only post comments made by the speakers or panelists do
play

Only post comments made by the speakers or panelists Do not post - PowerPoint PPT Presentation

Dec 04, 2023 •168 likes •823 views

Social Media Posting Allowed Tweeter, Facebook, LinkedIn, other social media posts are welcomed in this session if you: Only post comments made by the speakers or panelists Do not post comments or questions from the

  1. – Social Media Posting Allowed – 
 Tweeter, Facebook, LinkedIn, other social media posts 
 are welcomed in this session if you: 
 • Only post comments made by the speakers or panelists • Do not post comments or questions from the audience 
 (but you can share the speakers’ responses to questions) • Do not post the name, position or company of other meeting attendees • Do not post conversations with attendees • M 3 AAWG is not a deliverability conference; we are: • An industry working group meeting • An anti-abuse conference, or • A gathering of security experts • All of the M 3 AAWG Membership, Trademarks and Logo guidelines apply ( https://www.m3aawg.org/members/how-promote-m3aawg#TrademarkGuidelines ) • Appreciate a shout out to @maawg and #m3aawg42 M3AAWG 42nd General Meeting | San Francisco | February 2018

  2. Understanding the Mirai Botnet Manos Antonakakis ✝ , Tim April ◆ , Michael Bailey ★ , Matthew Bernhard ‡ , Elie Bursztein ✱ Jaime Cochran △ , Michalis Kallitsis ● , Damian Menscher ✱ , Zakir Durumeric ‡ Deepak Kumar ★ , Chad Seaman ◆ , J. Alex Halderman ‡ , Luca Invernizzi ✱ , Chaz Lever ✝ Zane Ma ★ , Joshua Mason ★ , Nick Sullivan △ , Kurt Thomas ✱ , Yi Zhou ★ ◆ Akamai Technologies, △ Cloudflare, ✝ Georgia Institute of Technology, ✱ Google, ● Merit Network ★ University of Illinois Urbana-Champaign , ‡ University of Michigan Understanding the Mirai Botnet ▪︎ Zane Ma 2

  3. Internet of Things 2016 2020 6 - 9 Billion ~30 Billion Understanding the Mirai Botnet ▪︎ Zane Ma 3

  4. IoT Botnets 2012 Carna Botnet 2015 BASHLITE / gafgyt 420,000 devices 1,000,000 devices Understanding the Mirai Botnet ▪︎ Zane Ma 4

  5. Mirai Understanding the Mirai Botnet ▪︎ Zane Ma 5

  6. Lifecycle Attacker • Fast, stateless port-scanning: �� Send command SYN w/ TCP seq # = dest IP Command Report �� Dispatch Loader • Check for SYN-ACKs where & Control Server Infrastructure TCP seq # = src IP + 1 �� Relay ��� Load � � Report • Raw socket, requires root Devices �� Scan Victim Bots • If port open, brute force telnet � Attack login credentials DDoS Target Understanding the Mirai Botnet ▪︎ Zane Ma 6

  7. Lifecycle Attacker • Reports successful IP:port, �� Send command username:password Command Report �� Dispatch Loader • Report server aggregates & Control Server Infrastructure results �� Relay ��� Load � � Report Devices �� Scan Victim Bots � Attack DDoS Target Understanding the Mirai Botnet ▪︎ Zane Ma 7

  8. Lifecycle Attacker • Asynchronous from scanning �� Send command + reporting Command Report �� Dispatch Loader • Supports building up potential & Control Server Infrastructure “hit list” �� Relay ��� Load � � Report Devices �� Scan Victim Bots � Attack DDoS Target Understanding the Mirai Botnet ▪︎ Zane Ma 8

  9. Lifecycle Attacker • Determines architecture, �� Send command wget/tftp 1 out of 9 archs. Command Report �� Dispatch Loader • Defensive - kills competing & Control Server Infrastructure Mirai, and any processes �� Relay ��� Load � � Report listening on HTTP/Telnet/SSH Devices �� Scan Victim • Obfuscates process name Bots and removes executable - � Attack does not survive reboots DDoS Target Understanding the Mirai Botnet ▪︎ Zane Ma 9

