several studies investigating vulnerable amplifiers [20, 51, 79]. As DDoS attacks and infrastructure are becoming more commonplace, attention has turned to exploring the DDoS-for-hire ecosystem [40].

Since the emergence of IoT devices, security researchers have warned of their many inherent security flaws [80]. Researchers have found that IoT devices contain vulnerabilities from the firmware level [18, 19] up to the application level [26, 29, 73, 78]. Mirai is also not the first of its kind to target IoT devices — several precursors to Mirai exist, all of which exploit the weak-password nature of these devices [38, 52, 59, 62, 72]. As a result of these widespread security failures, the security community has been quick to design systems to secure these kinds of devices. In one example, Fernandes et al. proposed Flowfence, which enables data flow protection for emerging IoT frameworks [27]. Much more work is needed if we are to understand and secure this new frontier.

In this work, we utilize a multitude of well-established botnet measurement perspectives, which substantiate concerns about IoT security. We demonstrate the damage that an IoT botnet can inflict upon the public Internet, eclipsing the DDoS capabilities of prior botnets. We use previously introduced solutions as guidelines for our own proposals for combating the Mirai botnet, and IoT botnets at large.
9 Conclusion
The Mirai botnet, composed primarily of embedded and IoT devices, took the Internet by storm in late 2016 when it overwhelmed several high-profile targets with some of the largest distributed denial-of-service (DDoS) attacks on record. In this work, we provided a comprehensive analysis of Mirai's emergence and evolution, the devices it targeted and infected, and the attacks it executed. We find that while IoT devices present many unique security challenges, Mirai's emergence was primarily based on the absence of security best practices in the IoT space, which resulted in a fragile environment ripe for abuse. As the IoT domain continues to expand and evolve, we hope Mirai serves as a call to arms for industrial, academic, and government stakeholders concerned about the security, privacy, and safety of an IoT-enabled world.
Acknowledgments

The authors thank David Adrian, Brian Krebs, Vern Paxson, and the Censys Team for their help and feedback. This work was supported in part by the National Science Foundation under contracts CNS-1345254, CNS-1409505, CNS-1518888, CNS-1505790, CNS-1530915, CNS-1518741 and through gifts from Intel and Google. The work was additionally supported by the U.S. Department of Commerce grant 2106DEK, Air Force Research Laboratory/Defense Advanced Research Projects Agency grant 2106DTX, the Department of Homeland Security Science and Technology Directorate FA8750-12-2-0314, and a Google Ph.D. Fellowship. Any opinions, findings, conclusions, or recommendations expressed in this material are those of the authors and do not necessarily reflect the views of their employers or the sponsors.
References
[1] Team Cymru. http://www.team-cymru.org/.
[2] M. Abu Rajab, J. Zarfoss, F. Monrose, and A. Terzis. A multifaceted approach to understanding the botnet phenomenon. In 6th ACM Internet Measurement Conference, 2006.
[3] Akamai. Q4 2016 state of the Internet - connectivity report. https://www.akamai.com/us/en/multimedia/documents/state-of-the-internet/q4-2016-state-of-the-internet-connectivity-report.pdf.
[4] Anna-senpai. [FREE] world's largest net:Mirai botnet, client, echo loader, CNC source code release. https://hackforums.net/showthread.php?tid=5420472.
[5] M. Antonakakis, R. Perdisci, D. Dagon, W. Lee, and N. Feamster. Building a dynamic reputation system for DNS. In 19th USENIX Security Symposium, 2010.
[6] M. Antonakakis, R. Perdisci, Y. Nadji, N. Vasiloglou, S. Abu-Nimeh, W. Lee, and D. Dagon. From throw-away traffic to bots: Detecting the rise of DGA-based malware. In 21st USENIX Security Symposium, 2012.
[7] Arbor Networks. Worldwide infrastructure security report. https://www.arbornetworks.com/images/documents/WISR2016_EN_Web.pdf.
[8] H. Asghari, M. Ciere, and M. J. G. Van Eeten. Post-mortem of a zombie: Conficker cleanup after six years. In 24th USENIX Security Symposium, 2015.
