Measurement and Analysis of Hajime: a Peer-to-peer IoT Botnet
by Stephen Herwig (UMD), Katura Harvey (MPI), George Hughey (UMD), Richard Roberts (MPI), Dave Levin (UMD)
Presented by Himanshu Gandhi (2015ANZ7550)

What are botnets, by the way? What is a Botnet?
Important “Problems” for a Botnet Controller? Hajime uses BitTorrent-based Distributed Hash Tables (DHTs) for both questions.
Bot Discovery (slide diagram)
• Hosting file F: announce hash(F), announce bot(F), announce hash(.i)
• Downloading file F: lookup hash(F), lookup bot(F), lookup file(.i)
• Flow: Lookup → Hosting → Key exchange (uTP) → Downloading; uTP keys provide long-lived IDs
Thus:
• Resilient BitTorrent-based discovery
• Difficult to take down Hajime without bringing down BT!!
• P2P
• Difficult to centrally monitor and control
Measurement
Every 16 minutes for 4 months: 5.4M IP addresses, 10.5M keys. Datasets available at http://iot.umd.edu
• Botnet size
  • List all peers exhaustively
  • Used unique keys to get botnet size
  • Why not IP?
    • NAT undercounts
    • IP reassignments and multi-homed devices => overcount
• Code RE
  • 47 modules: 34 .atk, 13 .i
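To make the "why unique keys, not IPs" argument concrete, here is an added example (not from the paper or the slides) that replays the counting over a small constructed set of per-round peer observations; the key names, addresses and round numbers are synthetic.

```python
from collections import defaultdict

# Constructed sample: (scan_round, uTP_key, ip) triples, as if collected by
# the periodic DHT enumeration on the slides. Synthetic data, not real bots.
OBSERVATIONS = [
    # Round 0: four bots behind one NAT share a single public IP
    (0, "key-A", "203.0.113.10"),
    (0, "key-B", "203.0.113.10"),
    (0, "key-C", "203.0.113.10"),
    (0, "key-F", "203.0.113.10"),
    (0, "key-D", "198.51.100.7"),
    # Round 1: key-D's ISP reassigned its address; key-A still behind the NAT
    (1, "key-A", "203.0.113.10"),
    (1, "key-D", "198.51.100.99"),
    # Round 2: key-E is multi-homed and shows up from two addresses at once
    (2, "key-E", "192.0.2.5"),
    (2, "key-E", "192.0.2.6"),
    (2, "key-D", "198.51.100.99"),
]

def size_by_keys(obs):
    """Botnet size as the slides compute it: distinct long-lived uTP keys."""
    return len({key for _, key, _ in obs})

def size_by_ips(obs):
    """The naive alternative: distinct IP addresses ever observed."""
    return len({ip for _, _, ip in obs})

def nat_collisions(obs):
    """IPs that hosted more than one key: IP counting undercounts these."""
    keys_per_ip = defaultdict(set)
    for _, key, ip in obs:
        keys_per_ip[ip].add(key)
    return {ip: sorted(k) for ip, k in keys_per_ip.items() if len(k) > 1}

def moving_keys(obs):
    """Keys seen on more than one IP (reassignment or multi-homing):
    IP counting overcounts these."""
    ips_per_key = defaultdict(set)
    for _, key, ip in obs:
        ips_per_key[key].add(ip)
    return {k: sorted(i) for k, i in ips_per_key.items() if len(i) > 1}

def peak_round_size(obs):
    """Largest number of distinct keys seen in any single scan round."""
    per_round = defaultdict(set)
    for rnd, key, _ in obs:
        per_round[rnd].add(key)
    return max(len(keys) for keys in per_round.values())
```

With this sample the key-based count (6) and IP-based count (5) disagree, and the two helper functions show the opposing error sources pulling the IP count in both directions.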
Hajime Geo-Distribution
• MaxMind IP Geolocation DB used
Hajime Architectural Distribution
• Based on .atk file usage
• Censys database (IP-to-uTP-key mapping used for device fingerprinting)
What’s New?
• Novel way of measuring and analyzing a botnet
• Insights about botnets’ ability to evolve
• Honeypots need to be architecture-specific
What’s more in the paper?
• More details on the botnet internals
• Insights about device fingerprinting and bot lifetime
• CWMP DNS backscatter-based geographical distribution