of common username and
password combinations. After a successful logon,
it reports back to its C&C server and awaits fur-
ther instruction.
AES.DDoS uses the AES algorithm to encrypt
communication with its C&C server. It carries out
DDoS attacks, but also collects information about
the compromised device and sends it to the C&C
server.
PNScan is a Trojan that scans a network segment
for devices with an open port 22 and attempts
a bruteforce login with common username and
password combinations. It does not have botnet
functionalities, but can be used to download bot-
net malware like Tsunami.
The Tsunami Trojan is used to launch DDoS at-
tacks. It modifies files in such a way that it gets
run each time a user logs in or a device boots up.
Moreover, Tsunami is known to kill processes,
download and execute various files, and spoof IP
addresses of the infected device.
4.1 The Mirai Malware Family
The Mirai botnet malware, which was utilized for the
DDoS attacks against KrebsOnSecurity, Dyn, OVH,
and others, is part of a Trojan IoT malware family
that was first discovered in May 2016 (Dr.Web, 2016).
The initial malware was named Linux.DDoS.87,
a later variant named Linux.DDoS.89 and finally
Linux.Mirai (referred to simply as ‘Mirai’) were dis-
covered in August. We highlight Linux.DDoS.87 and
Linux.DDoS.89 before an in-depth examination of
the Mirai Malware.
4.1.1 Linux.DDoS.87
Linux.DDoS.87 is a malicious program that uses the
uClibc4C Library for embedded systems and car-
ries out DDoS attacks. Prior to receiving and exe-
cuting commands, the malware makes the following
calls: fillConfig,init random,runkiller, and
fillCmdHandlers.
The fillConfig function uses a memory sector
to store configuration information and some strings
may be stored in encrypted ELF files and decrypted
prior to recording. The generation of pseudo-random
sequences is achieved by the init random function.
Linux.DDoS.87 displays a certain “territorial” behav-
ior with a runkiller function that searches for the
running processes of other Trojans and terminates
them. fillCmdHandlers is a function that fills the
structure that stores command handlers. Once these
commands are run, Linux.DDoS.87 removes its name
to hide itself and child processes are subsequently
launched with simplified code and containing no re-
quests to the configuration. The Linux.DDoS.87 Tro-
jan has a maximum uptime of one week on an infected
machine before it terminates its operation (Dr.Web,
2016).
Linux.DDoS.87 then attempts to connect to a
C&C server. The IP address of the used interface is
4https://uclibc.org/
IoTBDS 2017 - 2nd International Conference on Internet of Things, Big Data and Security
52
saved and a string containing information on the ar-
chitecture of the infected device is sent to the C&C
server. The process function parses command argu-
ments and fills respective structures (e.g., target ip,
sockaddr, etc.) and a run command function is called
after parsing is completed. This function receives a
time value, command number, quantities and arrays
of targets and parameters. Linux.DDoS.87 is capa-
ble of the following attacks: HTTP flood, UDP flood,
TCP flood, Domain Name System (DNS) flood, and
TSource Engine Query (TSource) flood among others
(Dr.Web, 2016).
4.1.2 Linux.DDoS.89
Discovered in early August 2016, Linux.DDoS.89
is a modified version of Linux.DDoS.87 (Dr.Web,
2016). The command format is unchanged from
Linux.DDoS.87, but fields in some of the Trojan’s
structures have been moved. Rather than reallocat-
ing memory, a statically allocated area of memory is
used. A decode function decrypts stored configura-
tion values by an XOR operation and then re-encrypts
the value after use. Linux.DDoS.89’s pseudo-random
number generator as well as its order of performed
operations are different from Linux.DDoS.87.
It first starts operating with signals, installing
signal handlers but ignoring SIGINT. Once the IP
addresses of the network interface are received,
Linux.DDoS.89 connects to the Internet via a Google
DNS server and a local server is launched. Once the
local server is launched, the C&C server information
is added to the sockaddr in structure. A SIGTRAP
signal is used for changing C&C servers. Finally, a
runkiller function uses PID. It will not terminate a
process if its PID is the same as the current or parental
process.
Linux.DDoS.89 uses a run scanner function that
is copied from the Linux.BackDoor.Fgt Trojan fam-
ily. It is capable of the following attacks: UDP flood,
TSource flood, DNS flood, TCP flood, UDP over
Generic Routing Encapsulation (GRE) flood, and
Thread Environment Block (TEB) over GRE flood.
4.2 The Mirai Malware
The DDoS attacks on KrebsOnSecurity and Dyn were
the largest known attacks to date (Woolf, 2016).
The attacks were perpetrated using the Mirai mal-
ware which scans the Internet for unsecured IoT
devices and has been active since at least August
2016, usually conscripting armies of CCTV cameras
(Zeifman et al., 2016; Pultarova, 2016b). Indeed,
since the source code was made publicly available,
there have been several low-volume application layer
HTTP floods which were characterized by relatively
low requests per second counts and small numbers of
source IPs and were likely new users of the malware
making test runs (Zeifman et al., 2016).
