This paper is included in the Proceedings of the 26th usenix security Symposium August 16–18, 2017 • Vancouver, bc, Canada
Yüklə 382,3 Kb. Pdf görüntüsü
|
- Bu səhifədəki naviqasiya:
- Document Outline
several studies investigating vulnerable amplifiers [20, 51, 79]. As DDoS attacks and infrastructure are becoming more commonplace, attention has turned to exploring the DDoS for hire ecosystem [40]. Since the emergence of IoT devices, security re- searchers have warned of their many inherent security flaws [80]. Researchers have found that IoT devices con- tain vulnerabilities from the firmware level [18, 19] up to the application level [26, 29, 73, 78]. Mirai is also not the first of its kind to target IoT devices — several precursors to Mirai exist, all of which exploit the weak password nature of these devices [38, 52, 59, 62, 72]. As a result of these widespread security failures, the security community has been quick to design systems to secure these kinds of devices. In one example, Fernandes et al. proposed Flowfence, which enables data flow protection for emerging IoT frameworks [27]. Much more work is needed if we are to understand and secure this new frontier. In this work, we utilize a multitude of well-established botnet measurement perspectives, which substantiate con- cerns about IoT security. We demonstrate the damage that an IoT botnet can inflict upon the public Internet, eclipsing the DDoS capabilities of prior botnets. We use previously introduced solutions as guidelines for our own proposals for combating the Mirai botnet, and IoT botnets at large. 9 Conclusion The Mirai botnet, composed primarily of embedded and IoT devices, took the Internet by storm in late 2016 when it overwhelmed several high-profile targets with some of the largest distributed denial-of-service (DDoS) attacks on record. In this work, we provided a comprehensive analysis of Mirai’s emergence and evolution, the devices it targeted and infected, and the attacks it executed. We find that while IoT devices present many unique security challenges, Mirai’s emergence was primarily based on the absence of security best practices in the IoT space, which resulted in a fragile environment ripe for abuse. As the IoT domain continues to expand and evolve, we hope Mirai serves as a call to arms for industrial, academic, and government stakeholders concerned about the security, privacy, and safety of an IoT-enabled world. Acknowledgments The authors thank David Adrian, Brian Krebs, Vern Pax- son, and the Censys Team for their help and feedback. This work was supported in part by the National Sci- ence Foundation under contracts CNS-1345254, CNS- 1409505, CNS-1518888, CNS-1505790, CNS-1530915, CNS-1518741 and through gifts from Intel and Google. The work was additionally supported by the U.S. Depart- ment of Commerce grant 2106DEK, Air Force Research Laboratory/Defense Advanced Research Projects Agency grant 2106DTX, the Department of Homeland Security Science and Technology Directorate FA8750-12-2-0314, and a Google Ph.D. Fellowship. Any opinions, findings, conclusions, or recommendations expressed in this mate- rial are those of the authors and do not necessarily reflect the views of their employers or the sponsors. References [1] Team Cymru. http://www.team-cymru.org/. [2] M. Abu Rajab, J. Zarfoss, F. Monrose, and A. Terzis. A multi- faceted approach to understanding the botnet phenomenon. In 6th ACM Internet Measurement Conference , 2006. [3] Akamai. Q4 2016 state of the Internet - connectivity report. https:// www.akamai.com/us/en/multimedia/documents/state-of-the- internet/q4-2016-state-of-the-internet-connectivity-report.pdf. [4] Anna-senpai. [FREE] world’s largest net:Mirai botnet, client, echo loader, CNC source code release. https://hackforums.net/ showthread.php?tid=5420472. [5] M. Antonakakis, R. Perdisci, D. Dagon, W. Lee, and N. Feamster. Building a dynamic reputation system for DNS. In 19th USENIX Security Symposium , 2010. [6] M. Antonakakis, R. Perdisci, Y. Nadji, N. Vasiloglou, S. Abu- Nimeh, W. Lee, and D. Dagon. From throw-away traffic to bots: Detecting the rise of DGA-based malware. In 21st USENIX Secu- rity Symposium , 2012.
