DDoS Attack on DNS using infected IoT Devices

1. SANE(Security Analysis aNd Evaluation) Lab. Ki-Taek LEE*, Seungsoo BAEK, Seungjoo KIM** zizihacker@korea.ac.kr, baek.seungsoo@gmail.com, skim71@korea.ac.kr CIST (Center for Information Security Technologies), Korea University *1st Author, **Corresponding Author Case Study : DDoS Attack on DNS using infected IoT Devices ACSAC 2015

2. 2 Acknowledgement This research was supported by the MSIP(Ministry of Science, ICT and Future Planning), Korea, under the ITRC(Information Technology Research Center) support program (IITP-2015-R0992-15-1006) supervised by the IITP(Institute for Information & communications Technology Promotion)

3. 3 Internet down after cyberattack 29 November, 2014 15,000,000 packets per second SK Broadband, one of the largest providers of broadband Internet access in Korea, was attacked by the Distributed Denial-of-Service (DDoS) over the weekend, disconnecting its Internet services for about an hour. DDoS is a kind of cyberattack in which multiple compromised systems are used to target a single network or a machine and make it unavailable to users. On Saturday at 10:55 a.m., the traffic on SK Broadband’s DNS server soared up to 15 million packets per second (PPS), from its usual average of about 1 million PPS. PPS refers to the number of database transactions performed per second. SK Broadband users near Seocho and Dongjak distrcts in southern Seoul were without Internet from 10:55 a.m. until 12:05 p.m. on Saturday. [1] Internet down after cyberattack (JOONGANG DAILY, Dec 2014)

4. 4 Internet down after cyberattack 169,640 182,589 9,136,090 # DNS Request Queries /1 Minute more 50 times traffic incoming for DDoS attack Time DNS Request queries Nov 29th, 2014 Avg. queries

5. 5 How to detect DDoS attack • Our own <Near-Real Time DNS Query Analyzing System for Detecting DDoS Attacks>

6. 6 How to detect DDoS attack • Our own <Near-Real Time DNS Query Analyzing System for Detecting DDoS Attacks> [2] Study on the near-real time DNS query analyzing system for DNS amplification attacks, KIISC (2015)

7. 7 Zombie PCs? Zombie Devices! • We analyzed the IP addresses of packets and found out the cause of attack. • The attack came from IoT devices such as home routers, network switches, network-connected CCTVs and STBs(SetTop Box) of IPTV, not computers which are generally used for DDoS attack.

8. 8 Benefits of IoT device for DDoS Why do attacker want to use IoT device for DDoS attack? Any TIME communication Any THING communication Any PLACE communication • on the move • night • daytime • outdoor • indoor (away from the computer) • at the computer • between computers • human to human, not using a computer • human to thing, using generic equipment • thing to thing [3] The new dimension introduced in the Internet of things - Recommendation ITU-T Y.2060 (06/2012)

9. 9 Top 10 IoT Vulnerabilities (2014) A list of the top 10 internet of things vulnerabilities [4] OWASP Internet of Things Project (https://www.owasp.org/index.php/OWASP_Internet_of_Things_Project) Rank Title I1 Insecure Web Interface I2 Insufficient Authentication/Authorization I3 Insecure Network Services I4 Lack of Transport Encryption I5 Privacy Concerns I6 Insecure Cloud Interface I7 Insecure Mobile Interface I8 Insufficient Security Configurability I9 Insecure Software/Firmware I10 Poor Physical Security

10. 10 Case 1. Home router • Tracing source IP addresses of DDoS and identifying the devices

11. 11 Case 1. Home router • Connecting to admin pages of home router

12. 12 Case 1. Home router • Connecting to telnet for analysis • Some weird processes are running.