  10. Lifecycle Attacker • Simple attack API - �� Send command configurable duration, attack size (# bots), IP spoofing Command Report �� Dispatch Loader & Control Server Infrastructure • Supports 10 attack types, �� Relay ��� Load � � Report volumetric/TCP/application Devices �� Scan Victim Bots � Attack DDoS Target Understanding the Mirai Botnet ▪︎ Zane Ma 10

  11. Lifecycle Attacker • C&C resolves domains, �� Send command issues attacks on IPs Command Report �� Dispatch Loader & Control Server Infrastructure �� Relay ��� Load � � Report Devices �� Scan Victim Bots � Attack DDoS Target Understanding the Mirai Botnet ▪︎ Zane Ma 11

  12. Lifecycle Attacker • Attacks do not interrupt �� Send command scanning Command Report �� Dispatch Loader • Fingerprintable application & Control Server Infrastructure level packets �� Relay ��� Load � � Report • Configurable reflection / Devices �� Scan Victim amplification attacks Bots � Attack DDoS Target Understanding the Mirai Botnet ▪︎ Zane Ma 12

  13. Measurement Attacker Data Source Size �� Send command Network Telescope 4.7M unused IPs Command Report �� Dispatch Loader • 0.1% of IPv4 address space & Control Server Infrastructure �� Relay ��� Load � • 1.1M packets / min � Report • Look for Mirai fingerprint Devices �� Scan Victim Bots � Attack DDoS Target Understanding the Mirai Botnet ▪︎ Zane Ma 13

  14. Measurement Attacker Data Source Size �� Send command Network Telescope 4.7M unused IPs Command Report �� Dispatch Loader • 0.1% of IPv4 address space & Control Server Infrastructure �� Relay ��� Load � • 1.1M packets / min � Report • Look for Mirai fingerprint Devices �� Scan Victim Bots • Handling IP churn: look for active � Attack concurrent scans DDoS Target Understanding the Mirai Botnet ▪︎ Zane Ma 14

  15. Measurement Attacker Data Source Size �� Send command Network Telescope 4.7M unused IPs Active Scanning 136 IPv4 scans Command Report �� Dispatch Loader & Control Server Infrastructure • Application protocol banners �� Relay ��� Load � � Report (telnet, FTP, HTTP, etc.) Devices �� Scan Victim • Device attribution: NMap service Bots probes, manual labeling � Attack DDoS Target Understanding the Mirai Botnet ▪︎ Zane Ma 15

  16. Measurement Attacker Data Source Size �� Send command Network Telescope 4.7M unused IPs Active Scanning 136 IPv4 scans Command Report �� Dispatch Loader & Control Server Infrastructure • Application protocol banners �� Relay ��� Load � � Report (telnet, FTP, HTTP, etc.) Devices �� Scan Victim • Device attribution: NMap service Bots probes, manual labeling � Attack • Future work: Individual device DDoS Target fingerprinting Understanding the Mirai Botnet ▪︎ Zane Ma 16

  17. Measurement Attacker Data Source Size �� Send command Network Telescope 4.7M unused IPs Active Scanning 136 IPv4 scans Command Report �� Dispatch Loader & Control Server Infrastructure Telnet Honeypots 434 binaries �� Relay ��� Load � � Report • Busybox shell that accepts any telnet login credentials Devices �� Scan Victim Bots • Used collected binaries to � Attack generate YARA rules DDoS Target Understanding the Mirai Botnet ▪︎ Zane Ma 17

  18. Measurement Attacker Data Source Size �� Send command Network Telescope 4.7M unused IPs Active Scanning 136 IPv4 scans Command Report �� Dispatch Loader & Control Server Infrastructure Telnet Honeypots 434 binaries �� Relay ��� Load � Malware Repository 594 binaries � Report • Found VirusTotal binaries Devices �� Scan Victim matching YARA rules Bots � Attack DDoS Target Understanding the Mirai Botnet ▪︎ Zane Ma 18

  19. Measurement Attacker Data Source Size �� Send command Network Telescope 4.7M unused IPs Active Scanning 136 IPv4 scans Command Report �� Dispatch Loader & Control Server Infrastructure Telnet Honeypots 434 binaries �� Relay ��� Load � Malware Repository 594 binaries � Report Active/Passive DNS 499M daily RRs Devices �� Scan Victim • Active = Thales DNS monitoring Bots system, using zone files, domain lists � Attack • Passive = Resource Records from DDoS Target large US ISP Understanding the Mirai Botnet ▪︎ Zane Ma 19