Mirai infects IoT devices and uses them as a
launch platform for DDoS attacks, as shown in Fig-
ure 2. Mirai’s C&C module is coded in Go5, its bots
are coded in C, and communication betwen infected
devices and the C&C server often occurs over port
48101 (US-CERT, 2016). Port 48101 is also used for
control purposes, coordinating bot instances (Mirai,
2016). Mirai performs wide-ranging scans of IP ad-
dresses in order to locate IoT devices that could be re-
motely accessed via easily guessable login credentials
(Moffitt, 2016). Specifically, Mirai uses a dictionary
attack of at least 62 common default usernames and
passwords to gain access to networked cameras, dig-
ital video recorders, and home routers (Bertino and
Islam, 2017). The attack function enables Mirai to
launch HTTP floods and various network DDoS at-
tacks. Mirai is capable of launching Generic Routing
Encapsulation (GRE) IP and GRE Ethernet encapsu-
lation (ETH) floods, as well as SYN and ACK floods,
STOMP (Simple Text Oriented Message Protocol)
floods, DNS floods and UDP flood attacks (Loshin,
2016). Interestingly, Mirai bots are programmed to
avoid certain IPs when performing their IP scans, in-
cluding the US Postal Service, the Department of
Defense, the Internet Assigned Numbers Authority
(IANA) and IP ranges belonging to Hewlett-Packard
and General Electric (Zeifman et al., 2016). Mirai
also has a segmented C&C feature which allows its
botnet to launch multiple DDoS attacks against mul-
tiple, unrelated targets (Loshin, 2016). Much like
its predecessors, the Mirai malware displays territo-
rial characteristics, for instance it’s runkiller hunt-
ing for and destroying competing malware such as
Anime’6, and closing all processes that use SSH, Tel-
net, or HTTP ports. Analysis of the Mirai malware
code shows that, in spite of the English C&C inter-
face, there are Russian strings in the code and this has
led to speculation that the malware originates from
Russian hackers (Zeifman et al., 2016).
The Mirai attacks against KrebsOnSecurity and
Dyn were so large that early estimates suggested that
more than 10,000,000 devices had been conscripted
for the botnet army (Zeifman et al., 2016), however
later forensics determined that the attack on Dyn may
have involved only 100,000 Mirai-infected devices
(Woolf, 2016). Thus far, Mirai malware has been
found to have infected 500,000 or more devices in 164
countries (Zeifman et al., 2016; Loshin, 2016).
5https://golang.org/
6https://evosec.eu/new-iot-malware/
IoDDoS â ˘
Aˇ
T The Internet of Distributed Denial of Sevice Attacks - A Case Study of the Mirai Malware and IoT-Based Botnets
53
Figure 2: The Mirai Botnet Malware DDoS workflow, adapted from Level 3 Threat Research (http://netformation.com/level-
3-pov/how-the-grinch-stole-iot). In (1), the botmaster maintains connection to the reporter server via a TOR connection. In
(2), scan results are sent to the reporter servers. IP addresses of vulnerable IoT devices are sent to loaders in (3). In (4), loaders
log into devices and instruct them to download the Mirai botnet malware. As in structed, the vulnerable IoT devices download
and run the Mirai botnet malware (5) and are conscripted into a Mirai botnet (6). The botnet maintains communication with
the C&C servers in (7) which constantly change their IP addresses. Finally, the Mirai botnet army conducts a DDoS attack,
primarily with TCP and UDP floods in (8).
4.2.1 Analysis of Mirai Botnet C&C Behavior
The C&C portion of the Mirai malware (Mirai, 2016)
contains code for handling connections, adding new
clients (bots) to the conscripted botnet army, connect-
ing admin consoles, accepting API calls, and crafting
and delivering attacks for bot execution. Its database
is called mirai and server listens for connections on
the loop-back address only, with a default authentica-
tion of root and password. The main.go file man-
ages initial communication, setup, and handling of in-
coming requests:
1. The C&C server opens up listening ports on port
23 for telnet connections and on port 101 for re-
mote API calls on all IPv4 addresses.
2. A lightweight thread to handle API connections
on port 101 is created.
3. The C&C server goes into an infinite loop waiting
for telnet connections.
4. The botmaster is alerted if the C&C server fails.
4.2.1.1 apiHandler
The apiHandler function (in main.go) uses func-
tionality from api.go to first set a timeout for ac-
cepting API commands. Once it has retrieved the
command, the format for an API call embeds the
API user’s key with the command to verify that the
user is allowed access to the API and can request
attacks. Among other processes, it also checks the
users’ key against the database, creates a new attacks,
and queues attack command for delivery to bots. In
api.go, lines 24-30:
this.conn.SetDeadline(time.Now().Add(60 *
time.Second))
IoTBDS 2017 - 2nd International Conference on Internet of Things, Big Data and Security
54
cmd, err := this.ReadLine()
if err != nil {
this.conn.Write([]byte("ERR|Failed
reading line\r\n"))
return
}
passwordSplit := strings.SplitN(cmd, "|",
2)
Line 52:
atk, err := NewAttack(cmd,
userInfo.admin)
Line 57:
buf, err := atk.Build()
And line 71:
clientList.QueueBuf(buf, botCount, "")
4.2.1.2 NewAttack
NewAttack is a function in the attack.go file which
is used to parse attack commands received, set at-
tack type and duration, as well as network targets.
NewAttack also has the ability to modify attack be-
havior. From attack.go, we highlight excerpts from
lines 197-316:
func NewAttack(str string, admin int)
(*Attack, error) {
...
var atkInfo AttackInfo
if len(args) == 0 {
return nil, errors.New("Must specify
an attack name")
}else {
if args[0] == "?" {
validCmdList := "\033[37;1mAvailable
attack list\r\n\033[36;1m"
for cmdName, atkInfo := range
attackInfoLookup {
validCmdList += cmdName + ": " +
atkInfo.attackDescription + "\r\n"
}
return nil, errors.New(validCmdList)
}
var exists bool
atkInfo, exists =
attackInfoLookup[args[0]]
if !exists {
return nil, errors.New(fmt.Sprintf("\033
[33;1m%s\033[31mis not a valid
attack!",
args[0]))
}
atk.Type = atkInfo.attackID
...
