measurement and analysis of hajime a peer to peer iot
play

Measurement and Analysis of Hajime: a Peer-to-peer IoT Botnet - PowerPoint PPT Presentation

Jan 20, 2023 •49 likes •569 views

Measurement and Analysis of Hajime: a Peer-to-peer IoT Botnet Stephen Herwig Katura Harvey George Hughey Richard Roberts Dave Levin University of Maryland The Max Planck Institute + for Software Systems Rise of IoT Botnets

  1. Measurement and Analysis of Hajime: 
 a Peer-to-peer IoT Botnet Stephen Herwig Katura Harvey George Hughey Richard Roberts Dave Levin University of Maryland The Max Planck Institute + for Software Systems

  2. Rise of IoT Botnets Resilient C&C Hajime Targets many CPU arches Scanning behavior arch-specific Continuously deploys new exploits

  3. Talk Overview Describe Hajime P2P network Our measurement infrastructure Heterogeneous botnet composition Analyze Impact of three exploit deployments Discuss Challenges of new, resilient botnets

  4. BitTorrent’s P2P Network Uses a DHT to track who is downloading what

  5. BitTorrent’s P2P Network Uses a DHT to track who is downloading what announce hash (F) Hosting 
 file named F

  6. BitTorrent’s P2P Network Uses a DHT to track who is downloading what announce hash (F) Hosting 
 file named F Hosting hash (F)

  7. BitTorrent’s P2P Network Uses a DHT to track who is downloading what announce hash (F) Hosting 
 file named F Hosting hash (F) lookup hash (F) Wants to 
 download F Provides random subsets of current uploaders

  8. BitTorrent’s P2P Network Uses a DHT to track who is downloading what announce hash (F) Hosting 
 file named F Hosting hash (F) lookup hash (F) Wants to 
 download F Provides random subsets of current uploaders

  9. Hajime’s P2P Network ① Uses BitTorrent’s DHT to find other bots announce hash (F) Hosting Hosting hash (F) lookup hash (F) Downloading Random 
 subset

  10. Hajime’s P2P Network ① Uses BitTorrent’s DHT to find other bots announce hash (F) Date Every day, 
 bots are announcing Once per day File type their actions .i – “infect” .atk – “attack” Architecture MIPS little endian and their devices’ 
 MIPS big endian architectures ARM v5 ARM v6 ARM v7 Hajime’s design is primed for measurement!

  11. Hajime’s P2P Network ② Fetch files directly from one another announce hash (F) Hosting Hosting hash (F) lookup hash (F) Downloading

  12. Hajime’s P2P Network ② Fetch files directly from one another Hosting Key exchange Request File Downloading Keys provide long-lived identifiers

  13. Hajime’s P2P Network ① Uses BitTorrent’s DHT to find other bots Difficult to take down Hajime 
 (without also taking down BitTorrent) ② Fetch files directly from one another Difficult to centrally monitor Hajime is a resilient next step in IoT botnets

  14. Measuring Hajime’s P2P network ① Exhaustively list all peers lookup hash (F) Hosting hash (F) Random 
 subset

  15. Measuring Hajime’s P2P network ① Exhaustively list all peers lookup hash (F) Hosting hash (F)

  16. Measuring Hajime’s P2P network ① Exhaustively list all peers lookup hash (F) Hosting hash (F)

  17. Measuring Hajime’s P2P network ① Exhaustively list all peers i/mipseb/today atk/arm5/yesterday atk/arm7/today i/mipsel/tomorrow Every 16 minutes for 4 months 
 5,404,045 total IP addresses found

  18. Measuring Hajime’s P2P network ② Obtain each Hajime bot’s public key Key exchange 10,536,174 total keys found

  19. Measuring Hajime’s P2P network ② Obtain each Hajime bot’s public key NATs undercount bots based on IPs 120K 100K 80K Keys Iran 60K Mexico China India 40K South Korea United States Turkey 20K Russia Indonesia 0 0 20K 40K 60K 80K 100K Key exchange IPs 10,536,174 total keys found

  20. Measuring Hajime’s P2P network ② Obtain each Hajime bot’s public key IP reassignment overcounts bots based on IPs 900K 800K 700K 600K Iran 500K Keys Mexico China 400K India South Korea 300K United States Turkey 200K Russia Indonesia 100K Brazil 0 0 100K 200K 300K 400K 500K 600K 700K 800K 900K Key exchange IPs 10,536,174 total keys found

  21. Datasets Jan 25, 2018 – Jun 1, 2018 Key scans Reverse eng DHT scans 10,536,174 
 47 modules 
 5,404,045 
 unique keys 34 .atk, 13 .i unique IP addresses All available at iot.cs.umd.edu

  22. Analysis Questions Characteristics How large is the botnet? Where are bots located? What devices makeup the botnet? Dynamics How do exploits change the botnet? How quickly does Hajime update itself? How does Hajime deploy new exploits?