[9] M. Bailey, E. Cooke, F. Jahanian, and J. Nazario. The Internet Motion Sensor - A Distributed Blackhole Monitoring System. In 12th Network and Distributed Systems Security Symposium, 2005.
[10] M. Bailey, E. Cooke, F. Jahanian, and D. Watson. The Blaster worm: Then and now. IEEE Security & Privacy, 2005.
[11] M. Bailey, E. Cooke, F. Jahanian, Y. Xu, and M. Karir. A survey of botnet technology and defenses. In Cybersecurity Applications & Technology Conference For Homeland Security, 2009.
[12] P. Barford and V. Yegneswaran. An Inside Look at Botnets. 2007.
[13] BBC. Router hacker suspect arrested at Luton airport. http://www.bbc.com/news/technology-37510502.
[14] K. Beaumont. "Shadows Kill" — Mirai DDoS botnet testing large scale attacks, sending threatening messages about UK and attacking researchers. https://medium.com/@networksecurity/shadows-kill-mirai-ddos-botnet-testing-large-scale-attacks-sending-threatening-messages-about-6a61553d1c7.
[15] J. Blackford and M. Digdon. TR-069 issue 1 amendment 5. https://www.broadband-forum.org/technical/download/TR-069_Amendment-5.pdf.
[16] CAIDA: Center for Applied Internet Data Analysis. AS ranking. http://as-rank.caida.org/?mode0=as-ranking&n=100&ranksort=3, 2017.
1108 26th USENIX Security Symposium
USENIX Association
[17] E. Cooke, F. Jahanian, and D. McPherson. The zombie roundup: Understanding, detecting, and disrupting botnets. In 1st USENIX Steps to Reducing Unwanted Traffic on the Internet Workshop, 2005.
[18] A. Costin, J. Zaddach, A. Francillon, and D. Balzarotti. A large-scale analysis of the security of embedded firmwares. In 23rd USENIX Security Symposium, 2014.
[19] A. Costin, A. Zarras, and A. Francillon. Automated dynamic firmware analysis at scale: A case study on embedded web interfaces. In 11th ACM Asia Conference on Computer and Communications Security, 2016.
[20] J. Czyz, M. Kallitsis, M. Gharaibeh, C. Papadopoulos, M. Bailey, and M. Karir. Taming the 800 pound gorilla: The rise and decline of NTP DDoS attacks. In 14th ACM Internet Measurement Conference, 2014.
[21] Deutsche Telekom. Telekom hilft. https://www.facebook.com/telekomhilft/photos/a.143615195685585.27512.122768271103611/1199966633383764/?type=&theater.
[22] Z. Durumeric, D. Adrian, A. Mirian, M. Bailey, and J. A. Halderman. A search engine backed by Internet-wide scanning. In 22nd ACM Conference on Computer and Communications Security, 2015.
[23] Z. Durumeric, M. Bailey, and J. A. Halderman. An Internet-wide view of Internet-wide scanning. In 23rd USENIX Security Symposium, 2014.
[24] Z. Durumeric, J. Kasten, D. Adrian, J. A. Halderman, M. Bailey, F. Li, N. Weaver, J. Amann, J. Beekman, M. Payer, et al. The matter of Heartbleed. In 14th ACM Internet Measurement Conference, 2014.
[25] EvoSec. New IoT malware? anime/kami. https://evosec.eu/new-iot-malware/.
[26] E. Fernandes, J. Jung, and A. Prakash. Security analysis of emerging smart home applications. In 37th IEEE Symposium on Security and Privacy, 2016.
[27] E. Fernandes, J. Paupore, A. Rahmati, D. Simionato, M. Conti, and A. Prakash. Flowfence: Practical data protection for emerging IoT application frameworks. In 25th USENIX Security Symposium, 2016.
[28] M. Finifter, D. Akhawe, and D. Wagner. An empirical study of vulnerability rewards programs. In 22nd USENIX Security Symposium, 2013.
[29] L. Franceschi-Bicchierai. Hackers make the first-ever ransomware for smart thermostats. https://motherboard.vice.com/en_us/article/internet-of-things-ransomware-smart-thermostat.