  20. Measurement Attacker Data Source Size �� Send command Network Telescope 4.7M unused IPs Active Scanning 136 IPv4 scans Command Report �� Dispatch Loader & Control Server Infrastructure Telnet Honeypots 434 binaries �� Relay ��� Load � Malware Repository 594 binaries � Report Active/Passive DNS 499M daily RRs Devices �� Scan Victim C2 Milkers 64K issued attacks Bots • C&C doesn’t authenticate / � Attack validate connecting bots DDoS Target Understanding the Mirai Botnet ▪︎ Zane Ma 20

  21. Measurement Attacker Data Source Size �� Send command Network Telescope 4.7M unused IPs Active Scanning 136 IPv4 scans Command Report �� Dispatch Loader & Control Server Infrastructure Telnet Honeypots 434 binaries �� Relay ��� Load � Malware Repository 594 binaries � Report Active/Passive DNS 499M daily RRs Devices �� Scan Victim C2 Milkers 64K issued attacks Bots Krebs DDoS Attack 170K attacker IPs � Attack DDoS Target Understanding the Mirai Botnet ▪︎ Zane Ma 21

Recommend

Open floor discussions Speakers for each day: please sit in the first row We are

Open floor discussions Speakers for each day: please sit in the first row We are

Open floor discussions Speakers for each day: please sit in the first row We are collecting everyone's input and want comments! Tweet to the hashtag: #microbiome Or use the NIH email: hmvision@nih.gov Or post questions on

421 views • 16 slides
How Much Data Is Enough To Approve A COVID-19 Vaccine? Speakers Moderator Panelists Sarah

How Much Data Is Enough To Approve A COVID-19 Vaccine? Speakers Moderator Panelists Sarah

How Much Data Is Enough To Approve A COVID-19 Vaccine? Speakers Moderator Panelists Sarah Karlin-Smith Jonathan Ellen Holly Fernandez Lynch Senior Writer, Pink Sheet Epidemiologist & Former John Russell Dickson, MD Hospital CEO And

368 views • 13 slides
Harnessing the Power of the Oceans SPEAKERS Panelists H.E. Nani Chrougha, Minister of Fisheries

Harnessing the Power of the Oceans SPEAKERS Panelists H.E. Nani Chrougha, Minister of Fisheries

SESSION 2: COASTAL STATES From Living on the Edge to Harnessing the Power of the Oceans SPEAKERS Panelists H.E. Nani Chrougha, Minister of Fisheries and Maritime Economy, Mauritania H.E. Agostinho Salvador Mondlane , Minister of the

311 views • 3 slides
Presentation made at the first session of inter-governmental negotiation on Post-2015 Agenda

Presentation made at the first session of inter-governmental negotiation on Post-2015 Agenda

Towards a UN Declaration in the Context of Post-2015 Development Agenda - A Check List by Debapriya Bhattacharya , PhD Chair, Southern Voice on Post-MDGs and Distinguished Fellow, Centre for Policy Dialogue (CPD) Presentation made at the

719 views • 20 slides
Welcome the session, please also post them in the chat box. We will do our best to address them

Welcome the session, please also post them in the chat box. We will do our best to address them

Please post your organization, location, and role in the chat box. If additional people are attending the webinar with you, please post their first and last names as well. If you have questions or comments during Welcome the

538 views • 50 slides
REBUILDING OUR ECONOMY POST COVID-19: GUARANTEES Panelists Joel Smith, Native American Bank

REBUILDING OUR ECONOMY POST COVID-19: GUARANTEES Panelists Joel Smith, Native American Bank

#OCAC20 #OCAC20 #OCAC20 REBUILDING OUR ECONOMY POST COVID-19: GUARANTEES Panelists Joel Smith, Native American Bank Christine Ryan, The California Endowment Teri Lovelace, LOCUS Impact Investing/Community Investment Guarantee Pool June 24,

232 views • 12 slides
1 2 Post-Recession Life Sciences: Post-Recession Life Sciences: Achieving Success in the

1 2 Post-Recession Life Sciences: Post-Recession Life Sciences: Achieving Success in the

1 2 Post-Recession Life Sciences: Post-Recession Life Sciences: Achieving Success in the Current Achieving Success in the Current Economic Environment Economic Environment Panelists Panelists Moderated by : Jam James C. Chapm s C.

