[Case Study] DDoS Attack on DNS using infected IoT Devices @ ACSAC 2015 (The 31st Annual Computer Security Applications Conference 2015), which is one of the most important cyber security conferences in the world and the oldest information security conference held annually

1. SANE(Security Analysis aNd Evaluation) Lab.
Ki-Taek LEE*, Seungsoo BAEK, Seungjoo KIM**
zizihacker@korea.ac.kr, baek.seungsoo@gmail.com, skim71@korea.ac.kr
CIST (Center for Information Security Technologies), Korea University
*1st Author, **Corresponding Author
Case Study :
DDoS Attack on DNS
using infected IoT Devices
ACSAC 2015

2. 2
Acknowledgement
This research was supported by the MSIP(Ministry of Science, ICT and
Future Planning), Korea, under the ITRC(Information Technology
Research Center) support program (IITP-2015-R0992-15-1006)
supervised by the IITP(Institute for Information & communications
Technology Promotion)

3. 3
Internet down after cyberattack
29 November, 2014
15,000,000 packets per second
SK Broadband, one of the largest providers of broadband Internet access in
Korea, was attacked by the Distributed Denial-of-Service (DDoS) over the
weekend, disconnecting its Internet services for about an hour.
DDoS is a kind of cyberattack in which multiple compromised systems are
used to target a single network or a machine and make it unavailable to
users.
On Saturday at 10:55 a.m., the traffic on SK Broadband’s DNS server soared
up to 15 million packets per second (PPS), from its usual average of about 1
million PPS. PPS refers to the number of database transactions performed
per second.
SK Broadband users near Seocho and Dongjak distrcts in southern Seoul
were without Internet from 10:55 a.m. until 12:05 p.m. on Saturday.
[1] Internet down after cyberattack (JOONGANG DAILY, Dec 2014)

4. 4
Internet down after cyberattack
169,640 182,589
9,136,090
# DNS Request Queries /1 Minute
more 50 times traffic incoming for DDoS attack
Time
DNS Request queries
Nov 29th, 2014
Avg. queries

5. 5
How to detect DDoS attack
• Our own <Near-Real Time DNS Query Analyzing System for Detecting
DDoS Attacks>

6. 6
How to detect DDoS attack
• Our own <Near-Real Time DNS Query Analyzing System for Detecting
DDoS Attacks>
[2] Study on the near-real time DNS query analyzing system for DNS amplification attacks, KIISC (2015)

7. 7
Zombie PCs? Zombie Devices!
• We analyzed the IP addresses of packets and found out
the cause of attack.
• The attack came from IoT devices such as home routers,
network switches, network-connected CCTVs and
STBs(SetTop Box) of IPTV, not computers which are
generally used for DDoS attack.

8. 8
Benefits of IoT device for DDoS
Why do attacker want to use IoT device for DDoS attack?
Any TIME
communication
Any THING
communication
Any PLACE
communication
• on the move
• night
• daytime
• outdoor
• indoor (away from the computer)
• at the computer
• between computers
• human to human, not using a computer
• human to thing, using generic equipment
• thing to thing
[3] The new dimension introduced in the Internet of things - Recommendation ITU-T Y.2060 (06/2012)

9. 9
Top 10 IoT Vulnerabilities (2014)
A list of the top 10 internet of things vulnerabilities
[4] OWASP Internet of Things Project (https://www.owasp.org/index.php/OWASP_Internet_of_Things_Project)
Rank Title
I1 Insecure Web Interface
I2 Insufficient Authentication/Authorization
I3 Insecure Network Services
I4 Lack of Transport Encryption
I5 Privacy Concerns
I6 Insecure Cloud Interface
I7 Insecure Mobile Interface
I8 Insufficient Security Configurability
I9 Insecure Software/Firmware
I10 Poor Physical Security

10. 10
Case 1. Home router
• Tracing source IP addresses of DDoS and identifying the devices

11. 11
Case 1. Home router
• Connecting to admin pages of home router

12. 12
Case 1. Home router
• Connecting to telnet for analysis
• Some weird processes are running.