[7] Arbor Networks. Worldwide infrastructure security re- port. https://www.arbornetworks.com/images/documents/ WISR2016_EN_Web.pdf. [8] H. Asghari, M. Ciere, and M. J. G. Van Eeten. Post-mortem of a zombie: Conficker cleanup after six years. In 24th USENIX Security Symposium , 2015. [9] M. Bailey, E. Cooke, F. Jahanian, and J. Nazario. The Internet Motion Sensor - A Distributed Blackhole Monitoring System. In 12th Network and Distributed Systems Security Symposium , 2005. [10] M. Bailey, E. Cooke, F. Jahanian, and D. Watson. The Blaster worm: Then and now. IEEE Security & Privacy, 2005. [11] M. Bailey, E. Cooke, F. Jahanian, Y. Xu, and M. Karir. A survey of botnet technology and defenses. In Cybersecurity Applications & Technology Conference For Homeland Security , 2009. [12] P. Barford and V. Yegneswaran. An Inside Look at Botnets. 2007. [13] BBC. Router hacker suspect arrested at Luton airport. http:// www.bbc.com/news/technology-37510502. [14] K. Beaumont. "Shadows Kill"– — Mirai DDoS botnet testing large scale attacks, sending threatening messages about UK and attacking researchers. https://medium.com/@networksecurity/ shadows-kill-mirai-ddos-botnet-testing-large-scale-attacks- sending-threatening-messages-about-6a61553d1c7. [15] J. Blackford and M. Digdon. TR-069 issue 1 amendment 5. https://www.broadband-forum.org/technical/download/TR- 069_Amendment-5.pdf. [16] CAIDA: Center for Applied Internet Data Analysis. AS ranking. http://as-rank.caida.org/?mode0=as-ranking&n=100&ranksort= 3, 2017.
1108 26th USENIX Security Symposium USENIX Association [17] E. Cooke, F. Jahanian, and D. McPherson. The zombie roundup: Understanding, detecting, and disrupting botnets. In 1st USENIX Steps to Reducing Unwanted Traffic on the Internet Workshop , 2005. [18] A. Costin, J. Zaddach, A. Francillon, and D. Balzarotti. A large- scale analysis of the security of embedded firmwares. In 23rd USENIX Security Symposium , 2014.
[19] A. Costin, A. Zarras, and A. Francillon. Automated dynamic firmware analysis at scale: A case study on embedded web inter- faces. In 11th ACM Asia Conference on Computer and Communi- cations Security , 2016. [20] J. Czyz, M. Kallitsis, M. Gharaibeh, C. Papadopoulos, M. Bailey, and M. Karir. Taming the 800 pound gorilla: The rise and de- cline of NTP DDoS attacks. In 14th ACM Internet Measurement Conference , 2014.
[21] Deutsche Telekom. Telekom-hilt. https://www.facebook. com/telekomhilft/photos/a.143615195685585.27512. 122768271103611/1199966633383764/?type=&theater. [22] Z. Durumeric, D. Adrian, A. Mirian, M. Bailey, and J. A. Halder- man. A search engine backed by Internet-wide scanning. In 22nd ACM Conference on Computer and Communications Security , 2015.
[23] Z. Durumeric, M. Bailey, and J. A. Halderman. An Internet- wide view of Internet-wide scanning. In 23rd USENIX Security Symposium , 2014.
[24] Z. Durumeric, J. Kasten, D. Adrian, J. A. Halderman, M. Bailey, F. Li, N. Weaver, J. Amann, J. Beekman, M. Payer, et al. The mat- ter of Heartbleed. In 14th ACM Internet Measurement Conference, 2014.
[25] EvoSec. New IoT malware? anime/kami. https://evosec.eu/ new-iot-malware/. [26] E. Fernandes, J. Jung, and A. Prakash. Security analysis of emerg- ing smart home applications. In 37th IEEE Symposium on Security and Privacy , 2016.
[27] E. Fernandes, J. Paupore, A. Rahmati, D. Simionato, M. Conti, and A. Prakash. Flowfence: Practical data protection for emerging IoT application frameworks. In 25th USENIX Security Symposium, 2016.
[28] M. Finifter, D. Akhawe, and D. Wagner. An empirical study of vulnerability rewards programs. In 22nd USENIX Security Symposium , 2013.
