
DDoS Attack on DNS using infected IoT Devices


[Case Study] DDoS Attack on DNS using infected IoT Devices @ ACSAC 2015 (The 31st Annual Computer Security Applications Conference 2015), which is one of the most important cyber security conferences in the world and the oldest information security conference held annually

Published in: Engineering


  1. SANE (Security Analysis aNd Evaluation) Lab, CIST (Center for Information Security Technologies), Korea University. Ki-Taek LEE (1st author), Seungsoo BAEK, Seungjoo KIM (corresponding author). Case Study: DDoS Attack on DNS using infected IoT Devices. ACSAC 2015
  2. Acknowledgement. This research was supported by the MSIP (Ministry of Science, ICT and Future Planning), Korea, under the ITRC (Information Technology Research Center) support program (IITP-2015-R0992-15-1006) supervised by the IITP (Institute for Information & communications Technology Promotion).
  3. Internet down after cyberattack. 29 November 2014, 15,000,000 packets per second. Quoted from [1]: "SK Broadband, one of the largest providers of broadband Internet access in Korea, was attacked by the Distributed Denial-of-Service (DDoS) over the weekend, disconnecting its Internet services for about an hour. DDoS is a kind of cyberattack in which multiple compromised systems are used to target a single network or a machine and make it unavailable to users. On Saturday at 10:55 a.m., the traffic on SK Broadband's DNS server soared up to 15 million packets per second (PPS), from its usual average of about 1 million PPS. PPS refers to the number of database transactions performed per second. SK Broadband users near Seocho and Dongjak districts in southern Seoul were without Internet from 10:55 a.m. until 12:05 p.m. on Saturday." [1] Internet down after cyberattack (JOONGANG DAILY, Dec 2014)
  4. Internet down after cyberattack. [Chart: DNS request queries per minute on Nov 29th, 2014 against the average queries per minute; labelled values 169,640, 182,589 and 9,136,090.] The attack brought in more than 50 times the normal DNS query traffic.
  5. How to detect a DDoS attack (slides 5 and 6) • Our own Near-Real Time DNS Query Analyzing System for Detecting DDoS Attacks. [2] Study on the near-real time DNS query analyzing system for DNS amplification attacks, KIISC (2015)
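
As an added illustration of the kind of near-real-time DNS query analysis the slides describe (example code written for this page, not the authors' system), the script below buckets DNS query log lines per minute, compares each minute with the mean of the preceding minutes, flags minutes that exceed a multiple of that baseline, and lists the busiest source IPs so the operator can trace the sending devices, which is the next step the deck takes. The log format, the 50x default threshold and the sample lines are constructed assumptions, not the paper's data.

```python
from collections import Counter, defaultdict
from datetime import datetime


def make_sample_log():
    """Constructed DNS query log for this example (not the paper's data).

    One line per query: "<ISO timestamp> <source IP> <qtype> <qname>".
    Five quiet minutes with 4 queries each, then one minute in which
    four hosts send 400 queries, about 100x the quiet baseline.
    """
    lines = []
    for minute in range(50, 55):
        for i in range(4):
            lines.append(f"2014-11-29T10:{minute}:{i * 10:02d} "
                         f"198.51.100.{i + 1} A host{i}.example.com")
    for i in range(400):
        lines.append(f"2014-11-29T10:55:{i % 60:02d} "
                     f"203.0.113.{i % 4 + 1} A random{i}.example.net")
    return lines


def parse_line(line):
    """Split a log line into (minute bucket, source IP, qtype, qname)."""
    ts, src, qtype, qname = line.split(maxsplit=3)
    minute = datetime.strptime(ts, "%Y-%m-%dT%H:%M:%S").replace(second=0)
    return minute, src, qtype, qname


def queries_per_minute(lines):
    """Map each minute to a Counter of queries per source IP."""
    buckets = defaultdict(Counter)
    for line in lines:
        minute, src, _, _ = parse_line(line)
        buckets[minute][src] += 1
    return buckets


def detect_floods(lines, baseline_minutes=5, factor=50, top_n=3):
    """Flag minutes whose query volume exceeds `factor` times the mean of
    the preceding `baseline_minutes`, and report the busiest source IPs
    so the operator can trace which devices are sending the traffic."""
    buckets = queries_per_minute(lines)
    minutes = sorted(buckets)
    alerts = []
    for idx, minute in enumerate(minutes):
        window = minutes[max(0, idx - baseline_minutes):idx]
        if not window:
            continue  # nothing to compare against yet
        baseline = sum(sum(buckets[m].values()) for m in window) / len(window)
        total = sum(buckets[minute].values())
        if baseline > 0 and total > factor * baseline:
            alerts.append({
                "minute": minute.isoformat(),
                "queries": total,
                "ratio": round(total / baseline, 1),
                "top_sources": buckets[minute].most_common(top_n),
            })
    return alerts


if __name__ == "__main__":
    for alert in detect_floods(make_sample_log()):
        print(alert)
```

A sliding baseline like this is the simplest form of the detector; a production system would keep the baseline per resolver and per hour of day, so that a busy weekday morning is not compared with a quiet weekend night.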
  7. Zombie PCs? Zombie devices! • We analyzed the source IP addresses of the attack packets and found the cause of the attack. • The attack came from IoT devices such as home routers, network switches, network-connected CCTVs and the STBs (set-top boxes) of IPTV, not from the computers that are generally used for DDoS attacks.
  8. Benefits of IoT devices for DDoS. Why do attackers want to use IoT devices for DDoS attacks? [Figure, after ITU-T Y.2060: any TIME communication (on the move, night, daytime); any PLACE communication (outdoor, indoor (away from the computer), at the computer); any THING communication (between computers, human to human not using a computer, human to thing using generic equipment, thing to thing).] [3] The new dimension introduced in the Internet of things, Recommendation ITU-T Y.2060 (06/2012)
  9. Top 10 IoT Vulnerabilities (2014), the OWASP list of the top 10 Internet of Things vulnerabilities [4]: I1 Insecure Web Interface; I2 Insufficient Authentication/Authorization; I3 Insecure Network Services; I4 Lack of Transport Encryption; I5 Privacy Concerns; I6 Insecure Cloud Interface; I7 Insecure Mobile Interface; I8 Insufficient Security Configurability; I9 Insecure Software/Firmware; I10 Poor Physical Security. [4] OWASP Internet of Things Project
  10. Case 1. Home router • Tracing the source IP addresses of the DDoS traffic and identifying the devices
  11. Case 1. Home router • Connecting to the admin pages of the home router
  12. Case 1. Home router • Connecting over telnet for analysis • Some weird processes are running.
  13. Case 1. Home router • Download the firmware from the home router • Reverse engineer the firmware - busybox is used to download the malware - [first server address, not in the transcript] is used as C&C and distribution server - [second server address, not in the transcript] is used as distribution server
  14. Case 1. Home router • It spreads by finding new devices with a random scan of IP addresses. Usage string of the malware's flood command, as shown on the slide: TCP <target> <port (0 for random)> <time> <netmask (32 for non spoofed)> <flags (syn, ack, psh, rst, fin, all) comma seperated> (packet size, usually 0) (time poll interval, default 10)
  15. Case 1. Home router • Get the malware from the distribution server. Files listed (name, size): arm 98KB; arm.i64 1,105KB; i586 77KB; i586.i64 985KB; i686 79KB; mips 122KB; mipsel 125KB; ppc 92KB; sparc 105KB; superh 60KB
  16. Case 2. Network Switch • Similar to "Case 1", but something is different
  17. Case 2. Network Switch
  18. Case 2. Network Switch • Malicious commands
  19. Case 2. Network Switch • Source code [5] Lightaidra
  20. Case 2. Network Switch. Comparison of the two malware groups found on the switch. File list: basic group arm, mips, mipsel, ppc, s, sh; Aidra group mips_aidra, superh_aidra, arm_aidra, mipsel_aidra. C&C or distribution server: basic group a server IP (not in the transcript); Aidra group IRC connect. Command list: basic group access commands (login/logout), misc commands (run/check), scan commands (scan), DDoS commands; Aidra group .spoof <IP> (IP spoofing attack), .synflood, .nssynflood, .ackflood, .nsackflood. Attack command: basic group .synflood; Aidra group .*flood->[m,a,p,s,x], for example .nssynflood->s <host> <port> <secs>, where * is syn, nssyn, ack or nsack and a=arm, p=ppc, s=superh, x=x86
  21. Case 2. Network Switch. [Flow diagram] Basic group: configure; spoof (IP spoofing); advscan (after scanning a class B range, check id/password or access telnet to infect the device); attack running. Aidra group: version check; run attack script (includes updating the malware); files under /var/run/: mips_aidra, superh_aidra, arm_aidra, ppc_aidra (</var/run/> <OOO_aidra>)
  22. Case 3. CCTV • Trace the source IP addresses of the DDoS attack and find the management page of the CCTV
  23. Case 3. CCTV • Malware on the CCTV - the password is changed - the device is updated with infected firmware (to get root permission) • Access form: rtsp://<CCTV IP>/trackID=1&basic_auth=base64([id:pw]) • Default id / password pairs seen: root / (empty); root / root; root / admin; admin / admin; admin / 1234; admin / 12345; admin / smcadmin; admin / (empty)
  24. Case 3. CCTV • Scanning 120,000,000 IP addresses over the Internet with the tool found 23,507 CCTV IPs • 9,063 of them are vulnerable • Default ids and passwords are commonly used
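
Added example for this page (not the authors' tool): an audit of an operator's own camera inventory that decodes the basic_auth=base64(id:pw) parameter from the RTSP URL form shown on the CCTV slide and reports which devices still use one of the default pairs listed there. It makes two defensive points the slides leave implicit: base64 in a URL is an encoding, not encryption, so the credential is readable by anyone who sees the URL (OWASP I4, lack of transport encryption), and default credentials are just as easy for the owner to find as for an attacker (I2). The helper names, the inventory and its 192.0.2.x addresses are constructed for the example.

```python
import base64
from urllib.parse import parse_qs, quote, urlsplit

# Default (id, password) pairs listed on the CCTV slide above.
DEFAULT_CREDENTIALS = {
    ("root", ""), ("root", "root"), ("root", "admin"),
    ("admin", "admin"), ("admin", "1234"), ("admin", "12345"),
    ("admin", "smcadmin"), ("admin", ""),
}


def decode_basic_auth(url):
    """Recover (id, password) from the basic_auth=base64(id:pw) parameter
    of an RTSP URL in the form shown on the slide. Returns None when the
    parameter is missing or is not valid base64 'id:pw' text."""
    parts = urlsplit(url)
    # The slide's form puts the parameters in the path ("/trackID=1&..."),
    # so fall back to the path when there is no '?' query string.
    query = parts.query or parts.path.lstrip("/")
    values = parse_qs(query, keep_blank_values=True).get("basic_auth")
    if not values:
        return None
    try:
        raw = base64.b64decode(values[0], validate=True).decode("utf-8")
    except (ValueError, UnicodeDecodeError):
        return None
    user, sep, password = raw.partition(":")
    return (user, password) if sep else None


def credential_status(user, password):
    """Classify a credential pair for the audit report."""
    if (user, password) in DEFAULT_CREDENTIALS:
        return "default"
    if len(password) < 8:
        return "weak"
    return "custom"


def audit_inventory(urls):
    """Audit the operator's own camera inventory: for each RTSP URL, decode
    the embedded credential and report whether it is still a default."""
    report = []
    for url in urls:
        host = urlsplit(url).hostname
        cred = decode_basic_auth(url)
        if cred is None:
            report.append({"host": host, "user": None, "status": "unreadable"})
            continue
        user, password = cred
        report.append({"host": host, "user": user,
                       "status": credential_status(user, password)})
    return report


def sample_url(host, user, password):
    """Build a URL in the slide's format for the constructed inventory
    (base64 may contain '+', '/' and '=', so the token is percent-encoded)."""
    token = base64.b64encode(f"{user}:{password}".encode()).decode()
    return f"rtsp://{host}/trackID=1&basic_auth={quote(token, safe='')}"


# Constructed inventory using documentation addresses, not real devices.
SAMPLE_INVENTORY = [
    sample_url("192.0.2.10", "admin", "admin"),
    sample_url("192.0.2.11", "root", ""),
    sample_url("192.0.2.12", "operator", "Long-random-passphrase-2015"),
    "rtsp://192.0.2.13/trackID=1&basic_auth=not-base64!",
]

if __name__ == "__main__":
    for row in audit_inventory(SAMPLE_INVENTORY):
        print(row)
```

Run against a real inventory, every "default" row is a device that the scan described on slide 24 would count among the 9,063 vulnerable cameras, and the fix is a per-device password plus a transport that does not carry it in the clear.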
  25. Amount of infected devices • Approximately 2,000,000,000 IP addresses. Infected devices by type: home router 1,151,940 (96.03%); network switch 19,754 (1.65%); CCTV 23,507 (1.95%); STB 2 (0.00%); others 4,349 (0.36%)
  26. Infection flow of IoT. External infection flow (attacker or an already infected IoT device against the victim IoT device): ① IP range scan; ② access the victim's IP through telnet or the web interface; ③ attack with default (ID, password) pairs or remote command execution; ④ upload malicious code. Internal infection flow (on the victim): ① delete temp files and directories; ② kill the main services (telnet, main daemon and others); ③ download and overwrite busybox with an infected copy from the C&C server; ④ delete the file downloaded at ③; ⑤ overwrite the main daemon with the infected busybox; ⑥ delete the infected busybox from ⑤; ⑦ execute the main daemon; ⑧ block and kill telnet and ssh using iptables to protect itself
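
Two of the internal steps above leave traces a defender can check on the device itself: the overwritten busybox and main daemon (steps ③ to ⑦) show up as a hash mismatch against a known-good manifest taken right after a trusted firmware install, and the self-protection rules (step ⑧) show up as DROP rules for ports 22 and 23 on the INPUT chain. The added example below (written for this page, not the paper's code) demonstrates both checks; the file names, the hypothetical "maind" daemon name, the temporary directory standing in for the device root and the iptables-save style text are constructed assumptions.

```python
import hashlib
import os
import re
import tempfile

# Binaries the slide's internal flow overwrites. On a real device these are
# absolute paths under /; the demo writes copies into a temporary directory.
# "maind" is a hypothetical name for the device's main daemon.
CRITICAL_FILES = ["bin/busybox", "sbin/maind"]


def sha256_file(path):
    """Stream a file through SHA-256 (devices have little RAM)."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def build_manifest(root, relative_paths):
    """Record known-good hashes right after a trusted firmware install."""
    return {rel: sha256_file(os.path.join(root, rel)) for rel in relative_paths}


def check_manifest(root, manifest):
    """Compare the current binaries with the manifest. Returns {path: status}."""
    result = {}
    for rel, expected in manifest.items():
        path = os.path.join(root, rel)
        if not os.path.exists(path):
            result[rel] = "missing"
        elif sha256_file(path) != expected:
            result[rel] = "modified"
        else:
            result[rel] = "ok"
    return result


# Matches INPUT rules that drop or reject a destination port.
DROP_RULE = re.compile(r"-A INPUT .*--dport (\d+) .*-j (DROP|REJECT)")


def admin_ports_blocked(iptables_save_text, ports=(22, 23)):
    """Step ⑧ indicator: a device that suddenly drops inbound telnet/ssh on
    INPUT has locked its owner out. Returns the sorted list of blocked ports."""
    blocked = set()
    for line in iptables_save_text.splitlines():
        m = DROP_RULE.search(line)
        if m and int(m.group(1)) in ports:
            blocked.add(int(m.group(1)))
    return sorted(blocked)


# Constructed iptables-save style output, not captured from a real device.
SAMPLE_RULES = """\
-P INPUT ACCEPT
-A INPUT -p tcp -m tcp --dport 80 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 23 -j DROP
-A INPUT -p tcp -m tcp --dport 22 -j DROP
"""


def demo():
    """Simulate the flow: baseline a clean tree, tamper with it, re-check."""
    with tempfile.TemporaryDirectory() as root:
        for rel, content in ((CRITICAL_FILES[0], b"clean busybox"),
                             (CRITICAL_FILES[1], b"clean daemon")):
            os.makedirs(os.path.dirname(os.path.join(root, rel)), exist_ok=True)
            with open(os.path.join(root, rel), "wb") as f:
                f.write(content)
        manifest = build_manifest(root, CRITICAL_FILES)
        before = check_manifest(root, manifest)
        # Steps ③ and ⑤ of the slide: busybox replaced, main daemon overwritten
        # (simulated here as removed so both failure modes are exercised).
        with open(os.path.join(root, CRITICAL_FILES[0]), "wb") as f:
            f.write(b"trojaned busybox")
        os.remove(os.path.join(root, CRITICAL_FILES[1]))
        after = check_manifest(root, manifest)
        return before, after, admin_ports_blocked(SAMPLE_RULES)


if __name__ == "__main__":
    print(demo())
```

The manifest only helps if it is stored off the device or in read-only storage; a manifest the malware can overwrite in step ③ proves nothing, which is why a per-device signed manifest from the vendor, or a periodic pull of the hashes by a management server, is the practical deployment.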
  27. Conclusion • The Internet of Things (IoT) is beginning to grow significantly. • IoT devices have many vulnerabilities. • All devices can be zombie devices. • We need more active defenses.
  28. Future works • Automatic vulnerability scanner for IoT
  31. E-Mail: [not in the transcript]. Thanks for your attention. Questions?