[30] A. Froehlich. 8 IoT operating systems powering the future. http://www.informationweek.com/iot/8-iot-operating-systems-powering-the-future/d/d-id/1324464.
[31] Gamepedia Minecraft Wiki. Tutorials/setting up a server. http://minecraft.gamepedia.com/Tutorials/Setting_up_a_server.
[32] G. Gu, R. Perdisci, J. Zhang, and W. Lee. BotMiner: Clustering analysis of network traffic for protocol- and structure-independent botnet detection. In 17th USENIX Security Symposium, 2008.
[33] G. Gu, J. Zhang, and W. Lee. BotSniffer: Detecting botnet command and control channels in network traffic. In 15th Network and Distributed System Security Symposium, 2008.
[34] B. Herzberg, D. Bekerman, and I. Zeifman. Breaking down Mirai: An IoT DDoS botnet analysis. https://www.incapsula.com/blog/malware-analysis-mirai-ddos-botnet.html.
[35] K. J. Higgins. Srizbi botnet sending over 60 billion spams a day. http://www.darkreading.com/risk/srizbi-botnet-sending-over-60-billion-spams-a-day/d/d-id/1129480.
[36] S. Hilton. Dyn analysis summary of Friday October 21 attack. http://hub.dyn.com/dyn-blog/dyn-analysis-summary-of-friday-october-21-attack.
[37] T. Holz, M. Steiner, F. Dahl, E. Biersack, and F. Freiling. Measurements and mitigation of peer-to-peer-based botnets: A case study on Storm worm. In 1st USENIX Workshop on Large-Scale Exploits and Emergent Threats, 2008.
[38] Internet Census 2012. Port scanning/0 using insecure embedded devices. http://internetcensus2012.bitbucket.org/paper.html.
[39] M. Karami and D. McCoy. Understanding the emerging threat of DDoS-as-a-service. In 6th USENIX Workshop on Large-Scale Exploits and Emergent Threats, 2013.
[40] M. Karami, Y. Park, and D. McCoy. Stress testing the booters: Understanding and undermining the business of DDoS services. In 25th International Conference on World Wide Web, 2016.
[41] kenzo2017. Eir's d1000 modem is wide open to being hacked. https://devicereversing.wordpress.com/2016/11/07/eirs-d1000-modem-is-wide-open-to-being-hacked/.
[42] S. Khandelwal. Someone is using Mirai botnet to shut down Internet for an entire country. http://thehackernews.com/2016/11/ddos-attack-mirai-botnet.html.
[43] O. Klaba. Octave Klaba Twitter. https://twitter.com/olesovhcom/status/778830571677978624.
[44] A. Kountouras, P. Kintis, C. Lever, Y. Chen, Y. Nadji, D. Dagon, M. Antonakakis, and R. Joffe. Enabling network security through active DNS datasets. In 19th International Research in Attacks, Intrusions, and Defenses Symposium, 2016.
[45] B. Krebs. Did the Mirai botnet really take Liberia offline? https://krebsonsecurity.com/2016/11/did-the-mirai-botnet-really-take-liberia-offline/.
[46] B. Krebs. KrebsOnSecurity hit with record DDoS. https://krebsonsecurity.com/2016/09/krebsonsecurity-hit-with-record-ddos/.
[47] B. Krebs. New Mirai worm knocks 900k Germans offline. https://krebsonsecurity.com/2016/11/new-mirai-worm-knocks-900k-germans-offline/.
[48] B. Krebs. Spreading the DDoS disease and selling the cure. https://krebsonsecurity.com/2016/10/spreading-the-ddos-disease-and-selling-the-cure/.
[49] B. Krebs. Who is Anna-Senpai, the Mirai worm author? https://krebsonsecurity.com/2017/01/who-is-anna-senpai-the-mirai-worm-author/.
[50] B. Krebs. Who makes the IoT things under attack? https://krebsonsecurity.com/2016/10/who-makes-the-iot-things-under-attack/.
[51] M. Kührer, T. Hupperich, C. Rossow, and T. Holz. Exit from hell? Reducing the impact of amplification DDoS attacks. In 23rd USENIX Security Symposium, 2014.
[52] Level 3. Attack of things! http://www.netformation.com/level-3-pov/attack-of-things-2.
