1 / 29

Measurement and Analysis of Hajime: a Peer-to-peer IoT Botnet

This paper presents an in-depth analysis of Hajime, a peer-to-peer IoT botnet, exploring its structural variants, characteristics, and impact. The study focuses on the use of BitTorrent-based Distributed Hash Tables in bot discovery, hosting, and downloading activities of Hajime. Through extensive measurements over 4 months, the research provides insights into botnet size, geographical distribution, architectural patterns, vulnerabilities, and attack methods employed by Hajime. Additionally, the paper discusses novel approaches for botnet measurement and highlights the need for architecture-specific honeypots to effectively combat evolving botnets. For more details on Hajime's internals, device fingerprinting, and geographic distribution based on DNS backscatter, this paper offers valuable information for understanding and combating modern IoT botnets. Datasets from the study are available at http://iot.umd.edu.

wbranham
Download Presentation

Measurement and Analysis of Hajime: a Peer-to-peer IoT Botnet

An Image/Link below is provided (as is) to download presentation Download Policy: Content on the Website is provided to you AS IS for your information and personal use and may not be sold / licensed / shared on other websites without getting consent from its author. Content is provided to you AS IS for your information and personal use only. Download presentation by click this link. While downloading, if for some reason you are not able to download a presentation, the publisher may have deleted the file from their server. During download, if you can't get a presentation, the file might be deleted by the publisher.

E N D

Presentation Transcript

  1. Measurement and Analysis of Hajime:a Peer-to-peer IoT Botnet by Stephen Herwig (UMD), KaturaHarvey (MPI), George Hughey (UMD), Richard Roberts (MPI), Dave Levin (UMD) Presented by Himanshu Gandhi (2015ANZ7550)

  2. What are botnets, by the way ?

  3. What is a Botnet ?

  4. Structural Variants

  5. So, what is Hajime ?

  6. Characteristics of an “uncharacteristic” Botnet

  7. Hmmm, tell me more about Hajime !

  8. Important “Problems” for a Botnet Controller? Hajime uses BitTorrent based Distributed Hash Tables for both questions.

  9. Bot Discovery announce hash(F) announce bot(F) announce hash(.i) Hosting file F lookup hash(F) lookup bot (F) lookup file (.i) Downloading file F

  10. Announce

  11. Lookup Hosting KeyExchange UTP Keys provide long-lived IDs Downloading

  12. Thus: • Resilient BitTorrent Based Discovery • Difficult to take down Hajime without bringing down BT !! • P2P • Difficult to centrally monitor and control

  13. More about Measurement and Analysis

  14. Measurement Every 16 minutes for 4 months - 5.4M IP addresses - 10.5M keys Datasets available at http://iot.umd.edu • Botnet Size • List all peers exhaustively • Used unique keys to get botnet size • Why not IP • NAT undercounts • IP reassignments and multi-homed devices => overcount • Code RE • 47 modules – 34 .atk, 13 .i

  15. Hajime Size

  16. Hajime Geo-Distribution MaxMind IP Geolocation DB used

  17. Hajime Architectural Distribution • Based on .atk files usage • Censys Database (IP-uTP key used for device fingerprinting)

  18. Hajime Architectural + Geography Distribution

  19. Hajime Architectural + Geography Distribution

  20. Hajime Architectural + Geography Distribution

  21. Hajime – Impact of new Vulnerabilities

  22. Hajime – Speed of Updates

  23. Attacks and DNS Backscatter

  24. Vulnerable Device Attack (CWMP)

  25. Non-Vulnerable Device Attack

  26. Contribution

  27. What’s New ? • Novel way of measuring and analyzing botnet • Insights about botnets’ ability to evolve • Honeypots need to be architecture specific

  28. What’s more in the paper ? • More details on the botnet internals • Insights about device fingerprinting and bot lifetime • CWMP DNS backscatter based geographical distribution

  29. Thank You :)

More Related