  23. How big is Hajime? 100K atk.mipseb update 90K .i.mipseb update 80K Number of distinct bots 70K 60K 50K 40K 30K 20K 10K 0K 01-26 02-09 02-23 03-09 03-23 04-06 04-20 05-04 05-18 06-01 Time (20-minute bins)

  24. How big is Hajime? 100K atk.mipseb update 90K .i.mipseb update 80K Number of distinct bots 70K 60K 50K 40K 30K 20K 10K 0K 01-26 02-09 02-23 03-09 03-23 04-06 04-20 05-04 05-18 06-01 Time (20-minute bins) Peaks of 95K after Chimay-Red and GPON exploits Steady-state of ~40K bots

  25. Where are bots located? Others Mexico S. Korea Russia Brazil China US Indonesia Iran India Turkey 100K 90K atk.mipseb update Number of distinct bots .i.mipseb update 80K 70K 60K 50K 40K 30K 20K 10K 0K 01-26 02-09 02-23 03-09 03-23 04-06 04-20 05-04 05-18 06-01 Time (20-minute bins)

  26. Where are bots located? Others Mexico S. Korea Russia Brazil China US Indonesia Iran India Turkey 100K 90K atk.mipseb update Number of distinct bots .i.mipseb update 80K 70K 60K 50K 40K 30K 20K 10K 0K 01-26 02-09 02-23 03-09 03-23 04-06 04-20 05-04 05-18 06-01 Time (20-minute bins)

  27. Where are bots located? Others Mexico S. Korea Russia Brazil China US Indonesia Iran India Turkey 100K 90K atk.mipseb update Number of distinct bots .i.mipseb update 80K 70K 60K 50K 40K 30K 20K 10K 0K 01-26 02-09 02-23 03-09 03-23 04-06 04-20 05-04 05-18 06-01 Time (20-minute bins) Russia expanded 
 Chimay-Red 500 → 6,000 hourly The geographic makeup of IoT botnets can change rapidly

  28. Where are bots located? Others Mexico S. Korea Russia Brazil China US Indonesia Iran India Turkey 100K 90K atk.mipseb update Number of distinct bots .i.mipseb update 80K 70K 60K 50K 40K 30K 20K 10K 0K 01-26 02-09 02-23 03-09 03-23 04-06 04-20 05-04 05-18 06-01 Time (20-minute bins) Russia expanded 
 Mostly affected 
 Chimay-Red GPON Mexico 500 → 6,000 hourly The geographic makeup of IoT botnets can change rapidly

  29. What CPU architectures are most infected? 100K atk.mipseb update 90K .i.mipseb update mipseb 80K Number of distinct bots mipsel arm7 70K arm6 arm5 60K 50K 40K 30K 20K 10K 0K 01-26 02-09 02-23 03-09 03-23 04-06 04-20 05-04 05-18 06-01 Time (20-minute bins)

  30. What CPU architectures are most infected? 100K atk.mipseb update 90K .i.mipseb update mipseb 80K Number of distinct bots mipsel arm7 70K arm6 arm5 60K 50K 40K 30K 20K 10K 0K 01-26 02-09 02-23 03-09 03-23 04-06 04-20 05-04 05-18 06-01 Time (20-minute bins) Devices overwhelmingly run MIPS 74.2% of bot devices are MIPS big-endian (mipseb)

  31. How does CPU architecture vary by country? 5M 5M 4M 4M unknown Number of distinct bots mipseb 600K mipsel arm7 arm6 500K arm5 400K 300K 200K 100K 0K Brazil China Iran India Korea US Turkey Russia Mexico

  32. How does CPU architecture vary by country? After the introduction of the GPON vulnerability 5M 5M 4M 4M unknown Number of distinct bots mipseb 600K mipsel arm7 arm6 500K arm5 400K 300K 200K 100K 0K Brazil China Iran India Korea US Turkey Russia Mexico IoT botnets are highly heterogeneous across the world

  33. How does CPU architecture vary by country? After the introduction of the GPON vulnerability 5M 5M 4M 4M unknown Number of distinct bots mipseb 600K mipsel arm7 arm6 500K arm5 400K 300K 200K 100K 0K Brazil China Iran India Korea US Turkey Russia Mexico New vulnerabilities can lead to drastic changes in geography