[29] L. Franceschi-Bicchierai. Hackers makes the first-ever ran- somware for smart thermostats. https://motherboard.vice.com/ en_us/article/internet-of-things-ransomware-smart-thermostat. [30] A. Froehlich. 8 IoT operating systems powering the future. http://www.informationweek.com/iot/8-iot-operating- systems-powering-the-future/d/d-id/1324464. [31] Gamepedia Minecraft Wiki. Tutorials/setting up a server. http:// minecraft.gamepedia.com/Tutorials/Setting_up_a_server. [32] G. Gu, R. Perdisci, J. Zhang, and W. Lee. BotMiner: Clustering analysis of network traffic for protocol-and structure-independent botnet detection. In 17th USENIX Security Symposium, 2008. [33] G. Gu, J. Zhang, and W. Lee. Botsniffer: Detecting botnet com- mand and control channels in network traffic. In 15th Network and Distributed System Security Symposium , 2008.
[34] B. Herzberg, D. Bekerman, and I. Zeifman. Breaking down mirai: An IoT DDoS botnet analysis. https://www.incapsula.com/blog/ malware-analysis-mirai-ddos-botnet.html. [35] K. J. Higgins. Srizbi botnet sending over 60 billion spams a day. http://www.darkreading.com/risk/srizbi-botnet-sending-over- 60-billion-spams-a-day/d/d-id/1129480. [36] S. Hilton. Dyn analysis summary of Friday October 21 at- tack. http://hub.dyn.com/dyn-blog/dyn-analysis-summary-of- friday-october-21-attack. [37] T. Holz, M. Steiner, F. Dahl, E. Biersack, and F. Freiling. Mea- surements and mitigation of peer-to-peer-based botnets: A case study on Storm worm. In 1st USENIX Workshop on Large-Scale Exploits and Emergent Threats , 2008.
[38] Internet Census 2012. Port scanning/0 using insecure embedded devices. http://internetcensus2012.bitbucket.org/paper.html. [39] M. Karami and D. McCoy. Understanding the emerging threat of DDoS-as-a-service. In 6th USENIX Workshop on Large-Scale Exploits and Emergent Threats , 2013.
[40] M. Karami, Y. Park, and D. McCoy. Stress testing the booters: Understanding and undermining the business of DDoS services. In 25th International Conference on World Wide Web, 2016. [41] kenzo2017. Eir’s d1000 modem is wide open to being hacked. https://devicereversing.wordpress.com/2016/11/07/eirs- d1000-modem-is-wide-open-to-being-hacked/. [42] S. Khandelwal. Someone is using mirai botnet to shut down internet for an entire country. http://thehackernews.com/2016/11/ ddos-attack-mirai-botnet.html. [43] O. Klaba. Octave klaba Twitter. https://twitter.com/olesovhcom/ status/778830571677978624. [44] A. Kountouras, P. Kintis, C. Lever, Y. Chen, Y. Nadji, D. Dagon, M. Antonakakis, and R. Joffe. Enabling network security through active DNS datasets. In 19th International Research in Attacks, Intrusions, and Defenses Symposium , 2016. [45] B. Krebs. Did the Mirai botnet really take Liberia of- fline? https://krebsonsecurity.com/2016/11/did-the-mirai-botnet- really-take-liberia-offline/. [46] B.
Krebs. Krebsonsecurity hit with
record DDoS.