[53] Level 3. How the Grinch stole IoT. http://www.netformation.com/level-3-pov/how-the-grinch-stole-iot.
[54] C. Lever, P. Kotzias, D. Balzarotti, J. Caballero, and M. Antonakakis. A Lustrum of malware network communication: Evolution and insights. In 38th IEEE Symposium on Security and Privacy, 2017.
[55] C. Lever, R. Walls, Y. Nadji, D. Dagon, P. McDaniel, and M. Antonakakis. Domain-Z: 28 registrations later. In 37th IEEE Symposium on Security and Privacy, 2016.
[56] F. Li, Z. Durumeric, J. Czyz, M. Karami, M. Bailey, D. McCoy, S. Savage, and V. Paxson. You've got vulnerability: Exploring effective vulnerability notifications. In 25th USENIX Security Symposium, 2016.
[57] F. Li, G. Ho, E. Kuan, Y. Niu, L. Ballard, K. Thomas, E. Bursztein, and V. Paxson. Remedying web hijacking: Notification effectiveness and webmaster comprehension. In 25th International Conference on World Wide Web, 2016.
[58] G. Lyon. Nmap network scanning. https://nmap.org/book/vscan-fileformat.html.
[59] M. Malik and M.-E. M. Léveillé. Meet Remaiten – a Linux bot on steroids targeting routers and potentially other IoT devices. http://www.welivesecurity.com/2016/03/30/meet-remaiten-a-linux-bot-on-steroids-targeting-routers-and-potentially-other-iot-devices/.
[60] MalwareTech. Mapping Mirai: A botnet case study. https://www.malwaretech.com/2016/10/mapping-mirai-a-botnet-case-study.html.
[61] MaxMind, LLC. GeoIP2. https://www.maxmind.com/en/geoip2-city.
[62] X. Mertens. Analyze of a Linux botnet client source code. https://isc.sans.edu/forums/diary/Analyze+of+a+Linux+botnet+client+source+code/21305.
[63] Microsoft. Support for Windows XP ended. https://www.microsoft.com/en-us/WindowsForBusiness/end-of-xp-support.
[64] M. Mimoso. IoT botnets are the new normal of DDoS attacks. https://threatpost.com/iot-botnets-are-the-new-normal-of-ddos-attacks/121093/.
[65] Minecraft Modern Wiki. Protocol handshaking. http://wiki.vg/Protocol#Handshaking.
[66] J. Mirkovic, S. Dietrich, D. Dittrich, and P. Reiher. Internet Denial of Service: Attack and Defense Mechanisms (Radia Perlman Computer Networking and Security). Prentice Hall PTR, 2004.
[67] J. Mirkovic and P. Reiher. A taxonomy of DDoS attack and DDoS defense mechanisms. SIGCOMM Computer Communications Review.
[68] D. Moore, V. Paxson, S. Savage, C. Shannon, S. Staniford, and N. Weaver. Inside the Slammer worm. IEEE Security & Privacy, 2003.
[69] D. Moore, C. Shannon, D. J. Brown, G. M. Voelker, and S. Savage. Inferring Internet denial-of-service activity. ACM Transactions on Computer Systems (TOCS), 2006.
[70] D. Moore, C. Shannon, and K. Claffy. Code-Red: A case study on the spread and victims of an Internet worm. In 2nd ACM Internet Measurement Workshop, 2002.
[71] S. Moss. Major DDoS attack on Dyn disrupts AWS, Twitter, Spotify and more. http://www.datacenterdynamics.com/content-tracks/security-risk/major-ddos-attack-on-dyn-disrupts-aws-twitter-spotify-and-more/97176.fullarticle.
[72] P. Muncaster. Massive Qbot botnet strikes 500,000 machines through WordPress. https://www.infosecurity-magazine.com/news/massive-qbot-strikes-500000-pcs/.
[73] C. O'Flynn. A lightbulb worm? A teardown of the Philips Hue. Black Hat Security Conference.
[74] OVH. The DDoS that didn't break the camel's VAC*. https://www.ovh.com/us/news/articles/a2367.the-ddos-that-didnt-break-the-camels-vac.