}
4.2.1.3 admin.go
admin.go manages authentication and welcomes
users to Mirai’s C&C administration console. This
console provides functionality for the following com-
mands: adduser,botcount,quit, and exit. It car-
ries traces of potential Russian origin within the man-
agement interface, for example its prompt text,
я люблю куриные наггетсы
which translates to ‘I love chicken nuggets’. More
useful Russian strings in the administration console
include,
произошла неизвестная ошибка
which translates to ‘An unknown error occurred’, and
нажмите любую клавишу для выхода
which translates to ‘Press any key to exit’.
4.2.2 Analysis of Mirai Botnet Client Behavior
An analysis of the Mirai source code (Mirai, 2016)
illustrates the client’s behavior and workflow as fol-
lows:
1. The Trojan is launched, it immediately removes
its own executable from the disk and blocks SIG-
INT signals.
2. The Mirai malware attempts to open the
watchdog process, specifically /dev/watchdog
and /dev/misc/watchdog for reading/writing
and disables it.
3. The Mirai Trojan then attempts to obtain the IP
address of its network by sending a request to
Google’s Public DNS server at the IP address
8.8.8.8 on port 53.
4. Mirai next calculates a function from argv[0]
which will return an index in an array of com-
mands to run (an integer from 0-8), and will sub-
sequently open a local socket on the device.
5. Mirai then renames itself (to a random string),
forks a child process, and executes the functions
attack init,killer init, and scanner init,
which are described in detail below.
4.2.2.1 attack init
The function attack init contains structures that
consist of attack handlers. In attack.c, lines 26-41:
add attack(ATK VEC UDP,
(ATTACK FUNC)attack udp generic);
add attack(ATK VEC VSE,
(ATTACK FUNC)attack udp vse);
add attack(ATK VEC DNS,
(ATTACK FUNC)attack udp dns);
IoDDoS â ˘
Aˇ
T The Internet of Distributed Denial of Sevice Attacks - A Case Study of the Mirai Malware and IoT-Based Botnets
55
add attack(ATK VEC UDP PLAIN,
(ATTACK FUNC)attack udp plain);
add attack(ATK VEC SYN,
(ATTACK FUNC)attack tcp syn);
add attack(ATK VEC ACK,
(ATTACK FUNC)attack tcp ack);
add attack(ATK VEC STOMP,
(ATTACK FUNC)attack tcp stomp);
add attack(ATK VEC GREIP,
(ATTACK FUNC)attack gre ip);
add attack(ATK VEC GREETH,
(ATTACK FUNC)attack gre eth);
//add attack(ATK VEC PROXY,
(ATTACK FUNC)attack app proxy);
add attack(ATK VEC HTTP,
(ATTACK FUNC)attack app http);
return TRUE;
4.2.2.2 killer init
The next function killer init, located in
killer.c, initializes the killer which terminates
Secure Shell (SSH), HTTP, and telnet services and
prevents them from restarting. This same file also
contains a function called memory scan match that
searches memory for other malware residing on the
system. In killer.c, lines 39-49:
#ifdef KILLER REBIND TELNET
#ifdef DEBUG
printf("[killer] Trying to kill port
23\n");
#endif
if (killer kill by port(htons(23)))
{
#ifdef DEBUG
printf("[killer] Killed tcp\23
(telnet)\n");
#endif
}
And lines 215-221:
if (memory scan match(exe path))
{
#ifdef DEBUG
printf("[killer] Memory scan match
for binary %s\n", exe path);
#endif
kill(pid, 9);
}
4.2.2.3 scanner init
scanner init initializes the scanner scanner.c,
which generates random IP addresses to scan (with
the exception of those listed in Section 4.2), and con-
tains 62 default username and password sets used to
brute force other devices (scanner.c lines 124-185).
Examples of these (username,password) sets in-
clude:
(admin,admin), line 127.
(admin,password), line 136.
(admin,1111), line 145.
(admin1,password), line 156.
(ubnt,ubnt), line 160.
(root,user), line 172.
(admin,pass), line 182.
(tech,tech), line 184.
4.3 A Potential Vulnerability in the
Mirai Botnet Malware
Interestingly, after reviewing the code for the Mirai
C&C server, there appear to be SQL injection vulner-
abilities within the server code. There is a lack of
input validation on the C&C server code which could
lead to a specially crafted API call to be used to leak
information or gain unauthorized access to the botnet.
5 DEFENDING AGAINST
CONSCRIPTION INTO A
MIRAI IoT-BASED BOTNET
The Mirai malware is designed to conduct wide-
ranging IP scans as it searches for IoT devices. Since
the Mirai malware infects IoT devices that have com-
mon factory default usernames and passwords, the
most obvious method for securing IoT devices is
to change the passwords and/or usernames (Zeifman
et al., 2016). Indeed, if a device is infected with
Mirai then simply shutting it down and restarting it
will disinfect it, however unless the login credentials
are modified it is almost guaranteed to be reinfected
within a few minutes (Moffitt, 2016; Zeifman et al.,
2016). The United States Computer Emergency Re-
sponse Team recommends taking the following steps
to remove Mirai malware from infected devices (US-
CERT, 2016):
1. Disconnect device from the network.
2. Perform a reboot of the device while disconnected
to clear the malware from the dynamic memory.
3. Ensure that the device password has been changed
from the factory default.
4. Reconnect the device to the network only after re-
booting and ensuring that its password has been
changed.
IoTBDS 2017 - 2nd International Conference on Internet of Things, Big Data and Security
56
There are many preventative measures that can be
taken to strengthen an IoT system’s resistance to Mi-
rai and other malware, assuming that its devices are
not currently infected (US-CERT, 2016):
Change device passwords before deployment on a
network.