https://krebsonsecurity.com/2016/09/krebsonsecurity-hit- with-record-ddos/. [47] B. Krebs. New Mirai worm knocks 900k Germans of- fline. https://krebsonsecurity.com/2016/11/new-mirai-worm- knocks-900k-germans-offline/. [48] B. Krebs. Spreading the DDoS disease and selling the cure. https://krebsonsecurity.com/2016/10/spreading-the-ddos- disease-and-selling-the-cure/. [49] B. Krebs. Who is Anna-Senpai, the Mirai worm au- thor? https://krebsonsecurity.com/2017/01/who-is-anna-senpai- the-mirai-worm-author/. [50] B. Krebs. Who makes the IoT things under attack? https://krebsonsecurity.com/2016/10/who-makes-the-iot- things-under-attack/. [51] M. Kührer, T. Hupperich, C. Rossow, and T. Holz. Exit from hell? reducing the impact of amplification DDoS attacks. In 23rd USENIX Security Symposium , 2014. [52] Level 3. Attack of things! http://www.netformation.com/level-3- pov/attack-of-things-2. [53] Level 3. How the grinch stole IoT. http://www.netformation.com/ level-3-pov/how-the-grinch-stole-iot. [54] C. Lever, P. Kotzias, D. Balzarotti, J. Caballero, and M. Anton- akakis. A Lustrum of malware network communication: Evolution and insights. In 38th IEEE Symposium on Security and Privacy, 2017. [55] C. Lever, R. Walls, Y. Nadji, D. Dagon, P. McDaniel, and M. An- tonakakis. Domain-Z: 28 registrations later. In 37th IEEE Sympo- sium on Security and Privacy , 2016. USENIX Association 26th USENIX Security Symposium 1109 [56] F. Li, Z. Durumeric, J. Czyz, M. Karami, M. Bailey, D. McCoy, S. Savage, and V. Paxson. You’ve got vulnerability: Exploring effective vulnerability notifications. In 25th USENIX Security Symposium , 2016. [57] F. Li, G. Ho, E. Kuan, Y. Niu, L. Ballard, K. Thomas, E. Bursztein, and V. Paxson. Remedying web hijacking: Notification effec- tiveness and webmaster comprehension. In 25th International Conference on World Wide Web , 2016.
[58] G. Lyon. Nmap network scanning. https://nmap.org/book/vscan- fileformat.html. [59] M. Malik and M.-E. M. Léveillé. Meet Remaiten–a Linux bot on steroids targeting routers and potentially other IoT
devices. http://www.welivesecurity.com/2016/03/30/ meet-remaiten-a-linux-bot-on-steroids-targeting-routers-and- potentially-other-iot-devices/. [60] MalwareTech. Mapping Mirai: A botnet case study. https://www.malwaretech.com/2016/10/mapping-mirai-a- botnet-case-study.html. [61] Maxmind, LLC. Geoip2. https://www.maxmind.com/en/geoip2- city. [62] X. Mertens. Analyze of a Linux botnet client source code.
https://isc.sans.edu/forums/diary/Analyze+of+a+Linux+ botnet+client+source+code/21305. [63] Microsoft. Support for Windows XP ended. https://www. microsoft.com/en-us/WindowsForBusiness/end-of-xp-support. [64] M. Mimoso. IoT botnets are the new normal of DDoS at- tacks. https://threatpost.com/iot-botnets-are-the-new-normal-of- ddos-attacks/121093/. [65] Minecraft Modern Wiki. Protocol handshaking. http://wiki.vg/ Protocol#Handshaking. [66] J. Mirkovic, S. Dietrich, D. Dittrich, and P. Reiher. Internet De- nial of Service: Attack and Defense Mechanisms (Radia Perlman Computer Networking and Security) . Prentice Hall PTR, 2004. [67] J. Mirkovic and P. Reiher. A taxonomy of DDoS attack and DDoS defense mechanisms. SIGCOMM Computer Communications Review .
N. Weaver. Inside the Slammer worm. IEEE Security & Privacy, 2003.
[69] D. Moore, C. Shannon, D. J. Brown, G. M. Voelker, and S. Savage. Inferring internet denial-of-service activity. ACM Transactions on Computer Systems (TOCS) , 2006.
[70] D. Moore, C. Shannon, and K. Claffy. Code-Red: A case study on the spread and victims of an Internet worm. In 2nd ACM Internet Measurment Workshop , 2002.
