1
Cleaning Up the Internet of Evil Things: Real-World Evidence on ISP and Consumer Efforts to Remove Mirai
Presented by Shashank Shekhar Sahoo
2
Introduction
3
Background Knowledge
Botnet
- A network of internet-connected devices, where each device is running one or more bots.
- Can be used for sending spam emails, keylogging activities, and even performing Distributed Denial of Service (DDoS) attacks.
Mirai
- First surfaced in 2016; it is IoT malware that infects smart devices.
- Allows the attacker to control the devices remotely and launch DDoS attacks which can go up to 620 Gbps, or even more.
4
Background Knowledge
- Recent rise in IoT devices and, consequently, IoT botnet attacks.
- The majority of the world's population has little or no information about malware.
- Millions of IoT devices are being compromised.
- Low security of the devices.
5
Motivation
- How to remediate the population of vulnerable and compromised IoT devices effectively?
- To understand the impact of notifications on the remediation process.
6
Problem
There is no clear and simple remediation path.
There are three underlying problems:
- There is no public information to identify the owner.
- There is no established channel to reach the owner.
- Even if the owner is reachable, how to provide them with an actionable notification.
7
Solution
8
Experiment
Where do these Mirai-infected devices reside?
- 87% of Mirai-infected IoT devices reside in broadband ISP consumer networks.
- Less than 1% reside in other types of networks such as education, hosting or governmental networks.
Since the majority of the devices lie inside the broadband ISP networks, the ISPs can play a major role in the remediation of the IoT botnets.
9
Experiment Divided the experiment into two stages:
10
Notification Methods
Walled Garden Notification
- Infected users are kept in quarantine.
- Redirected to a landing page whenever the user browses the web.
- Landing page contains instructions on how to clean the device.
- Difficult to ignore.
- An email is sent as well.
Two versions:
1. Standard Walled Garden Notification (Observational Study)
2. Improved Walled Garden Notification (Randomized Control Study)
11
Notification Methods
Control Group
- No notifications were sent.
Email Notification
- Commonly used by ISPs.
- Cheap and easy to scale.
- Major drawbacks:
  - No assurance that the user has read it.
  - A different email might be associated with the ISP.
  - Might be classified as spam.
12
Identifying and Tracking Infections
Identifying Infected Machines
- Shadowserver abuse feeds
Tracking Infected Machines
- Darknet
- IoT honeypot
Device Information
- Nmap scanner
- Censys scan
13
Results
Impact of Notification Mechanism
- Control group had the lowest cleanup rate of 74%.
- Email notification only had a cleanup rate of 77%.
- Improved Walled Garden remediated about 92%.
Impact of Notification Content
- Improved Walled Garden had a higher cleanup rate (92%) as compared to Standard Walled Garden (88%).
- Improved Walled Garden had a shorter median infection time as well.
14
Results
Natural Remediation
- High remediation rate (74%) even though they were not notified.
- Surprising!
- Decided to observe remediation rates of:
  - Two other networks (Business and Subsidiary).
  - Four random ISPs in the country.
- Observed high natural remediation rates as well!
- Along with the high remediation rate, there was a low reinfection rate (5%) as well.
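The three metrics reported on the Results slides (cleanup rate, median infection time, reinfection rate) can be derived per notification group from tracking data such as darknet or honeypot sightings. The following is an added example, not code from the presentation or the underlying study; the 14-day quiet window, the 60-day study length and the sample sightings are assumptions constructed for illustration.

```python
from collections import defaultdict
from statistics import median

QUIET_DAYS = 14  # assumption: unseen for this many days counts as cleaned
STUDY_END = 60   # assumption: last day of the observation window

# Constructed sample: (customer, group, day the device was seen scanning)
SIGHTINGS = [
    ("c1", "control", 0), ("c1", "control", 3), ("c1", "control", 40),
    ("c3", "email", 0), ("c3", "email", 5),
    ("c4", "walled_garden", 0), ("c4", "walled_garden", 1),
    ("c5", "walled_garden", 0),
] + [("c2", "control", d) for d in range(0, 60, 10)]  # never goes quiet


def first_episode(days):
    """Return (start, end, reinfected) for a customer's first infection."""
    days = sorted(set(days))
    end = days[0]
    for d in days[1:]:
        if d - end > QUIET_DAYS:
            return days[0], end, True  # seen again after a quiet period
        end = d
    return days[0], end, False


def summarize(sightings, study_end=STUDY_END):
    """Per-group cleanup rate, median infection days and reinfection rate."""
    days_of, group_of = defaultdict(list), {}
    for cust, group, day in sightings:
        days_of[cust].append(day)
        group_of[cust] = group
    acc = defaultdict(lambda: {"n": 0, "clean": 0, "reinf": 0, "times": []})
    for cust, days in days_of.items():
        s = acc[group_of[cust]]
        start, end, reinfected = first_episode(days)
        s["n"] += 1
        if end + QUIET_DAYS <= study_end:  # else still infected at study end
            s["clean"] += 1
            s["reinf"] += reinfected
            s["times"].append(end - start)
    return {g: {
        "cleanup_rate": s["clean"] / s["n"],
        "median_infection_days": median(s["times"]) if s["times"] else None,
        "reinfection_rate": s["reinf"] / s["clean"] if s["clean"] else None,
    } for g, s in acc.items()}


if __name__ == "__main__":
    for group, row in summarize(SIGHTINGS).items():
        print(group, row)
```

A customer whose last sighting falls inside the final quiet window is counted as still infected, so the choice of window length directly moves the reported cleanup rate.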
15
Results
Impact of Device Type
- Censys and Nmap were used to identify the type of devices.
- Couldn't identify all the devices. Only 28% of them were identified.
- Analyzed banner information and identified:
  - Routers
  - Cameras
  - Storage Units
  - DVRs
  - Set Top Box
16
Results
Impact of Device Type
- Routers cleaned up faster than cameras and DVRs.
17
User Experience
Themes of User Experience in Communication with ISP
- Improved Walled Garden
  - Significantly reduced the number of calls.
  - Fewer requests for a technician.
  - Fewer complaints.
18
Criticism
19
Criticism
Their research was based on a specific malware, i.e. Mirai.
- Non-persistent in nature.
- There is persistent malware as well.
- Drawback:
  - Different types of malware may have different effects on remediation rates.
- Possible Solution:
  - Conduct a study with a mix of persistent and non-persistent malware.
20
Criticism
No explanation for low reinfection rates in the Control Group.
- Mere rebooting of the device doesn't protect against reinfection.
- Mirai has an aggressive scanning behaviour.
- Devices are still vulnerable to Mirai once they are back online.
- Drawback:
  - Didn't conduct phone interviews with those customers.
- Possible Solution:
  - Should have conducted interviews with them as well to find the underlying reason for the low reinfection rate.
21
Criticism
Results based on a very small sample of customers in one country.
- Considered only 220 customers for their experiment.
- Drawback:
  - On a larger scale, such as customers from multiple countries, the results may vary drastically.
- Possible Solution:
  - Could consider a larger sample of customers belonging to different countries.
22
Criticism
Results in Improved Walled Garden may be biased.
- Customers may have already heard about this in the news or in internet articles.
- Helped them to clean it.
- Drawback:
  - Studies conducted in two different time periods.
- Possible Solution:
  - Conduct the studies in the same time period to avoid this.
23
Thank you!