Update IoT devices with security patches as they
become available.
Disable Universal Plug and Play on routers unless
necessary.
Monitor IP ports 2323/TCP and 23/TCP for at-
tempts to gain unauthorized control of devices us-
ing network terminal protocol.
Monitor port 48101 for suspicious traffic.
Additionally, IoT devices and systems should be pur-
chased from manufacturers and vendors with a repu-
tation for providing secure products. Users and sys-
tem administrators should be aware of the capabili-
ties of devices and systems that they are bringing into
their homes and businesses; this may include medi-
cal devices or vehicles. It must be understood that
if a device uses or transmits data then it may be vul-
nerable to infection. If a device comes with a default
password or an open Wi-Fi connection, these must be
secured by changing the password and only allowing
it to operate on wireless networks with a secure router.
It is speculated that the DDoS attacks—
extraordinarily effective thus far—have been
perpetrated by non-state actors. As more and more
devices are connected to the Internet, the security
vulnerabilities of the IoT ecosystem will multiply
with ever-more devastating consequences. The Mirai
malware has taken advantage of IoT security vulner-
abilities to spectacular effect, but it will certainly not
be not the last malware to do so.
6 CONCLUSION
The Mirai malware is responsible for conscripting at
least 500,000 IoT devices in 164 countries into a bot-
net army and launching DDoS attacks on a cyberse-
curity blog, a DNS provider in the United States, and
numerous targets internationally. These IoT-botnet
armies are capable of launching DDoS attacks that
are larger than ever seen before, with rates exceeding
1 TBps. IoT offers revolutionary advances in many
contexts, from the home to almost every type of busi-
ness, but internet-connected ‘things’ bring security
vulnerabilities as they enter the cyber ecosystem.
This paper discussed the IoT ecosystem and some
of the benefits and vulnerabilities that are unique to
its various environments (e.g., home use versus in-
dustrial use IoT). It discussed botnets and DDoS at-
tacks, giving a taxonomy for DDoS attacks as well
as examples, and using the BlackEnergy malware as
an illustrative example of botnet malware being uti-
lized in a coordinated campaign, before discussing the
DDoS attacks by Mirai malware-infected IoT botnet
armies. We reviewed the Mirai malware family, in-
specting the source code for various processes of both
the C&C and client modules. During our analysis of
the Mirai malware code, we discovered a vulnerabil-
ity to SQL injection attacks which render the botnet
susceptible to a counterattack. We are currently re-
searching the extent of this vulnerability. The Mi-
rai malware is a very recently released malware that
scans IP addresses searching for IoT devices with fac-
tory default usernames and passwords. Because the
vulnerabilities that it seeks out are easily remedied,
IoT devices can be strengthened against it with rela-
tive ease. (However, like BlackEnergy, future variants
of the Mirai malware will likely prove much more dif-
ficult to defend against.)
The IoT ecosystem is so heavily populated with
unsecured devices, and the number of these devices
is expected to grow exponentially over the coming
years, it is therefore reasonable to expect IoT-based
DDoS attacks to become much more commonplace.
Indeed, there is a Twitter feed7which continually
monitors for Mirai botnet attacks worldwide. The
Mirai malware attacks targeted a cybersecurity blog
and a DNS provider, with consequences that were fi-
nancial in nature. It is not unreasonable to anticipate
and prepare for large-scale IoT-based botnet DDoS at-
tacks on critical infrastructure, which would certainly
have more serious and disastrous results.
ACKNOWLEDGEMENTS
This research was funded by the Office of Naval Re-
search’s Energy System Technology Evaluation Pro-
gram8. The authors would also like to convey their
gratitude to the Civilian and Uniform leadership at
SPAWAR Systems Center Pacific and the United
States Department of the Navy for their support of
our cybersecurity research efforts.
7https://twitter.com/miraiattacks
8http://www.aptep.net/partners/estep/
IoDDoS â ˘
Aˇ
T The Internet of Distributed Denial of Sevice Attacks - A Case Study of the Mirai Malware and IoT-Based Botnets
57
REFERENCES
Amiri, I. S. and Soltanian, M. R. K. (2015). Theoretical and
Experimental Methods for Defending Against DDoS
Attacks. Syngress.
Beel, J. and Prasad, R. (2016). Internet of everything (ioe):
Information technology (it) and operational technol-
ogy (ot). In Proceedings of the 2016 Advanced Ma-
chinery Technology Symposium. American Society of
Naval Engineers.
Bertino, E. and Islam, N. (2017). Botnets and internet of
things security. Computer, 50(2):76–79.
Boyer, S. A. (2009). SCADA: supervisory control and data
acquisition. International Society of Automation.
Boyle, P. (2000). Idfaq: Distributed denial of ser-
vice attack tools: trinoo and wintrinoo. Avail-
able at https://www.sans.org/security-resources/id
faq/distributed-denial-of-service-attack-t ools-trinoo-
and-wintrinoo/9/10 (2016/11/01).
Cruz, T., Queiroz, R., Sim˜
oes, P., and Monteiro, E. (2016).
Security implications of scada ics virtualization: sur-
vey and future trends. In ECCWS2016-Proceedings fo
the 15th European Conference on Cyber Warfare and
Security, page 74. Academic Conferences and pub-
lishing limited.
Dr.Web (2016). Investigation of
linux.mirai trojan family. Available at
https://st.drweb.com/static/new-www/news/2
016/september/Investigation of Linux.Mirai Tro-
jan family en.pdf (2017/02/21).
