Advertisement

A Secure Contained Testbed for Analyzing IoT Botnets

  • Ayush KumarEmail author
  • Teng Joon Lim
Conference paper
Part of the Lecture Notes of the Institute for Computer Sciences, Social Informatics and Telecommunications Engineering book series (LNICST, volume 270)

Abstract

Many security issues have come to the fore with the increasingly widespread adoption of Internet-of-Things (IoT) devices. The Mirai attack on Dyn DNS service, in which vulnerable IoT devices such as IP cameras, DVRs and routers were infected and used to propagate large-scale DDoS attacks, is one of the more prominent recent examples. IoT botnets, consisting of hundreds-of-thousands of bots, are currently present “in-the-wild” at least and are only expected to grow in the future, with the potential to cause significant network downtimes and financial losses to network companies. We propose, therefore, to build testbeds for evaluating IoT botnets and design suitable mitigation techniques against them. A DETERlab-based IoT botnet testbed is presented in this work. The testbed is built in a secure contained environment and includes ancillary services such as DHCP, DNS as well as botnet infrastructure including CnC and scanListen/loading servers. Developing an IoT botnet testbed presented us with some unique challenges which are different from those encountered in non-IoT botnet testbeds and we highlight them in this paper. Further, we point out the important features of our testbed and illustrate some of its capabilities through experimental results.

Keywords

Internet of Things IoT Malware Mirai Botnet Testbed 

Notes

Acknowledgment

The authors would like to appreciate the National Cybersecurity R&D Lab, Singapore for allowing us to use their testbed to collect important data which has been used in our work. This research is supported by the National Research Foundation, Prime Minister’s Office, Singapore under its Corporate Laboratory@University Scheme, National University of Singapore, and Singapore Telecommunications Ltd.

References

  1. 1.
    Al-Fuqaha, A., Guizani, M., Mohammadi, M., Aledhari, M., Ayyash, M.: Internet of Things: a survey on enabling technologies, protocols, and applications. IEEE Commun. Surv. Tutor. 17(4), 2347–2376 (2015)CrossRefGoogle Scholar
  2. 2.
    Nordrum, A.: Popular Internet of Things forecast of 50 billion devices by 2020 is outdated. https://spectrum.ieee.org/tech-talk/telecom/internet/popular-internet-of-things-forecast-of-50-billion-devices-by-2020-is-outdated
  3. 3.
    Yang, Y., Wu, L., Yin, G., Li, L., Zhao, H.: A survey on security and privacy issues in Internet-of-Things. IEEE Internet Things J. 4(5), 1250–1258 (2017)CrossRefGoogle Scholar
  4. 4.
    Lin, J., Yu, W., Zhang, N., Yang, X., Zhang, H., Zhao, W.: A survey on Internet of Things: architecture, enabling technologies, security and privacy, and applications. IEEE Internet Things J. 4(5), 1125–1142 (2017)CrossRefGoogle Scholar
  5. 5.
    Frustaci, M., Pace, P., Aloi, G., Fortino, G.: Evaluating critical security issues of the IoT world: present and future challenges. IEEE Internet Things J. 5(4), 2483–2495 (2018)CrossRefGoogle Scholar
  6. 6.
    Krebs, B.: Hacked cameras, DVRs powered today’s massive internet outage, October 2016. https://krebsonsecurity.com/2016/10/hacked-cameras-dvrs-powered-todays-massive-internet-outage/
  7. 7.
    Cimpanu, C.: There’s a 120,000-strong IoT DDoS botnet lurking around. http://news.softpedia.com/news/there-s-a-120-000-strong-iot-ddos-botnet-lurking-around-507773.shtml
  8. 8.
    Constantin, L.: Your Linux-based home router could succumb to a new Telnet worm, Remaiten. https://www.computerworld.com/article/3049982/security/your-linux-based-home-router-could-succumb-to-a-new-telnet-worm-remaiten.html
  9. 9.
    Grange, W.: Hajime worm battles Mirai for control of the Internet of Things. https://www.symantec.com/connect/blogs/hajime-worm-battles-mirai-control-internet-things
  10. 10.
    Arghire, I.: IoT botnet used in website hacking attacks. https://www.securityweek.com/iot-botnet-used-website-hacking-attacks
  11. 11.
  12. 12.
  13. 13.
    Calvet, J., et al.: The case for in-the-lab botnet experimentation: creating and taking down a 3000-node botnet. In: Proceedings of the 26th Annual Computer Security Applications Conference, ACSAC 2010, New York, pp. 141–150 (2010)Google Scholar
  14. 14.
    NCL: National Cybersecurity R&D Lab. https://ncl.sg/
  15. 15.
    DeterLab: Cyber-defense technology experimental research laboratory. https://www.isi.deterlab.net/index.php3
  16. 16.
    Barford, P., Blodgett, M.: Toward botnet Mesocosms. In: Proceedings of the First Conference on First Workshop on Hot Topics in Understanding Botnets, HotBots 2007, Berkeley, p. 6. USENIX Association (2007)Google Scholar
  17. 17.
    Jackson, A.W., Lapsley, D., Jones, C., Zatko, M., Golubitsky, C., Strayer, W.T.: SLINGbot: a system for live investigation of next generation botnets. In: Cybersecurity Applications Technology Conference for Homeland Security, pp. 313–318, March 2009Google Scholar
  18. 18.
    Vanderveen, K.B., et al.: Large-scale botnet analysis on a budget (2011)Google Scholar
  19. 19.
    Kreibich, C., Weaver, N., Kanich, C., Cui, W., Paxson, V.: GQ: practical containment for measuring modern malware systems. In: Proceedings of the 2011 ACM SIGCOMM Conference on Internet Measurement Conference, IMC 2011, New York, pp. 397–412. ACM (2011)Google Scholar
  20. 20.
    ElSheikh, M.H., Gadelrab, M.S., Ghoneim, M.A., Rashwan, M.: Botgen: a new approach for in-lab generation of botnet datasets. In: 9th International Conference on Malicious and Unwanted Software: The Americas (MALWARE), pp. 76–84, October 2014Google Scholar
  21. 21.
    Alomari, E., Manickam, S., Gupta, B.B., Singh, P., Anbar, M.: Design, deployment and use of HTTP-based botnet (HBB) testbed. In: 16th International Conference on Advanced Communication Technology, pp. 1265–1269, February 2014Google Scholar
  22. 22.
    Ahmad, M.A., Woodhead, S., Gan, D.: The V-network testbed for malware analysis. In: International Conference on Advanced Communication Control and Computing Technologies (ICACCCT), pp. 629–635, May 2016Google Scholar
  23. 23.
    Kolias, C., Kambourakis, G., Stavrou, A., Voas, J.: DDoS in the IoT: Mirai and other botnets. Computer 50(7), 80–84 (2017)CrossRefGoogle Scholar
  24. 24.
    MySQL: The world’s most popular open source database. https://www.mysql.com/
  25. 25.
    Winward, R.: Mirai: inside of an IoT Botnet, February 2017. https://www.nanog.org/sites/default/files/1_Winward_Mirai_The_Rise.pdf
  26. 26.
    Bellard, F.: QEMU, a fast and portable dynamic translator. In: Proceedings of the Annual Conference on USENIX Annual Technical Conference, ATEC 2005, Berkeley, p. 41. USENIX Association (2005). https://www.qemu.org/

Copyright information

© ICST Institute for Computer Sciences, Social Informatics and Telecommunications Engineering 2019

Authors and Affiliations

  1. 1.Department of Electrical and Computer EngineeringNational University of SingaporeSingaporeSingapore

Personalised recommendations