  34. How does CPU architecture vary by country? After the introduction of the GPON vulnerability 5M 5M 4M 4M unknown Number of distinct bots mipseb 600K mipsel arm7 arm6 500K arm5 400K 300K 200K 100K 0K Mexico New vulnerabilities can lead to drastic changes in geography

  35. How does CPU architecture vary by country? Mexico changed from primarily ARM to primarily MIPS 5M 5M 4M 4M unknown mipseb Number of distinct bots mipsel 600K arm7 arm6 500K arm5 400K 300K 200K 100K 0K Mexico Mexico after before GPON GPON New vulnerabilities can lead to drastic changes in geography

  36. How does CPU architecture vary by country? Mexico changed from primarily ARM to primarily MIPS 5M 5M 4M 4M unknown mipseb Number of distinct bots mipsel 600K arm7 arm6 500K arm5 400K 300K 200K 100K 0K Mexico Mexico after before GPON GPON New vulnerabilities can lead to drastic changes in geography and composition

  37. What devices are infected? DHT scans Censys

  38. What devices are infected? DHT scans Censys No device information on over 80% of bot IP addresses Of those identifiable: 0.8% MikroTik day before Chimay-Red 80.3% day after

  39. How quickly does Hajime disseminate module updates? % of mipseb bots hosting or looking up each file version 100 80 % of bots per atk version 60 40 20 0 100 80 % of bots per .i version 60 40 20 0 03-15 03-29 04-12 04-26 05-10 05-24 Time (20-minute bins)

Recommend

Peer-to-Peer Networks 09 Random Graphs for Peer-to-Peer-Networks Christian Ortolf Technical

Peer-to-Peer Networks 09 Random Graphs for Peer-to-Peer-Networks Christian Ortolf Technical

Peer-to-Peer Networks 09 Random Graphs for Peer-to-Peer-Networks Christian Ortolf Technical Faculty Computer-Networks and Telematics University of Freiburg Peer-to-Peer Networking Facts Hostile environment - Legal situation - Egoistic

882 views • 57 slides
Comparing Hybrid Peer-to-Peer Hybrid peer-to-peer systems Systems Beverly Yang and Hector

Comparing Hybrid Peer-to-Peer Hybrid peer-to-peer systems Systems Beverly Yang and Hector

Comparing Hybrid Peer-to-Peer Hybrid peer-to-peer systems Systems Beverly Yang and Hector Garcia-Molina Pure peer-to-peer systems are hard to scale Gnutella Look at hybrids between p2p and server-client Presented by Marco Barreno Servers

282 views • 6 slides
THE PEER-TO-PEER NETWORK JOHN NEWBERY @jfnewbery github.com/jnewbery THE PEER-TO-PEER NETWORK

THE PEER-TO-PEER NETWORK JOHN NEWBERY @jfnewbery github.com/jnewbery THE PEER-TO-PEER NETWORK

THE PEER-TO-PEER NETWORK JOHN NEWBERY @jfnewbery github.com/jnewbery THE PEER-TO-PEER NETWORK Introduction Types of nodes Message format Control messages Transaction propagation Block propagation THE PEER TO PEER

767 views • 38 slides
Serverless networking (peer-to-peer computing) Peer-to-peer models Client-server computing

Serverless networking (peer-to-peer computing) Peer-to-peer models Client-server computing

5/7/08 Serverless networking (peer-to-peer computing) Peer-to-peer models Client-server computing servers provide special services to clients clients request service from a server Pure peer-peer computing all systems have equivalent

586 views • 20 slides
Analysis of Peer to Peer Communication in Networks 2/15/10 Prestige Lecture Purdue University 1

Analysis of Peer to Peer Communication in Networks 2/15/10 Prestige Lecture Purdue University 1

Analysis of Peer to Peer Communication in Networks 2/15/10 Prestige Lecture Purdue University 1 Outline of presentation Overview Fluid analysis (after Massoulie and Vojnovic) Direct stochastic analysis (work with Ji Zhu)

484 views • 32 slides
Peer-to-Peer Networking and Discovery Technologies Week 6 Whats Peer-to-Peer? A different

Peer-to-Peer Networking and Discovery Technologies Week 6 Whats Peer-to-Peer? A different

Peer-to-Peer Networking and Discovery Technologies Week 6 Whats Peer-to-Peer? A different network architecture than client/server Each peer is both a client and a server Appropriate for applications that dont require a