Gasti, P., Tsudik, G., Uzun, E., and Zhang, L. (2012). Dos &
ddos in named-data networking. arxive-prints. Tech-
nical report, Tech Rep 1208.0952 v2.
Gayatri, V. and Naidu, K. K. (2015). Resource depletion
attacks in wireless ad-hoc sensor networks. Inter-
national Journal of Innovative Research in Computer
and Communication Engineering, 3(6):81–86.
Gubbi, J., Buyya, R., Marusic, S., and Palaniswami, M.
(2013). Internet of things (iot): A vision, architectural
elements, and future directions. Future Generation
Computer Systems, 29(7):1645–1660.
Hachem, N., Mustapha, Y. B., Granadillo, G. G., and De-
bar, H. (2011). Botnets: lifecycle and taxonomy. In
Network and Information Systems Security (SAR-SSI),
2011 Conference on, pages 1–8. IEEE.
Holm, E. (2016). The role of the refrigerator in identity
crime? Cyber-Security and Digital Forensics, page 1.
Khan, R., Maynard, P., McLaughlin, K., Laverty, D., and
Sezer, S. (2016). Threat analysis of blackenergy mal-
ware for synchrophasor based real-time control and
monitoring in smart grid.
Khattak, S., Ramay, N. R., Khan, K. R., Syed, A. A., and
Khayam, S. A. (2014). A taxonomy of botnet be-
havior, detection, and defense. IEEE communications
surveys & tutorials, 16(2):898–924.
Krebs, B. (2016a). Did the mirai botnet re-
ally take liberia offline? Available at
https://krebsonsecurity.com/2016/11/did-th e-mirai-
botnet-really-take-liberia-offline / (2017/02/21).
Krebs, B. (2016b). Krebsonsecurity hit
with record ddos. Available at
https://krebsonsecurity.com/2016/09/krebso
nsecurity-hit-with-record-ddos/ (2016/09/22).
Lee, R. M., Assante, M. J., and Conway, T. (2016). Analysis
of the cyber attack on the ukrainian power grid. SANS
Industrial Control Systems.
Lin, K.-C., Chen, S.-Y., and Hung, J. C. (2014). Botnet de-
tection using support vector machines with artificial
fish swarm algorithm. Journal of Applied Mathemat-
ics, 2014.
Loshin, P. (2016). Details emerging on dyn dns
ddos attack, mirai iot botnet. Available
at http://searchsecurity.techtarget.com/news/
450401962/Details-emerging-on-Dyn-DNS-DDoS
-attack-Mirai-IoT-botnet (2016/11/01).
Mirai (2016). Github: Mirai source code. Avail-
able at https://github.com/jgamblin/Mirai-Source-C
ode (2017/02/22).
Moffitt, T. (2016). Source code for mi-
rai iot malware released. Available at
https://www.webroot.com/blog/2016/10/10/so urce-
code-mirai-iot-malware-released/ (2016/11/01).
Nazario, J. (2007). Blackenergy ddos bot analysis. Arbor.
Nazario, J. (2009). Politically motivated denial of service
attacks. The Virtual Battlefield: Perspectives on Cyber
Warfare, pages 163–181.
Newman, L. H. (2016). What we know about fri-
day’s massive east coast internet outage. Available
at https://www.wired.com/2016/10/internet-out age-
ddos-dns-dyn/ (2016/10/21).
Okafor, K., Okoye, J. A., and Ononiwu, G. (2016). Vulnera-
bility bandwidth depletion attack on distributed cloud
computing network: A qos perspective. International
Journal of Computer Applications, 138(7):18–30.
Pultarova, T. (2016a). Cyber security-ukraine grid hack is
wake-up call for network operators [news briefing].
Engineering & Technology, 11(1):12–13.
Pultarova, T. (2016b). Webcam hack shows vulnerabil-
ity of connected devices. Engineering & Technology,
11(11):10–10.
Ragan, S. (2016). Some thoughts on the krebs situa-
tion: Akamai made a painful business call. Available
at http://www.csoonline.com/article/3123797/s ecu-
rity/so me-thoughts-on-the-krebs-situat ion-akamai-
made-a-painful-business-call.ht ml (2016/11/07).
Romero-Mariona, J., Hallman, R., Kline, M., Miguel, J. S.,
Major, M., and Kerr, L. (2016). Security in the indus-
trial internet of things - the c-sec approach. In Pro-
ceedings of the International Conference on Internet
of Things and Big Data - Volume 1: IoTBD,, pages
421–428.
Santanna, J. J., van Rijswijk-Deij, R., Hofstede, R., Sper-
otto, A., Wierbosch, M., Granville, L. Z., and Pras, A.
(2015). Booters—an analysis of ddos-as-a-service at-
tacks. In Integrated Network Management (IM), 2015
IFIP/IEEE International Symposium on, pages 243–
251. IEEE.
Singh, S. and Gyanchandani, M. (2010). Analysis of botnet
behavior using queuing theory. International Journal
IoTBDS 2017 - 2nd International Conference on Internet of Things, Big Data and Security
58
of Computer Science & Communication, 1(2):239–
241.
Sivaraman, V., Chan, D., Earl, D., and Boreli, R. (2016).
Smart-phones attacking smart-homes. In Proceedings
of the 9th ACM Conference on Security & Privacy in
Wireless and Mobile Networks, pages 195–200. ACM.
Sivaraman, V., Gharakheili, H. H., Vishwanath, A., Boreli,
R., and Mehani, O. (2015). Network-level secu-
rity and privacy control for smart-home iot devices.
In Wireless and Mobile Computing, Networking and
Communications (WiMob), 2015 IEEE 11th Interna-
tional Conference on, pages 163–167. IEEE.
