Security and Communication Networks
Volume 2018 (2018), Article ID 7178164, 30 pages
https://doi.org/10.1155/2018/7178164
Review Article

DDoS-Capable IoT Malwares: Comparative Analysis and Mirai Investigation

1DTU Compute, Technical University of Denmark, Kongens Lyngby, Denmark
2Centre for Applied Autonomous Sensor Systems (AASS), Örebro University, Örebro, Sweden
3Computer Science Department, Sapienza University of Rome, Rome, Italy

Correspondence should be addressed to Nicola Dragoni; ndra@dtu.dk

Received 21 July 2017; Accepted 22 November 2017; Published 18 February 2018

Academic Editor: Michele Bugliesi

Copyright © 2018 Michele De Donno et al. This is an open access article distributed under the Creative Commons Attribution License, which permits unrestricted use, distribution, and reproduction in any medium, provided the original work is properly cited.

Linked References

  1. E. Bertino, K.-K. R. Choo, D. Georgakopolous, and S. Nepal, “Internet of things (IoT): smart and secure service delivery,” ACM Transactions on Internet Technology (TOIT), vol. 16, no. 4, article 22, 2016.
  2. J. Granjal, E. Monteiro, and J. Sa Silva, “Security for the internet of things: a survey of existing protocols and open research issues,” IEEE Communications Surveys & Tutorials, vol. 17, no. 3, pp. 1294–1312, 2015.
  3. O. Arias, J. Wurm, K. Hoang, and Y. Jin, “Privacy and security in internet of things and wearable devices,” IEEE Transactions on Multi-Scale Computing Systems, vol. 1, no. 2, pp. 99–109, 2015.
  4. N. Dragoni, A. Giaretta, and M. Mazzara, “The internet of hackable things,” in Proceedings of the 5th International Conference in Software Engineering for Defense Applications (SEDA16), P. Ciancarini, S. Litvinov, A. Messina, A. Sillitti, and G. Succi, Eds., Advances in Intelligent Systems and Computing, Springer, Berlin, Germany, 2017.
  5. D. Hughes, “Silent risk: new incarnations of longstanding threats,” Network Security, vol. 2016, no. 8, pp. 17–20, 2016.
  6. S. K. Shukla, “Editorial: cyber security, IoT, block chains—risks and opportunities,” ACM Transactions on Embedded Computing Systems (TECS), vol. 16, no. 3, article 62, pp. 1–2, 2017.
  7. R. Goyal, N. Dragoni, and A. Spognardi, “Mind the tracker you wear: a security analysis of wearable health trackers,” in Proceedings of the 31st Annual ACM Symposium on Applied Computing (SAC '16), pp. 131–136, Pisa, Italy, April 2016.
  8. N. Hoque, D. K. Bhattacharyya, and J. K. Kalita, “Botnet in DDoS attacks: trends and challenges,” IEEE Communications Surveys & Tutorials, vol. 17, no. 4, pp. 2242–2270, 2015.
  9. T. Peng, C. Leckie, and K. Ramamohanarao, “Survey of network-based defense mechanisms countering the DoS and DDoS problems,” ACM Computing Surveys, vol. 39, no. 1, article 3, 2007.
  10. E. Bertino and N. Islam, “Botnets and internet of things security,” IEEE Computer, vol. 50, no. 2, pp. 76–79, 2017.
  11. C. Kolias, G. Kambourakis, A. Stavrou, and J. Voas, “DDoS in the IoT: Mirai and other botnets,” IEEE Computer, vol. 50, no. 7, pp. 80–84, 2017.
  12. K. York, “Dyn statement on 10/21/2016 DDoS attack,” Dyn Blog, 2016, http://dyn.com/blog/dyn-statement-on-10212016-ddos-attack/.
  13. S. Hilton, “Dyn analysis summary of Friday October 21 attack,” Dyn Blog, 2016, http://dyn.com/blog/dyn-analysis-summary-of-friday-october-21-attack/.
  14. A. Asosheh and N. Ramezani, “A comprehensive taxonomy of DDoS attacks and defense mechanism applying in a smart classification,” WSEAS Transactions on Computers, vol. 7, no. 4, pp. 281–290, 2008.
  15. M. De Donno, N. Dragoni, A. Giaretta, and A. Spognardi, “Analysis of DDoS-capable IoT malwares,” in Proceedings of the 1st International Conference on Security, Privacy, and Trust (INSERT '17), M. Ganzha, L. Maciaszek, and M. Paprzycki, Eds., vol. 11, pp. 807–816, Prague, Czech Republic, September 2017.