353 views • 11 slides
NSYNC Network Synchronization for Low-latency Peer-to-Peer Streaming Overlay Construction

NSYNC Network Synchronization for Low-latency Peer-to-Peer Streaming Overlay Construction

NSYNC Network Synchronization for Low-latency Peer-to-Peer Streaming Overlay Construction Shudong Jin Case Western Reserve University NEONet Workshop, March 1, 2006 Peer-to-Peer Streaming Peer-to-peer systems versus client/server systems

292 views • 15 slides
THE POLITICS OF BLOCKCHAIN From Primus Inter Pares to Peer-to-Peer HOW BLOCKCHAIN WORKS In

THE POLITICS OF BLOCKCHAIN From Primus Inter Pares to Peer-to-Peer HOW BLOCKCHAIN WORKS In

THE POLITICS OF BLOCKCHAIN From Primus Inter Pares to Peer-to-Peer HOW BLOCKCHAIN WORKS In peer-to-peer networks, all the operations Peer-to-peer networks Proof-of-work equally rely on each node in the system. Digital signature Registry

328 views • 18 slides
Economics of Peer-to-Peer Markets Jonathan Levin Stanford

Economics of Peer-to-Peer Markets Jonathan Levin Stanford

Economics of Peer-to-Peer Markets Jonathan Levin Stanford University Lear Conference July 25, 2015 1 Internet Marketplaces 2 On-Demand Services 3 Introduction Peer-to-peer

1.02k views • 25 slides
Application and analysis of random walks in peer-to-peer and ad hoc networks G. Halinger,

Application and analysis of random walks in peer-to-peer and ad hoc networks G. Halinger,

7. Wrzburger Workshop Univ. Wrzburg, 24.07.07 Application and analysis of random walks in peer-to-peer and ad hoc networks G. Halinger, T-Systems & S. Kempken, Univ. Duisburg-Essen E-Mail: gerhard.hasslinger@telekom.de &

443 views • 15 slides
Peer-to-Peer Computing Peer-to-Peer (P2P) employ distributed resources to perform function in a

Peer-to-Peer Computing Peer-to-Peer (P2P) employ distributed resources to perform function in a

Introduction Peer-to-Peer Computing Peer-to-Peer (P2P) employ distributed resources to perform function in a decentralized manner Resource can be: computing, storage, bandwidth Function can be: computing, data sharing, D.

625 views • 6 slides
5th Grade Peer Ambassadors Parkway Elementary What is a Peer Ambassador? A Peer Ambassador is a

5th Grade Peer Ambassadors Parkway Elementary What is a Peer Ambassador? A Peer Ambassador is a

5th Grade Peer Ambassadors Parkway Elementary What is a Peer Ambassador? A Peer Ambassador is a good role model! She or he proudly represents the 6 pillars of character: Trustworthiness, Respect, Responsibility, Fairness, Caring, Citizenship A

258 views • 7 slides
Analysis of peer-to-peer systems: workload characterization and ef- fects on traffic cacheability

Analysis of peer-to-peer systems: workload characterization and ef- fects on traffic cacheability

Analysis of peer-to-peer systems: workload characterization and ef- fects on traffic cacheability Mauro Andreolini University of Rome Tor Vergata Riccardo Lancellotti University of Modena and Reggio Emilia Philip S. Yu IBM T.J. Watson

358 views • 20 slides
AN ANALYSIS OF THE SKYPE PEER-TO-PEER INTERNET TELEPHONY PROTOCOL By Salman A. Baset and Henning

AN ANALYSIS OF THE SKYPE PEER-TO-PEER INTERNET TELEPHONY PROTOCOL By Salman A. Baset and Henning

AN ANALYSIS OF THE SKYPE PEER-TO-PEER INTERNET TELEPHONY PROTOCOL By Salman A. Baset and Henning Schulzrinne, Columbia University Presentation by Andrew Keating for CS577 Fall 2009 1 Outline 2 Skype Overview/Network and NAT Refresher

631 views • 48 slides
P2P: Distributed Hash Tables Chord + Routing Geometries Nirvan Tyagi CS 6410 Fall16

P2P: Distributed Hash Tables Chord + Routing Geometries Nirvan Tyagi CS 6410 Fall16

P2P: Distributed Hash Tables Chord + Routing Geometries Nirvan Tyagi CS 6410 Fall16 Peer-to-peer (P2P) Peer-to-peer (P2P) Decentralized! Hard to coordinate with peers joining and leaving Peer-to-peer (P2P) Napster (1999) Peer-to-peer