Specht, S. M. and Lee, R. B. (2004). Distributed denial
of service: Taxonomies of attacks, tools, and counter-
measures. In ISCA PDCS, pages 543–550.
Stankovic, J. A. (2014). Research directions for the internet
of things. IEEE Internet of Things Journal, 1(1):3–9.
Symantec (2016). Symantec security response: Iot devices
being increasingly used for ddos attacks. Avail-
able at https://www.symantec.com/connect/blogs/iot
-devices-being-increasingly-used-ddos-atta cks
(2016/11/07).
Thierer, A. and Castillo, A. (2015). Projecting the growth
and economic impact of the internet of things. George
Mason University, Mercatus Center, June, 15.
US-CERT (2016). Alert (ta16-288a): Heightened ddos
threat posed by mirai and other botnets. Available
at https://www.us-cert.gov/ncas/alerts/TA16-2 88A
(2016/10/17).
Voas, J. (2016). Networks of ‘things’. NIST Special Publi-
cation, 800:183.
Woolf, N. (2016). Ddos attack that disrupted internet was
largest of its kind in history, experts say. Avail-
able at https://www.theguardian.com/technology/201
6/oct/26/ddos-attack-dyn-mirai-botnet (2016/10/22).
Zeifman, I., Bekerman, D., and Herzberg, B. (2016). Break-
ing down mirai: An iot ddos botnet analysis. Avail-
able at https://www.incapsula.com/blog/malware-ana
lysis-mirai-ddos-botnet.html (2016/11/01).
Zhu, Z., Lu, G., Chen, Y., Fu, Z. J., Roberts, P., and Han, K.
(2008). Botnet research survey. In 2008 32nd Annual
IEEE International Computer Software and Applica-
tions Conference, pages 967–972. IEEE.
IoDDoS â ˘
Aˇ
T The Internet of Distributed Denial of Sevice Attacks - A Case Study of the Mirai Malware and IoT-Based Botnets
59
... A non physical threat which overloads a service or database by sending packets to the target devices through the application layer is known as DDOS attack and sometimes a group of devices worked as botnet to pursue a large server which was attacked in 21st October 2016 by the Domain Name System provider DYN known as Mirai Botnet which affects Github, Twitter [24] [25]. The Mirai malware posses over 500000 devices all over 164 countries [12] Brute Force Attack: An easy method to get access over the device which is password protected and an intruder can access the device by thoroughly inputting the password until it matched the actual password. Because of lack of storage capacity and less ability of sensors to compute the environment can cause this type of attack [13]. ...
Article
Internet of Thing (IoT) is one of the most popular systems these days. This ensures internet connectivity of physical devices and everyday objects. This technology is getting popular day by day due advanced technology and cheap price. However, IoT has some vulnerability issues to deal with. The main hindrance of popularity exploitation of IoT is security. In this paper, the study reflects about the most modern technology, IoT and its security and vulnerabilities where the factors of intrusions in IoT and different types of protocols are explored by studying different papers. In this paper, we have followed the structure of Kitchenham [28] to conduct a systematic literature review. We have performed the SLR by collecting some relevant papers from the well-known databases like IEEE xplore, ACM, Springer, Elsevier, etc. Our main purpose is to analyze the recent research works according to the security issue and come up with a result in order to intend to have future research on security of IoT.
... The number of computers connected to the Internet, along with other devices and networks, continues to increase. The administration, private industry, and regular computer clients are concerned that their information or private data will be put at risk by a criminal hacker because of the new features of the Internet [1]. If an organization is connected to the Internet and holds any type of data, it's almost inevitable that it's going to end up in the sights of hackers. ...
Chapter
There are rising cybersecurity concerns in the telecommunication sector as hackers intensify their sophistication. The techniques employed by hackers are constantly evolving and so are their tools. Data theft is the end goal for numerous attacks, with hackers seeking predominantly personal data, credentials, and credit card information. Telecom companies are a big target for cyber-attacks because they build, control, and operate critical infrastructure that is widely used to communicate and store large amounts of sensitive data. Hackers often compromise telecommunication systems and attempt to steal users’ information, defraud people and also attack telecom services and infrastructures. Cyber criminals often achieve their aim using different strategies, including the exploitation of vulnerabilities in both software and hardware and other possible loopholes. Given that telecom companies control critical infrastructure, the impact of an attack can be very high and far-reaching, this chapter examines the attack strategies and ethical hacking in telecommunication with a view to help the industry to understand, prepare and defend themselves against existing and potential cyber threats and attacks.
... Mirai operates by targeting unsecured IoT devices, especially those with hardcoded user authentication credentials [126], seeking to gain administrative permissions. Once infected the devices will respond to C2 instructions to join DDoS attacks [135]. ...
Thesis
This thesis explores ideas connected with the cybersecurity of, and secure communications for, Internet of Things (IoT) devices; and introduces a number of original elements of research — including the Secure Remote Update Protocol (SRUP), a protocol developed to provide a mechanism for secure Command and Control messages. The work introduces cybersecurity concepts and background, IoT networking protocols and Command and Control messaging, before moving on to describe the original research. The design and concept of SRUP is described in detail, along with a scheme to support the use of dynamic identity in the context of the IoT. Techniques to establish device identity are then described, followed by an examination of the security features of SRUP. An open-source implementation of SRUP is then introduced, alongside a discussion on the way this has been optimized for ease of use by non-specialist developers. A concept to enable the controlled sharing of information and requests between Command and Control networks using SRUP is then described, along with a discussion on how this approach could be adopted to help to address the problem of short-term provision of access to IoT systems by guest users. Finally an experimental assessment of the protocol in simulated real-world conditions is described and measurements of the performance overhead associated with using SRUP, with inexpensive low-power hardware, are discussed and analysed. These results show that the use of the SRUP protocol, in comparison to an insecure implementation, added an additional processing delay of between 42.92ms and 51.60ms to the end-to-end message propagation — depending on the specific hardware in use. The thesis concludes with a summary of the research, and some recommendations for follow-on work.