  16. S. M. Specht and R. B. Lee, “Distributed denial of service: taxonomies of attacks, tools, and countermeasures,” in Proceedings of the 17th International Conference on Parallel and Distributed Computing Systems (ISCA PDCS '04), pp. 543–550, San Francisco, Calif, USA, September 2004.
  17. J. Mirkovic and P. Reiher, “A taxonomy of DDoS attack and DDoS defense mechanisms,” Computer Communication Review, vol. 34, no. 2, pp. 39–53, 2004.
  18. B. B. Gupta, R. C. Joshi, and M. Misra, “Defending against distributed denial of service attacks: issues and challenges,” Information Security Journal: A Global Perspective, vol. 18, no. 5, pp. 224–247, 2009.
  19. C. Douligeris and A. Mitrokotsa, “DDoS attacks and defense mechanisms: classification and state-of-the-art,” Computer Networks, vol. 44, no. 5, pp. 643–666, 2004.
  20. U. Tariq, M. Hong, and K.-S. Lhee, “A comprehensive categorization of DDoS attack and DDoS defense techniques,” in Advanced Data Mining and Applications, vol. 4093 of Lecture Notes in Computer Science, pp. 1025–1036, Springer, Berlin, Germany, 2006.
  21. A. Hussain, J. Heidemann, and C. Papadopoulos, “A framework for classifying denial of service attacks,” in Proceedings of the Conference on Applications, Technologies, Architectures, and Protocols for Computer Communications (SIGCOMM '03), pp. 99–110, Karlsruhe, Germany, August 2003.
  22. E. Alomari, S. Manickam, B. B. Gupta, S. Karuppayah, and R. Alfaris, “Botnet-based distributed denial of service (DDoS) attacks on web servers: classification and art,” International Journal of Computer Applications, vol. 49, no. 7, pp. 24–32, 2012.
  23. S. Specht and R. Lee, “Taxonomies of Distributed Denial of Service networks, attacks, tools and countermeasures,” CE-L2003-03, Princeton University, Princeton, NJ, USA, 2003.
  24. RioRey Inc., Taxonomy of DDoS Attacks, 2014, https://www.servermania.com/gallery/resources/RioRey_Taxonomy_DDoS_Attacks_2.6_2014.pdf.
  25. K. Kumar, R. C. Joshi, and K. Singh, “An integrated approach for defending against distributed denial-of-service (DDoS) attacks,” in IRISS-2006, pp. 1–6, 2006.
  26. G. Singn and M. Gupta, “Distributed denial-of-service,” in Proceedings of the 3rd International Conference on Recent Trends in Engineering, Science and Management (ICRTESM '16), pp. 1131–1139, Bundi, Rajasthan, April 2016.
  27. N. Dragoni, F. Massacci, and A. Saidane, “A self-protecting and self-healing framework for negotiating services and trust in autonomic communication systems,” Computer Networks, vol. 53, no. 10, pp. 1628–1648, 2009.
  28. A. Chen, A. Sriraman, T. Vaidya et al., “Dispersing asymmetric DDoS attacks with SplitStack,” in Proceedings of the 15th ACM Workshop on Hot Topics in Networks (HotNets '16), pp. 197–203, Atlanta, Ga, USA, November 2016.
  29. V. Paxson, “An analysis of using reflectors for distributed denial-of-service attacks,” ACM SIGCOMM Computer Communication Review, vol. 31, no. 3, pp. 38–47, 2001.
  30. S. Gibson, DRDoS: Description and Analysis of a Potent, Increasingly Prevalent, and Worrisome Internet Attack, Gibson Research Corporation, Dayton, Ohio, USA, 2002.
  31. M. Ballano, “Is there an Internet-of-Things vigilante out there?” Symantec Blog, 2015, https://www.symantec.com/connect/blogs/there-internet-things-vigilante-out-there.
  32. W. Grange, “Hajime worm battles Mirai for control of the Internet of Things,” Symantec Blog, 2017, https://www.symantec.com/connect/blogs/hajime-worm-battles-mirai-control-internet-things.