869 views • 68 slides
An Analysis of the Skype Peer-to-Peer Internet Telephony Protocol Ai-Chun Pang Graduate

An Analysis of the Skype Peer-to-Peer Internet Telephony Protocol Ai-Chun Pang Graduate

An Analysis of the Skype Peer-to-Peer Internet Telephony Protocol Ai-Chun Pang Graduate Institute of Networking and Multim edia Dept. of Com p. Sci. and Info. Engr. National Taiwan University Whats Overlay Network Whats P2P ? &

879 views • 33 slides
Lets Put a Peer Worker on Campus! Keely Phillips, Self Help & Peer Support OPDI

Lets Put a Peer Worker on Campus! Keely Phillips, Self Help & Peer Support OPDI

Lets Put a Peer Worker on Campus! Keely Phillips, Self Help & Peer Support OPDI Conference, October 2018 About Self Help & Peer Support Peer Navigator Services at Conestoga College A full-time Peer Navigator will provide:

579 views • 16 slides
Simulation and Performance Analysis of Peer-to-Peer Network Games ENSC 835 High-Performance

Simulation and Performance Analysis of Peer-to-Peer Network Games ENSC 835 High-Performance

Simulation and Performance Analysis of Peer-to-Peer Network Games ENSC 835 High-Performance Networks Final Project Presentation Fall 2003 David Mikulec Email: dmikulec@sfu.ca / Web: www.sfu.ca/~ dmikulec Roadmap Introduction to

354 views • 23 slides
Peer-to-Peer Networks 14 Game Theory Christian Schindelhauer Technical Faculty

Peer-to-Peer Networks 14 Game Theory Christian Schindelhauer Technical Faculty

Peer-to-Peer Networks 14 Game Theory Christian Schindelhauer Technical Faculty Computer-Networks and Telematics University of Freiburg Literature Feldman, Chuang Overcoming Free-Riding Behavior in Peer-to-Peer Systems, 2005

449 views • 24 slides
Chor d: A Scalable Peer-t o-peer Lookup Chor d: A Scalable Peer-t o-peer Lookup Ser vice f or I

Chor d: A Scalable Peer-t o-peer Lookup Chor d: A Scalable Peer-t o-peer Lookup Ser vice f or I

Chor d: A Scalable Peer-t o-peer Lookup Chor d: A Scalable Peer-t o-peer Lookup Ser vice f or I nt er net Applicat ions Ser vice f or I nt er net Applicat ions Ion Stoica, Robert Morris, David Karger, M. Frans Kaashoek, Hari Balakrishnan

533 views • 30 slides
Mathematical Analysis of Scheduling Policies in Peer-to-Peer Video Streaming Networks Pablo

Mathematical Analysis of Scheduling Policies in Peer-to-Peer Video Streaming Networks Pablo

Motivation Contributions Video on-demand Live Streaming Conclusions Mathematical Analysis of Scheduling Policies in Peer-to-Peer Video Streaming Networks Pablo Romero Facultad de Ingeniera, Universidad de la Repblica. PEDECIBA

648 views • 50 slides
Peer-to-Peer Networks 14 Security Christian Schindelhauer Technical Faculty Computer-Networks

Peer-to-Peer Networks 14 Security Christian Schindelhauer Technical Faculty Computer-Networks

Peer-to-Peer Networks 14 Security Christian Schindelhauer Technical Faculty Computer-Networks and Telematics University of Freiburg Free-Net Ian Clarke, Oskar Sandberg, Brandon Wiley, Theodore Hong, 2000 Goal - peer-to-peer network -

746 views • 36 slides
Peer to Peer Learning & Support Aims and Objectives of this Workshop Workshop 3: Peer to

Peer to Peer Learning & Support Aims and Objectives of this Workshop Workshop 3: Peer to

Peer to Peer Learning & Support Aims and Objectives of this Workshop Workshop 3: Peer to Peer Learning & Support is designed to encourage peer to peer support, learning and development and sharing best practice amongst the

495 views • 11 slides
Outline What is the proposed e-Science Desktop Peer and why. P2P-DVM, a prototype of

Outline What is the proposed e-Science Desktop Peer and why. P2P-DVM, a prototype of

Realizing the e-Science Desktop Peer Using a Peer-to-Peer Distributed Virtual Machine Middleware. Lei Ni, Aaron Harwood and Peter J. Stuckey NICTA Victoria Labs, Australia, Department of Computer Science and Software Engineering, The

459 views • 12 slides

More recommend