Measurement and Analysis of Hajime: a Peer-to-peer IoT Botnet

Presentation on theme: "Measurement and Analysis of Hajime: a Peer-to-peer IoT Botnet"— Presentation transcript:

1 Measurement and Analysis of Hajime: a Peer-to-peer IoT Botnet
by Stephen Herwig (UMD), Katura Harvey (MPI), George Hughey (UMD), Richard Roberts (MPI), Dave Levin (UMD) Presented by Himanshu Gandhi (2015ANZ7550)

2 What are botnets, by the way ?

3 What is a Botnet? Impact: The impact of botnets became very evident in light of the havoc caused by the recent attack using the Mirai botnet. As per McAfee's Threat Report, the Mirai botnet infected 2.5 million devices, adding 5 IP addresses each minute to the botnet. The Mirai botnet's target was flooded by 1.2 Tbps of traffic, the highest volume of DDoS traffic ever recorded. Incidentally, Mirai and its variants are offered as Botnet-as-a-Service, with charges ranging from $50 to $700. The Mirai botnet had also been used in earlier attacks in 2016, where the impact ranged from shutting down Internet traffic in Liberia (Lodestar) and bringing down the DNS root servers provided by Dyn, thereby crippling Internet traffic in the entire eastern US, to incapacitating the French telecom operator OVH in a devastating DDoS attack.

4 Structural Variants

5 So, what is Hajime ?

6 Characteristics of an “uncharacteristic” Botnet
Resilient
Smart
Continuously Evolving
No Attack so far !!!

7 Hmmm, tell me more about Hajime !

8 Important “Problems” for a Botnet Controller?
Find out currently infected machines
Infect new machines: which machines?
Deploy current attacks: update attacks? Attack files?
Hajime uses BitTorrent-based Distributed Hash Tables for both questions.

9 Bot Discovery
Hosting file F: announce hash(F), announce bot(F), announce hash(.i)
Downloading file F: lookup hash(F), lookup bot(F), lookup file(.i)

10 Announce
Date: Daily (midnight)
File Type: .i (implant/infect), .atk (attack)
Architecture: MIPS Big Endian, MIPS Little Endian, ARM v5, ARM v6, ARM v7

11 Lookup
Hosting / Key Exchange / Downloading over uTP
Keys provide long-lived IDs

12 Thus: Resilient
BitTorrent Based Discovery: Difficult to take down Hajime without bringing down BT !!
P2P: Difficult to centrally monitor and control

13 More about Measurement and Analysis

14 Measurement
List all peers exhaustively: every 16 minutes for 4 months - 5.4M IP addresses - 10.5M keys. Datasets available at
Botnet Size: used unique keys to get botnet size. Why not IP? NAT undercounts; IP reassignments and multi-homed devices => overcount
Code RE: 47 modules – 34 .atk, 13 .i
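As an added illustration of the slide 14 argument (example code, not from the paper or the presentation), this Python snippet runs the unique-IP versus unique-key comparison over a constructed set of peer observations: the NAT'd address hides two bots from the IP count while the reassigned address adds one, so counting keys gives the truer size.

```python
from collections import defaultdict
from typing import NamedTuple


class Observation(NamedTuple):
    snapshot: int  # which periodic peer enumeration saw this peer
    ip: str        # address the peer announced from
    key: str       # long-lived uTP key, the identifier the paper counts


# Constructed sample data (not real Hajime measurements): three bots share
# one NAT address, and a fourth bot changes address between snapshots.
OBSERVATIONS = [
    Observation(0, "203.0.113.10", "key-a"),
    Observation(0, "203.0.113.10", "key-b"),
    Observation(0, "203.0.113.10", "key-d"),
    Observation(0, "198.51.100.7", "key-c"),
    Observation(1, "203.0.113.10", "key-a"),
    Observation(1, "203.0.113.10", "key-b"),
    Observation(1, "203.0.113.10", "key-d"),
    Observation(1, "198.51.100.42", "key-c"),  # key-c after an IP reassignment
]


def size_estimates(obs):
    """Botnet size under the slide's two candidate metrics: distinct IPs vs distinct keys."""
    return {"by_ip": len({o.ip for o in obs}), "by_key": len({o.key for o in obs})}


def nat_and_churn(obs):
    """IPs fronting several keys (NAT) and keys seen on several IPs (reassignment)."""
    keys_per_ip, ips_per_key = defaultdict(set), defaultdict(set)
    for o in obs:
        keys_per_ip[o.ip].add(o.key)
        ips_per_key[o.key].add(o.ip)
    nat_ips = {ip for ip, ks in keys_per_ip.items() if len(ks) > 1}
    churned_keys = {k for k, ips in ips_per_key.items() if len(ips) > 1}
    return nat_ips, churned_keys, keys_per_ip, ips_per_key


def error_decomposition(obs):
    """Bots hidden behind NAT (IP count too low) and extra addresses from churn (too high)."""
    nat_ips, churned_keys, keys_per_ip, ips_per_key = nat_and_churn(obs)
    hidden = sum(len(keys_per_ip[ip]) - 1 for ip in nat_ips)
    extra = sum(len(ips_per_key[k]) - 1 for k in churned_keys)
    return hidden, extra
```

On this sample the IP count comes to 3 against 4 keys: two bots hidden by the NAT, one phantom added by the address change.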

15 Hajime Size

16 Hajime Geo-Distribution
MaxMind IP Geolocation DB used

17 Hajime Architectural Distribution
Based on .atk file usage and the Censys database (IP and uTP key used for device fingerprinting)

18 Hajime Architectural + Geography Distribution

19 Hajime Architectural + Geography Distribution

20 Hajime Architectural + Geography Distribution

21 Hajime – Impact of new Vulnerabilities

22 Hajime – Speed of Updates

23 Attacks and DNS Backscatter

24 Vulnerable Device Attack (CWMP)

25 Non-Vulnerable Device Attack

26 Contribution

27 What’s New ?
Novel way of measuring and analyzing a botnet
Insights about botnets’ ability to evolve
Honeypots need to be architecture specific

28 What’s more in the paper ?
More details on the botnet internals
Insights about device fingerprinting and bot lifetime
CWMP
DNS backscatter based geographical distribution

29 Thank You :)