  33. R. K. C. Chang, “Defending against flooding-based distributed denial-of-service attacks: a tutorial,” IEEE Communications Magazine, vol. 40, no. 10, pp. 42–51, 2002.
  34. S. T. Zargar, J. Joshi, and D. Tipper, “A survey of defense mechanisms against distributed denial of service (DDoS) flooding attacks,” IEEE Communications Surveys & Tutorials, vol. 15, no. 4, pp. 2046–2069, 2013.
  35. C. Rossow, “Amplification hell: revisiting network protocols for DDoS abuse,” in Proceedings of the Network and Distributed System Security Symposium, San Diego, Calif, USA, February 2014.
  36. S. Ranjan, R. Swaminathan, M. Uysal, and E. Knightly, “DDoS-resilient scheduling to counter application layer attacks under imperfect detection,” in Proceedings of the 25th IEEE International Conference on Computer Communications (INFOCOM '06), pp. 1–13, Barcelona, Spain, April 2006.
  37. Arbor Networks, “The growing threat of application-layer DDoS attacks,” Tech. Rep., Arbor Networks, Burlington, Mass, USA, 2011.
  38. K. J. Houle and G. M. Weaver, “Trends in denial of service attack technology,” Tech. Rep., CERT Coordination Center, Pittsburgh, Pa, USA, 2001.
  39. X. Luo and R. K. C. Chang, “On a new class of pulsing denial-of-service attacks and the defense,” in Proceedings of the 12th Annual Network and Distributed System Security Symposium, San Diego, Calif, USA, February 2005.
  40. P. Ferguson and D. Senie, “Network ingress filtering: defeating denial of service attacks which employ IP source address spoofing,” RFC 2827, IETF, Fremont, Calif, USA, 2000.
  41. K. Park and H. Lee, “On the effectiveness of route-based packet filtering for distributed DoS attack prevention in power-law internets,” in Proceedings of the 2001 Conference on Applications, Technologies, Architectures, and Protocols for Computer Communications (SIGCOMM '01), pp. 15–26, San Diego, Calif, USA, August 2001.
  42. J. Li, J. Mirkovic, M. Wang, M. Reiher, and L. Zhang, “SAVE: source address validity enforcement protocol,” in Proceedings of the 21st IEEE Annual Joint Conference of the IEEE Computer and Communications Societies (INFOCOM '02), pp. 1557–1566, New York, NY, USA, June 2002.
  43. CERT, “TCP SYN flooding and IP spoofing attacks,” CA-1996-21, CERT Advisory, 2000.
  44. CERT, “Smurf IP denial-of-service attacks,” CA-1998-01, CERT Advisory, 2000.
  45. H. Ballani and P. Francis, “Mitigating DNS DoS attacks,” in Proceedings of the 15th ACM Conference on Computer and Communications Security (CCS '08), pp. 189–198, Alexandria, Va, USA, October 2008.
  46. J. Choi, C. Choi, B. Ko, and P. Kim, “A method of DDoS attack detection using HTTP packet pattern and rule engine in cloud computing environment,” Soft Computing, vol. 18, no. 9, pp. 1697–1703, 2014.
  47. M. Anagnostopoulos, G. Kambourakis, P. Kopanos, G. Louloudakis, and S. Gritzalis, “DNS amplification attack revisited,” Computers & Security, vol. 39, pp. 475–485, 2013.
  48. M. Janus, “Heads of the hydra: malware for network devices,” Tech. Rep., Securelist, 2011.
  49. “Hydra IRC bot, the 25 minute overview of the kit,” Insecurety Research, 2012, http://insecurety.net/?p=90.
  50. McAfee, “Linux/DDoS-Kaiten,” mcafee.com, 2002, https://www.mcafee.com/threat-intelligence/malware/default.aspx?id=99733.
  51. S. Khandelwal, “Warning - Linux Mint website hacked and ISOs replaced with backdoored operating system,” The Hacker News, 2016, http://thehackernews.com/2016/02/linux-mint-hack.html.
  52. “lightaidra 0x2012 (aidra),” Vierko.org, 2013, https://vierko.org/tech/lightaidra-0x2012/.
  53. Akamai, “Spike DDoS toolkit,” Tech. Rep. 1078, Akamai, Cambridge, Mass, USA, 2014.
  54. M. J. Bohio, “Analyzing a backdoor/bot for the MIPS platform,” Tech. Rep., SANS Institute, 2015.