Article
Full-text available
Not securing smart home devices has proven threatful to cyberspace. This has underscored the importance of using fear appeals to promote users' information security behavior. We practice context-specific theorization to enhance fear appeal theory and design. Particularly, we extend Protection Motivation Theory to include avoidant-focused motivation (i.e., users' intent to avoid using their devices), the positive emotion of hope, and ITself extension. Our hypotheses include that fear engenders both protection and avoidant-focused motivations, hope mediates coping appraisal to engender (reduce) protection (avoidant-focused) motivation, and ITself extension acts as an antecedent. We conduct four studies, including two surveys and two experiments, and validate our extensions. Our main theoretical contributions include showing that hope is critical in determining which coping mechanism occurs and that it improves the theory's predictive power. In terms of practice, we demonstrate that a fear appeal message with a self-extension component and a strong coping component is more effective.
Book
This book highlights the literature and the practical aspects to understand cybersecurity and privacy in various networks and communication devices. It provides details of emerging technologies on various networks by protecting the privacy and security of cyberspace. This book presents state-of-the-art advances in the field of cryptography and network security, cybersecurity and privacy, providing a good reference for professionals and researchers.
Chapter
We are going towards the Industry 4.0, and towards the implementation Internet of Things (IoT) is the thrust area was promising development is being done towards interoperability from small to big nodes or devices. These nodes or devices communicate with their own individual language. This makes Internet of Things (IoT) protocol heterogeneous in nature. This budding technology will only become successful if these devices can able to come under one big umbrella. This means to make IoT ubiquitous there should be a general IoT protocol. Till date IoT protocol stack is not standardized. In this review paper, we are going to discuss on different IoT protocols that are present based on certain common characteristics that we have grouped. This paper will also look into the global interoperability protocol and security issues and implementation of the IoT eco-system.KeywordsInternet of thingsNetwork protocolSecurity
Conference Paper
Full-text available
70% of Internet-connected devices are vulnerable to cyber-threats. Detection of malicious traffic is essential for taking defensive measures. The current state-of-the-art anomaly detection research focuses on using different machine learning methods, rather than taking advantage of high-dimensional datasets to find lurking anomalies. In this paper, we propose an unsupervised self-organizing map assisted deep autoencoder Gaussian mixture model to detect anomalous activities in real time. Our proposed model is based on two key components, self-organizing map (SOM) and deep autoencoder Gaussian mixture model (DAGMM). SOM not only preserves the topology of the input space but its high-quality dimension reduction helps to develop an efficient estimation network. The other phase is DAGMM, which preserves essential information in low dimensional space and predicts samples of high energy as anomalies by a pre-chosen threshold. In this work, we emphasize the real-world applicability of our proposed model. Due to the increasing number of IoT devices, we have a humongous amount of IoT traffic data, which are often curated to train a model. With that goal in mind, we train and evaluate our model on internet traffic data which has a mixture of regular and anomalous communication among IoT devices. It helps us to reduce false positives than the current state-of-the-art models while keeping the scope of improvement via incoming communications.
Chapter
The Internet of Things had made IoT devices for cyber-attacks, and constant rise of concerns about IoT security is necessary as connectivity between different devices and objects is a key challenge. The traditional security approaches are not applicable because of size and computational power. There are many kinds of attacks like denial of service attacks, man in the middle attack, etc. Identification of non-authorized devices in the provision of security is very important to provide identification and authentication of different devices. Authenticating different objects and data is very complicated task especially from compromised devices. This paper presents a brief survey on distributed denial of service attacks.KeywordsIoT securityCyber-attacksMan in the middle attackDistributed denial of service attack
Book
Full-text available
Denial of Service (DoS) attacks are a form of attack that seeks to make a network resource unavailable due to overloading the resource or machine with an overwhelming number of packets, thereby crashing or severely slowing the performance of the resource. Distributed Denial of Service (DDoS) is a large scale DoS attack which is distributed in the Internet. Every computer which has access to the Internet can behave as an attacker. Typically bandwidth depletion can be categorized as either a flood or an amplification attack. Flood attacks can be done by generating ICMP packets or UDP packets in which it can utilize stationary or random variable ports. Smurf and Fraggle attacks are used for amplification attacks. DDoS Smurf attacks are an example of an amplification attack where the attacker sends packets to a network amplifier with the return address spoofed to the victim's IP address. This book presents new research and methodologies along with a proposed algorithm for prevention of DoS attacks that has been written based on cryptographic concepts such as birthday attacks to estimate the rate of attacks generated and passed along the routers. Consequently, attackers would be identified and prohibited from sending spam traffic to the server which can cause DDoS attacks. Due to the prevalence of DoS attacks, there has been a lot of research conducted on how to detect them and prevent them. The authors of this short format title provide their research results on providing an effective solution to DoS attacks, including introduction of the new algorithm that can be implemented in order to deny DoS attacks. A comprehensive study on the basics of network security. Provides a wide revision on client puzzle theory. An experimental model to mitigate distributed denial of service (DDoS) attacks.
