Detecting IoT Devices in the Internet

Distributed Denial-of-Service (DDoS) attacks launched from compromised Internet-of-Things (IoT) devices have shown how vulnerable the Internet is to large-scale DDoS attacks. Understanding the risks of these attacks requires learning about these IoT devices: where are they? How many are there? How are they changing? This paper describes three new methods to find IoT devices on the Internet: server IP addresses in traffic, server names in DNS queries, and manufacturer information in TLS certificates. Our primary methods (IP addresses and DNS names) use knowledge of servers run by the manufacturers of these devices. Our third method uses TLS certificates obtained by active scanning. We have applied our algorithms to a number of observations. With our IP-based algorithm, we report detections from a university campus over 4 months and from traffic transiting an IXP over 10 days. We apply our DNS-based algorithm to traffic from 8 root DNS servers from 2013 to 2018 to study AS-level IoT deployment. We find substantial growth (about $3.5\times$) in AS penetration for 23 types of IoT devices and a modest increase in device-type density for ASes detected with these device types (at most 2 device types in 80% of these ASes in 2018). DNS also shows substantial growth in IoT deployment in residential households from 2013 to 2017. Our certificate-based algorithm finds 254k IP cameras and network video recorders from 199 countries around the world.
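The DNS-based method above matches query names against server names run by device manufacturers and then aggregates detections per AS. The following is an added illustration, not the paper's code: the manufacturer server names, the resolver-to-AS mapping and the query-log lines are all constructed placeholders, and the density measure (fraction of detected ASes with at most k device types) mirrors the statistic the abstract reports.

```python
from collections import defaultdict

# Hypothetical manufacturer server names -> device type (constructed for this
# example; the paper's actual server-name lists are not reproduced here).
KNOWN_SERVERS = {
    "cloud.example-cam.test": "ip-camera",
    "nvr.example-cam.test": "nvr",
    "api.example-plug.test": "smart-plug",
    "time.example-therm.test": "thermostat",
}

# Hypothetical mapping of recursive-resolver IP -> origin AS number (constructed).
IP_TO_AS = {"192.0.2.10": 64496, "192.0.2.11": 64496,
            "198.51.100.5": 64497, "203.0.113.7": 64498}

# Constructed query-log lines as a root server might record them: "<resolver_ip> <qname>".
SAMPLE_LOG = """\
192.0.2.10 cloud.example-cam.test.
192.0.2.10 www.example.test.
192.0.2.11 nvr.example-cam.test.
198.51.100.5 api.example-plug.test.
198.51.100.5 sub.api.example-plug.test.
203.0.113.7 mail.example.test.
"""

def classify_qname(qname, known=KNOWN_SERVERS):
    """Return the device type whose server name equals qname or is its parent, else None."""
    name = qname.rstrip(".").lower()
    for server, dtype in known.items():
        if name == server or name.endswith("." + server):
            return dtype
    return None

def device_types_per_as(log, ip_to_as=IP_TO_AS, known=KNOWN_SERVERS):
    """Map each AS to the set of IoT device types observed in its resolvers' queries."""
    seen = defaultdict(set)
    for line in log.splitlines():
        if not line.strip():
            continue
        ip, qname = line.split()
        dtype = classify_qname(qname, known)
        asn = ip_to_as.get(ip)
        if dtype is not None and asn is not None:
            seen[asn].add(dtype)
    return dict(seen)

def density_cdf(per_as, k):
    """Fraction of detected ASes that host at most k device types (device-type density)."""
    if not per_as:
        return 0.0
    return sum(1 for types in per_as.values() if len(types) <= k) / len(per_as)
```

An AS whose resolvers never query a known manufacturer name (AS 64498 here) is not counted as detected, so it does not enter the density denominator.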