  55. “MMD-0052-2016 - Overview of ‘SkidDDoS’ ELF++ IRC Botnet,” MalwareMustDie! Blog, 2016, http://blog.malwaremustdie.org/2016/02/mmd-0052-2016-skidddos-elf-distribution.html.
  56. “Linux/AES.DDoS: router malware warning—reversing an ARM arch ELF,” MalwareMustDie! Blog, 2014, http://blog.malwaremustdie.org/2014/09/reversing-arm-architecture-elf-elknot.html.
  57. Symantec Security Response, “ShellShock: all you need to know about the Bash Bug vulnerability,” Symantec Blog, 2014, https://www.symantec.com/connect/blogs/shellshock-all-you-need-know-about-bash-bug-vulnerability.
  58. “Linux/XOR.DDoS: fuzzy reversing a new China ELF,” MalwareMustDie! Blog, 2014, http://blog.malwaremustdie.org/2014/09/mmd-0028-2014-fuzzy-reversing-new-china.html.
  59. Akamai, “Case study: FastDNS infrastructure battles Xor botnet,” Tech. Rep., Akamai Technologies, Cambridge, Mass, USA, 2015.
  60. “Linux/luabot - IoT botnet as service,” MalwareMustDie! Blog, 2016, http://blog.malwaremustdie.org/2016/09/mmd-0057-2016-new-elf-botnet-linuxluabot.html.
  61. NSFOCUS DDoS Defense Research Lab and Threat Response Center (TRC), “2016 Q3 report on DDoS situation and trends,” Tech. Rep., NSFOCUS, Inc., 2016.
  62. M. Malik and M.-E. M. Léveillé, “Meet Remaiten—a Linux bot on steroids targeting routers and potentially other IoT devices,” Tech. Rep., WeLiveSecurity, 2016.
  63. “MMD-0059-2016 - Linux/IRCTelnet (new Aidra) - a DDoS botnet aims IoT w/ IPv6 ready,” MalwareMustDie! Blog, 2016, http://blog.malwaremustdie.org/2016/10/mmd-0059-2016-linuxirctelnet-new-ddos.html.
  64. K. Angrishi, “Turning Internet of Things (IoT) into Internet of Vulnerabilities (IoV): IoT botnets,” 2017, https://arxiv.org/abs/1702.03681.
  65. O. Klaba, “OVH suffers 1.1 Tbps DDoS attack,” Tech. Rep., SC Magazine, UK, 2016.
  66. R. Millman, “KrebsOnSecurity hit with record DDoS,” KrebsOnSecurity Blog, 2016, https://krebsonsecurity.com/2016/09/krebsonsecurity-hit-with-record-ddos/.
  67. S. Mansfield-Devine, “DDoS goes mainstream: how headline-grabbing attacks could make this threat an organisation's biggest nightmare,” Network Security, vol. 2016, no. 11, pp. 7–13, 2016.
  68. R. Millman, “Who is Anna-Senpai, the Mirai worm author?” KrebsOnSecurity Blog, 2017, https://krebsonsecurity.com/2017/01/who-is-anna-senpai-the-mirai-worm-author/.
  69. Anna-Senpai, Mirai Source Code on GitHub, 2016, https://github.com/jgamblin/Mirai-Source-Code.
  70. J. A. Jerkins, “Motivating a market or regulatory solution to IoT insecurity with the Mirai botnet code,” in Proceedings of the 7th IEEE Annual Computing and Communication Workshop and Conference (CCWC '17), Las Vegas, Nev, USA, January 2017.
  71. BadCyber, “New Mirai attack vector: bot exploits a recently discovered router vulnerability,” BadCyber, 2016, https://badcyber.com/new-mirai-attack-vector-bot-exploits-a-recently-discovered-router-vulnerability/.
  72. S. Khandelwal, “New Windows trojan spreads Mirai malware to hack more IoT devices,” The Hacker News, 2017, http://thehackernews.com/2017/02/mirai-iot-botnet-windows.html.
  73. A. Tellez, “Analyzing the Mirai botnet with Splunk,” Splunk Blog, 2016, https://www.splunk.com/blog/2016/10/07/analyzing-the-mirai-botnet-with-splunk/.
  74. S. Ben-Shimol, “Let's discuss facts: an insight into Mirai's source-code,” Radware Blog, 2016, https://blog.radware.com/security/2016/11/insight-into-mirais-source-code/.
  75. M. De Donno, N. Dragoni, A. Giaretta, and M. Mazzara, “AntibIoTic: protecting IoT devices against DDoS attacks,” in Proceedings of the 5th International Conference in Software Engineering for Defense Applications (SEDA16), P. Ciancarini, S. Litvinov, A. Messina, A. Sillitti, and G. Succi, Eds., Advances in Intelligent Systems and Computing, Springer, Berlin, Germany, 2017.