13. 13 Case 1. Home router • Download firmware from the home router • Reverse engineer the firmware - Use busybox to download malware - 192.3.205.154 is used as C&C and distribution server - 217.71.50.13 is used as distribution server

14. 14 Case 1. Home router • It would spread by finding new devices using a random scan of IP address. TCP <target> <port (0 for random)> <time> <netmask (32 for non spoofed)> <flags (syn, ack, psh, rst, fin, all) comma seperated> (packet size, usually 0) (time poll interval, default 10)

15. 15 Case 1. Home router • Get malwares from the distribution server and bin.sh Name Size arm 98KB arm.i64 1,105KB i586 77KB i586.i64 985KB i686 79KB mips 122KB mipsel 125KB ppc 92KB sparc 105KB superh 60KB

16. 16 Case 2. Network Switch • Similar to “Case 1”, but something is different

17. 17 Case 2. Network Switch

18. 18 Case 2. Network Switch • Malicious commands

19. 19 Case 2. Network Switch • Source code [5] Lightaidra, https://github.com/eurialo/lightaidra

20. 20 Case 2. Network Switch Basic group Aidra group File list arm, mips, mipsel, ppc,s,sh mips_aidra, superh_aidra, arm_aidra, mipsel _aidra C&C or distribution Server IP automation.whatismyip.com (72.233.89.199) IRC connect 76.73.104.50:6667 76.73.103.60:6667 76.73.104.243:6667 205.188.14.92:6667 Command list Access Commands (login/logout) Miscs Commands (run/check) Scan Commands (scan) DDoS Commands .spoof <IP> : ip spoofing attack .synflood , .nssynflood .ackflood, .nsackflood Attack Command .synflood .*flood->[m,a,p,s,x] <example> .nssynflood->s <host> <port> <secs> * : syn, nssyn, ack, nsack a=arm / p=ppc / s=superh / x=x86

21. 21 Case 2. Network Switch Basic group Aidra group configure spoof (ip spoofing) advscan (after scan on B Class, check id/pass or access telnet to infect to device ) Attack running Version check Run attack script include update malware) /var/run/getbinaries.sh mips_aidra superh_aidra arm_aidra ppc_aidra </var/run/getbinaries.sh > 76.73.104.50 46.40.191.171 <OOO_aidra> 217.23.10.250

22. 22 Case 3. CCTV • Trace source IP address of DDoS attack and find out a management page of CCTV

23. 23 Case 3. CCTV • Malwares on CCTV - password is changed - update with infected firmware (get root permission) • rtsp://<CCTV IP>/trackID=1&basic_auth=base64([id:pw]) - root / (empty) - root / root - root / admin - admin / admin - admin / 1234 - admin / 12345 - admin / smcadmin - admin / (empty)

24. 24 Case 3. CCTV • Scanning 120,000,000 IP over the internet with the tool and found 23,507 CCTV IP • Vulnerable CCTVs are 9,063 among them • Default id, password are commonly used

25. 25 A mount of infected device • Approximately 2,000,000,000 of IP Home router, 1,151,940 Network Switch, 19,754 CCTV, 23,507 STB, 2 others, 4,349 (0.36%) (96.03%) (1.65%) (1.95%) (0.00%)

26. 26 Infection flow of IoT Attacker or infected IoT device IoT device (Victim) ① IP range scan ② access to victim’s IP through telnet or web ③ attack with default (ID, password) or remote command execution ④ upload malicious code ① delete temp files and directories ② kill main services(telnet, main daemon and…) ③ download & overwrite infected busybox from C&C server ④ delete the downloaded file at ③ ⑤ overwrite infected busybox to main daemon ⑥ delete the infected busybox at ⑤ ⑦ execute main deamon ⑧ block and kill telnet, ssh using iptables for protecting itself External infection flow Internal infection flow

27. 27 Conclusion • The Internet of Things(IoT) is beginning to grow significantly. • IoT devices have many vulnerabilities. • All devices can be zombie devices. • We need more active defenses.

28. 28 Future works • Automatic vulnerabilities scanner for IoT

31. 31 E-Mail : zizihacker@korea.ac.kr, zizihacker@gmail.com Thanks for your attention. Questions ?

DDoS Attack on DNS using infected IoT Devices

You are reading a preview.

Check these out next

DDoS Attack on DNS using infected IoT Devices

More Related Content

Slideshows for you (20)

Viewers also liked (20)

Similar to DDoS Attack on DNS using infected IoT Devices (20)

More from Seungjoo Kim (20)

Recently uploaded (20)