462 views • 9 slides
Discussion on DSM topics during workshop 27 Oct 2015 Please post questions, comments, discussion

Discussion on DSM topics during workshop 27 Oct 2015 Please post questions, comments, discussion

Discussion on DSM topics during workshop 27 Oct 2015 Please post questions, comments, discussion ideas on the lines below... How can we model system behavior in a more abstract way? Are automata suitable? Perhaps there are some problems

216 views • 5 slides
Next Generation ACO Model Benefit Enhancements March 28, 2017 Disclaimer The comments made on

Next Generation ACO Model Benefit Enhancements March 28, 2017 Disclaimer The comments made on

Next Generation ACO Model Benefit Enhancements March 28, 2017 Disclaimer The comments made on this call are offered only for general informational and educational purposes. As always, the agencys positions on matters may be subject to

507 views • 22 slides
Todays Class: Post-COVID safety measures for employees Speakers Thomas Goldsby Michel

Todays Class: Post-COVID safety measures for employees Speakers Thomas Goldsby Michel

Todays Class: Post-COVID safety measures for employees Speakers Thomas Goldsby Michel Perez-Guzman Professor Director of Professional Services James A. Haslam, II Chair of Logistics Krber Supply Chain The University of Tennessee

157 views • 12 slides
Made in Africa Learning to Compete In Industry Comments and Responses Haroon Bhorat UNU-WIDER

Made in Africa Learning to Compete In Industry Comments and Responses Haroon Bhorat UNU-WIDER

Made in Africa Learning to Compete In Industry Comments and Responses Haroon Bhorat UNU-WIDER Annual Development Conference Helsinki, Finland 13-15 September, 2018 Five Key Observations 1. The Nuances in Africas Manufacturing Malaise 2.

646 views • 8 slides
Growing Writers in FWISD 8 th Grade Teachers Waiver Day: October 9, 2017 Please post comments

Growing Writers in FWISD 8 th Grade Teachers Waiver Day: October 9, 2017 Please post comments

Growing Writers in FWISD 8 th Grade Teachers Waiver Day: October 9, 2017 Please post comments and photos about your learning today @FWISD_Lit2 1 Date of Presentation 3 Things On the back of , your name tent, write 3 things you know,

498 views • 35 slides
Growing Writers in FWISD 7 th Grade Teachers Waiver Day: October 9, 2017 Please post comments

Growing Writers in FWISD 7 th Grade Teachers Waiver Day: October 9, 2017 Please post comments

Growing Writers in FWISD 7 th Grade Teachers Waiver Day: October 9, 2017 Please post comments and photos about your learning today @FWISD_Lit2 1 Date of Presentation 3 Things On the back of , your name tent, write 3 things you know,

370 views • 34 slides
Quantifying Project Impacts from COVID-19 MAY 14, 2020 1 Todays Speakers Moderator Joe

Quantifying Project Impacts from COVID-19 MAY 14, 2020 1 Todays Speakers Moderator Joe

Quantifying Project Impacts from COVID-19 MAY 14, 2020 1 Todays Speakers Moderator Joe Hogan, Vice President AGC NYS Panelists Charles F. Boland, P.E., Principal GREYHAWK Barrett Richards, CCC, CEP, PSP , Senior Managing

434 views • 29 slides
5/28/2020 Agenda & Panelists 1. Covid Trends Panelists: 2. New Jersey Donna Antenucci,

5/28/2020 Agenda & Panelists 1. Covid Trends Panelists: 2. New Jersey Donna Antenucci,

Coronavirus Updates for Virtua Health Affiliated Practices Webinar #13 5/28/2020 Agenda & Panelists 1. Covid Trends Panelists: 2. New Jersey Donna Antenucci, RN VP CIN, President LHN Reactivation Andrew Cohen, MD Medical Director

666 views • 34 slides
Updated 5/12/2020 Agenda & Panelists Panelists: Introductions Latest numbers Andrew