Conference Paper
Full-text available
The BlackEnergy malware targeting critical infrastructures has a long history. It evolved over time from a simple DDoS platform to a quite sophisticated plug-in based malware. The plug-in architecture has a persistent malware core with easily installable attack specific modules for DDoS, spamming, info-stealing, remote access, boot-sector formatting etc. BlackEnergy has been involved in several high profile cyber physical attacks including the recent Ukraine power grid attack in December 2015. This paper investigates the evolution of BlackEnergy and its cyber attack capabilities. It presents a basic cyber attack model used by BlackEnergy for targeting industrial control systems. In particular, the paper analyzes cyber threats of BlackEnergy for synchrophasor based systems which are used for real-time control and monitoring functionalities in smart grid. Several BlackEnergy based attack scenarios have been investigated by exploiting the vulnerabilities in two widely used synchrophasor communication standards: (i) IEEE C37.118 and (ii) IEC 61850-90-5. Specifically, the paper addresses reconnaissance, DDoS, man-in-the-middle and replay/reflection attacks on IEEE C37.118 and IEC 61850-90-5. Further, the paper also investigates protection strategies for detection and prevention of BlackEnergy based cyber physical attacks. BlackEnergy, Malware, Cyber Attacks, Synchrophasors, Smart Grid, IEEE C37.118, IEC 61850-90-5.
Conference Paper
Full-text available
In recent years, Supervisory Control and Data Acquisition (SCADA) Industrial Control Systems (ICS) – a kind of systems used for controlling industrial processes, power plants or assembly lines – have become a serious concern because of security and manageability issues. Years of air-gaped isolation, the increased coupling of ICS and Information and Communication Technology (ICT) systems, together with the absence of proper management and security policies, disclosed several weaknesses in SCADA ICS. Suddenly, these systems were faced with a reality that was familiar for ICT infrastructure managers for decades, which has driven the need for the development of specific technologies, as well as the establishment of management frameworks and the adoption of security-oriented policies. Virtualization was one of such developments, whose influence spawns several domains, from networking and communications to mass storage and computing resources. For ICT, the rise of virtualization constituted a paradigm shift, with significant gains in terms of resource consolidation, manageability or even security. These benefits are yet to fully reach the ICS domain, despite recent developments geared towards the introduction of hypervisors or software-defined networking within such systems. This paper provides an overview on the usage of such technologies to improve SCADA ICS security and reliability also proposing advanced use cases.
Conference Paper
Full-text available
A revolutionary development in machine-to-machine communications, the “Internet of Things” (IoT) is often characterized as an evolution of Supervisory Control and Data Acquisition (SCADA) networks. SCADA networks have been used for machine-to-machine communication and controlling automated processes since before the widespread use of the Internet. The adoption of open internet protocols within these systems has created unforeseen security vulnerabilities. In this paper we detail the Cyber-SCADA Evaluation Capability (C-SEC), a US Department of Defense research effort aimed at securing SCADA networks. We also demonstrate how the C-SEC framework could enhance the security posture of the emerging IoT paradigm.
Article
Full-text available
A previous work on Airport Information Resource Management System (AIRMS) established that sophisticated attacks in the form of Denial of Service (DoS), Distributed DoS (DDoS), and related attacks are becoming the most effective schemes used by cyber terrorists on such enterprise systems. Similarly, a novel Smart Green Energy Management Distributed Cloud Computing Network (SGEM-DCCN) was developed as an extension to the work. Interestingly, the DCCN could be shut down by malicious attackers while running its renewable energy management cloud service. Consequently, this work presents a security model designed to improve the security architecture in a mission-critical DCCN running Enterprise Energy Tracking Analytic Cloud Portal (EETACP). As a result of the EETACP DCCN vulnerability to DoS attacks, this work employed a core OpenFlow gateway firewall to pre-empt DDoS attacks and subsequently mitigate such destructive vulnerabilities in the network. In this case, Vulnerability Bandwidth Depletion DDoS Attack (VBDDA) was detected using Cisco Nexus 9000 firewall as an embedded network device with support for Virtual DDoS protection in the DCCN threat mitigation design. Also, security Quality of Service (QoS) profiling was employed to ascertain the network behavior in terms of resource utilization and query response times. For DDoS traffic flows, the network metrics were compared under simulated firewall scenarios involving Cisco Application Policy Infrastructure Controller (Cisco APIC), Cisco Nexus 9000 Series multilayer Switches and Cisco Application Virtual Switch (AVS). It was concluded that with a robust firewall in place, VBDDA will be mitigated in DCCN infrastructure. This offers protection and reliability in the Smart Green Energy Management System architecture
Article
Full-text available
This paper explores how botnets in smart devices are exacerbating identity crime. This paper places the refrigerator at the heart of this discussion of the Internet of things that has become connected through the Internet and thereby susceptible to botnets and the collection of personal identification information as an enabler for identity crime. The paper highlights the fallibility of these devices and provides some mechanism to deal with these new risks and presents discussion on the need to for this relationship to be further explored.
Article
Recent distributed denial-of-service attacks demonstrate the high vulnerability of Internet of Things (IoT) systems and devices. Addressing this challenge will require scalable security solutions optimized for the IoT ecosystem.
Conference Paper
The explosion in Internet-connected household devices, such as light-bulbs, smoke-alarms, power-switches, and webcams, is creating new vectors for attacking "smart-homes" at an unprecedented scale. Common perception is that smart-home IoT devices are protected from Internet attacks by the perimeter security offered by home routers. In this paper we demonstrate how an attacker can infiltrate the home network via a doctored smart-phone app. Unbeknownst to the user, this app scouts for vulnerable IoT devices within the home, reports them to an external entity, and modifies the firewall to allow the external entity to directly attack the IoT device. The ability to infiltrate smart-homes via doctored smart-phone apps demonstrates that home routers are poor protection against Internet attacks and highlights the need for increased security for IoT devices.