13. 13
Case 1. Home router
• Download firmware from the home router
• Reverse engineer the firmware
- Use busybox to download malware
- 192.3.205.154 is used as C&C and distribution server
- 217.71.50.13 is used as distribution server

14. 14
Case 1. Home router
• It would spread by finding new devices using a random scan of IP
address.
TCP <target> <port (0 for random)> <time> <netmask (32 for non spoofed)> <flags
(syn, ack, psh, rst, fin, all) comma seperated> (packet size, usually 0) (time poll interval,
default 10)

15. 15
Case 1. Home router
• Get malwares from the distribution server and bin.sh
Name Size
arm 98KB
arm.i64 1,105KB
i586 77KB
i586.i64 985KB
i686 79KB
mips 122KB
mipsel 125KB
ppc 92KB
sparc 105KB
superh 60KB

16. 16
Case 2. Network Switch
• Similar to “Case 1”, but something is different

17. 17
Case 2. Network Switch

18. 18
Case 2. Network Switch
• Malicious commands

19. 19
Case 2. Network Switch
• Source code
[5] Lightaidra, https://github.com/eurialo/lightaidra

20. 20
Case 2. Network Switch
Basic group Aidra group
File list arm, mips, mipsel, ppc,s,sh
mips_aidra, superh_aidra, arm_aidra, mipsel
_aidra
C&C or
distribution
Server IP
automation.whatismyip.com
(72.233.89.199)
IRC connect
76.73.104.50:6667
76.73.103.60:6667
76.73.104.243:6667
205.188.14.92:6667
Command list
Access Commands (login/logout)
Miscs Commands (run/check)
Scan Commands (scan)
DDoS Commands
.spoof <IP> : ip spoofing attack
.synflood , .nssynflood
.ackflood, .nsackflood
Attack Command
.synflood
.*flood->[m,a,p,s,x]
<example>
.nssynflood->s <host> <port> <secs>
* : syn, nssyn, ack, nsack
a=arm / p=ppc /
s=superh / x=x86

21. 21
Case 2. Network Switch
Basic group Aidra group
configure spoof (ip spoofing)
advscan (after scan on B Class, check id/pass or access telnet to infect to device )
Attack
running
Version check
Run attack script include update malware)
/var/run/getbinaries.sh mips_aidra
superh_aidra
arm_aidra
ppc_aidra
</var/run/getbinaries.sh >
76.73.104.50
46.40.191.171
<OOO_aidra>
217.23.10.250

22. 22
Case 3. CCTV
• Trace source IP address of DDoS attack and find out a management
page of CCTV

23. 23
Case 3. CCTV
• Malwares on CCTV
- password is changed
- update with infected firmware (get root permission)
• rtsp://<CCTV IP>/trackID=1&basic_auth=base64([id:pw])
- root / (empty)
- root / root
- root / admin
- admin / admin
- admin / 1234
- admin / 12345
- admin / smcadmin
- admin / (empty)

24. 24
Case 3. CCTV
• Scanning 120,000,000 IP over the internet with the tool and found
23,507 CCTV IP
• Vulnerable CCTVs are 9,063 among them
• Default id, password are commonly used

25. 25
A mount of infected device
• Approximately 2,000,000,000 of IP
Home router,
1,151,940
Network Switch,
19,754
CCTV, 23,507
STB, 2
others, 4,349
(0.36%)
(96.03%)
(1.65%)
(1.95%)
(0.00%)

26. 26
Infection flow of IoT
Attacker or
infected IoT device
IoT device
(Victim)
① IP range scan
② access to victim’s IP through telnet or web
③ attack with default (ID, password) or remote command execution
④ upload malicious code
① delete temp files and directories
② kill main services(telnet, main daemon and…)
③ download & overwrite infected busybox from C&C server
④ delete the downloaded file at ③
⑤ overwrite infected busybox to main daemon
⑥ delete the infected busybox at ⑤
⑦ execute main deamon
⑧ block and kill telnet, ssh using iptables for protecting itself
External
infection flow
Internal
infection flow

27. 27
Conclusion
• The Internet of Things(IoT) is beginning to grow significantly.
• IoT devices have many vulnerabilities.
• All devices can be zombie devices.
• We need more active defenses.

28. 28
Future works
• Automatic vulnerabilities scanner for IoT

29. 29
Future works
• Automatic vulnerabilities scanner for IoT

30. 30
Future works
• Automatic vulnerabilities scanner for IoT

31. 31
E-Mail : zizihacker@korea.ac.kr, zizihacker@gmail.com
Thanks for your attention.
Questions ?