Updated 5/12/2020 Agenda & Panelists Panelists: Introductions Latest numbers Andrew

Coronavirus Updates for Virtua Health Affiliated Practices Webinar #12 Updated 5/12/2020 Agenda & Panelists Panelists: Introductions Latest numbers Andrew Cohen, MD Medical Director VPP, LHN Tarun Kapoor, MD President, VPP

398 views • 24 slides
for the Cloud April 2016 Austin Openstack Summit Panelists & Presenters Panelists &

for the Cloud April 2016 Austin Openstack Summit Panelists & Presenters Panelists &

Panel Discussion: Performance Measuring Tools for the Cloud April 2016 Austin Openstack Summit Panelists & Presenters Panelists & Presenters Douglas Shakshober Das Kamhout XiaoFei Wang Nicholas Wakou Yuting Wu Red Hat Intel

408 views • 27 slides
IBMSFQCCAA Health Care Panel 10 November 2017 Moderator : Sy Schulman Panelists : Dave Johnson

IBMSFQCCAA Health Care Panel 10 November 2017 Moderator : Sy Schulman Panelists : Dave Johnson

IBMSFQCCAA Health Care Panel 10 November 2017 Moderator : Sy Schulman Panelists : Dave Johnson Gregg Cesario Hal Jurist Linda Sheiner John Ryan Audience comments and Questions Sy Schulman Florida Blue Medicare Supplement Plan F

86 views • 8 slides
Zoom Webinar Controls Enter your questions for Select Panelists and panelists in the Q&A

Zoom Webinar Controls Enter your questions for Select Panelists and panelists in the Q&A

Zoom Webinar Controls Enter your questions for Select Panelists and panelists in the Q&A pod. Attendees to say hi! Todays Format Benefits of Mindfvlness Strategies to Foster Mindfvlness Q&A Welcome Spencer G. Niles Dean

722 views • 30 slides
Mechanisms underlying feature selectivity in primary sensory cortices Thomas Bessah In other

Mechanisms underlying feature selectivity in primary sensory cortices Thomas Bessah In other

Mechanisms underlying feature selectivity in primary sensory cortices Thomas Bessah In other to get access to the speakers comments, click on: Comments\show comments list Kaniza Triangle 0 o A 90 o L 90 o R A L A R pulvinar pretectum

662 views • 55 slides
a Post-Covid Era Chair: Tomos Joyce, Project Officer Todays Speakers Ross Phillips Tomos

a Post-Covid Era Chair: Tomos Joyce, Project Officer Todays Speakers Ross Phillips Tomos

Parks and Open Spaces: Keeping our Air Clean in a Post-Covid Era Chair: Tomos Joyce, Project Officer Todays Speakers Ross Phillips Tomos Joyce Rachael Aldridge Jacqueline Bleicher Fiona Coull Tony Leach Susannah Wilks Project

798 views • 47 slides
WELCOME Committee Findings Meeting October 30, 2018 FEEDBACK RECAP You Have Heard From: 965

WELCOME Committee Findings Meeting October 30, 2018 FEEDBACK RECAP You Have Heard From: 965

WELCOME Committee Findings Meeting October 30, 2018 FEEDBACK RECAP You Have Heard From: 965 Zone Talk Comments Speakers at Two Public Forums Neighbors & Friends People on Social Media You Have: Debated Each Other Made

585 views • 29 slides
September 6, 2012 ibm.com/responsibility Certain comments made in this presentation may be

September 6, 2012 ibm.com/responsibility Certain comments made in this presentation may be

IBM Corporate Citizenship & Corporate Affairs IBM 2012 Corporate Responsibility Financial Analysts Webcast September 6 , 2012 September 6, 2012 ibm.com/responsibility Certain comments made in this presentation may be characterized as

273 views • 13 slides
Speakers Bureau Architectural Presentation Questionnaire 1. Speakers name: 2. Speakers

Speakers Bureau Architectural Presentation Questionnaire 1. Speakers name: 2. Speakers

AIA Michigan/Michigan Architectural Foundation Speakers Bureau Architectural Presentation Questionnaire 1. Speakers name: 2. Speakers professional designation: 3. Speakers AIAMI Chapter: 4. Speakers architectural practice name:

66 views • 3 slides

More recommend