[75] D. Pauli. Netgear unveils world's easiest bug bounty. http://www.theregister.co.uk/2017/01/06/netgear_unveils_worlds_easiest_bug_bounty/.
[76] P. Porras, H. Saïdi, and V. Yegneswaran. A foray into Conficker's logic and rendezvous points. In 2nd USENIX Conference on Large-scale Exploits and Emergent Threats: Botnets, Spyware, Worms, and More, 2009.
[77] M. Prince. The DDoS that almost broke the Internet. https://blog.cloudflare.com/the-ddos-that-almost-broke-the-internet/.
[78] E. Ronen, C. O'Flynn, A. Shamir, and A.-O. Weingarten. IoT goes nuclear: Creating a ZigBee chain reaction.
[79] C. Rossow. Amplification hell: Revisiting network protocols for DDoS abuse. In 21st Network and Distributed System Security Symposium, 2014.
[80] B. Schneier. The Internet of Things is wildly insecure – and often unpatchable. https://www.schneier.com/essays/archives/2014/01/the_internet_of_thin.html.
[81] C. Shannon and D. Moore. The spread of the Witty worm. IEEE Security & Privacy, 2004.
[82] S. Shin and G. Gu. Conficker and Beyond: A Large-scale Empirical Study. In 26th Annual Computer Security Applications Conference, 2010.
[83] S. S. C. Silva, R. M. P. Silva, R. C. G. Pinto, and R. M. Salles. Botnets: A survey. 2013.
[84] P. Sinha, A. Boukhtouta, V. H. Belarde, and M. Debbabi. Insights from the analysis of the Mariposa botnet. In 5th Conference on Risks and Security of Internet and Systems, 2010.
[85] B. Stone-Gross, M. Cova, L. Cavallaro, B. Gilbert, M. Szydlowski, R. Kemmerer, C. Kruegel, and G. Vigna. Your botnet is my botnet: Analysis of a botnet takeover. In 16th ACM Conference on Computer and Communications Security, 2009.
[86] A. Tellez. Bashlite. https://github.com/anthonygtellez/BASHLITE.
[87] K. Thomas, R. Amira, A. Ben-Yoash, O. Folger, A. Hardon, A. Berger, E. Bursztein, and M. Bailey. The abuse sharing economy: Understanding the limits of threat exchanges. In 19th Symposium on Research in Attacks, Intrusions and Defenses, 2016.
[88] K. Thomas, D. Y. Huang, D. Wang, E. Bursztein, C. Grier, T. J. Holt, C. Kruegel, D. McCoy, S. Savage, and G. Vigna. Framing dependencies introduced by underground commoditization. In 14th Workshop on the Economics of Information Security, 2015.
[89] @unixfreaxjp. MMD-0056-2016 - Linux/Mirai, how an old ELF malcode is recycled. http://blog.malwaremustdie.org/2016/08/mmd-0056-2016-linuxmirai-just.html.
[90] VirusTotal. VirusTotal - free online virus, malware, and URL scanner. https://virustotal.com/en.
[91] D. Wang, S. Savage, and G. M. Voelker. Juice: A longitudinal study of an SEO campaign. In 20th Network and Distributed Systems Security Symposium, 2013.
[92] N. Wells. BusyBox: A Swiss Army knife for Linux.
[93] WikiDevi. Eltel ET-5300. https://wikidevi.com/wiki/Eltel_ET-5300#Stimulating_port_5555_.28from_Internet.29.
[94] E. Wustrow, M. Karir, M. Bailey, F. Jahanian, and G. Houston. Internet Background Radiation Revisited. In 10th ACM Internet Measurement Conference, 2010.
[95] E. Wustrow, M. Karir, M. Bailey, F. Jahanian, and G. Huston. Internet background radiation revisited. In 10th ACM Internet Measurement Conference, 2010.
[96] J. Wyke. The ZeroAccess botnet: Mining and fraud for massive financial gain. Sophos Technical Paper, 2012.
[97] A. Zand, G. Vigna, X. Yan, and C. Kruegel. Extracting probable command and control signatures for detecting botnets. In 29th ACM Symposium on Applied Computing, 2014.