[71] S. Moss. Major DDoS attack on Dyn disrupts AWS, Twit- ter, Spotify and more. http://www.datacenterdynamics.com/ content-tracks/security-risk/major-ddos-attack-on-dyn-disrupts- aws-twitter-spotify-and-more/97176.fullarticle. [72] P. Muncaster. Massive Qbot botnet strikes 500,000 machines through WordPress. https://www.infosecurity-magazine.com/ news/massive-qbot-strikes-500000-pcs/. [73] C. O’Flynn. A lightbulb worm? a teardown of the philips hue. Blackhat Security Conference. [74] OVH. The DDoS that didn’t break the camel’s VAC*. https://www.ovh.com/us/news/articles/a2367.the-ddos-that- didnt-break-the-camels-vac. [75] D. Pauli. Netgear unveils world’s easiest bug bounty. http://www.theregister.co.uk/2017/01/06/netgear_unveils_ worlds_easiest_bug_bounty/. [76] P. Porras, H. Saïdi, and V. Yegneswaran. A foray into Conficker’s logic and rendezvous points. In 2nd USENIX Conference on Large- scale Exploits and Emergent Threats: Botnets, Spyware, Worms, and More
, 2009. [77] M. Prince. The DDoS that almost broke the internet. https:// blog.cloudflare.com/the-ddos-that-almost-broke-the-internet/. [78] E. Ronen, C. O’Flynn, A. Shamir, and A.-O. Weingarten. IoT goes nuclear: Creating a ZigBee chain reaction. [79] C. Rossow. Amplification hell: Revisiting network protocols for DDoS abuse. In 21st Network and Distributed System Security Symposium , 2014. [80] B. Schneier. The Internet of Things is wildly insecure–and often unpatchable. https://www.schneier.com/essays/archives/2014/01/ the_internet_of_thin.html. [81] C. Shannon and D. Moore. The spread of the Witty worm. IEEE Security & Privacy , 2004. [82] S. Shin and G. Gu. Conficker and Beyond: A Large-scale Em- pirical Study. In 26th Annual Computer Security Applications Conference , 2010. [83] S. S. C. Silva, R. M. P. Silva, R. C. G. Pinto, and R. M. Salles. Botnets: A survey. 2013. [84] P. Sinha, A. Boukhtouta, V. H. Belarde, and M. Debbabi. Insights from the analysis of the Mariposa botnet. In 5th Conference on Risks and Security of Internet and Systems , 2010. [85] B. Stone-Gross, M. Cova, L. Cavallaro, B. Gilbert, M. Szydlowski, R. Kemmerer, C. Kruegel, and G. Vigna. Your botnet is my botnet: analysis of a botnet takeover. In 16th ACM conference on Computer and Communications Security , 2009.
[86] A. Tellez. Bashlite. https://github.com/anthonygtellez/ BASHLITE. [87] K. Thomas, R. Amira, A. Ben-Yoash, O. Folger, A. Hardon, A. Berger, E. Bursztein, and M. Bailey. The abuse sharing econ- omy: Understanding the limits of threat exchanges. In 19th Sym- posium on Research in Attacks, Intrusions and Defenses , 2016. [88] K. Thomas, D. Y. Huang, D. Wang, E. Bursztein, C. Grier, T. J. Holt, C. Kruegel, D. McCoy, S. Savage, and G. Vigna. Framing dependencies introduced by underground commoditization. In 14th Workshop on the Economics of Information Security , 2015.
[89] @unixfreaxjp. Mmd-0056-2016 - Linux/Mirai, how an old ELF malcode is recycled. http://blog.malwaremustdie.org/2016/08/ mmd-0056-2016-linuxmirai-just.html. [90] VirusTotal. Virustotal - free online virus, malware, and url scanner. https://virustotal.com/en. [91] D. Wang, S. Savage, and G. M. Voelker. Juice: A longitudinal study of an SEO campaign. In 20th Network and Distributed Systems Security Symposium , 2013. [92] N. Wells. Busybox: A swiss army knife for linux. [93] WikiDevi. Eltel et-5300. https://wikidevi.com/wiki/Eltel_ET- 5300#Stimulating_port_5555_.28from_Internet.29. [94] E. Wustrow, M. Karir, M. Bailey, F. Jahanian, and G. Houston. Internet Background Radiation Revisited. In 10th ACM Internet Measurement Conference , 2010.
[95] E. Wustrow, M. Karir, M. Bailey, F. Jahanian, and G. Huston. Internet background radiation revisited. In 10th ACM Internet Measurement Conference , 2010.
[96] J. Wyke. The ZeroAccess botnet: Mining and fraud for massive financial gain. Sophos Technical Paper, 2012. [97] A. Zand, G. Vigna, X. Yan, and C. Kruegel. Extracting probable command and control signatures for detecting botnets. In 29th ACM Symposium on Applied Computing , 2014.
1110 26th USENIX Security Symposium USENIX Association Document Outline
Yüklə 382,3 Kb. Dostları ilə paylaş:
|