Hacking Book | Free Online Hacking Learning


interpretation of ndss 2019 issues: removing mirai botnet from the perspective of operators

Posted by patinella at 2020-03-29

Original title: cleaning up the Internet of even things: real world evidence on ISP and consumer effects to remove Mirai

Original author: orc, UN C, etin, Carlos GA, n'an, Lisette Altena, Takahiro Kasama, Daisuke Inoue, Kazuki Tamiya, Ying tie, katsunari Yoshioka, and Michel van eeten

Topic details: https://www.ndss-symphony.org/ndss-paper/cleaning-up-the-internet-of-evil-things-real-world-identity-on-isp-and-consumer-efforts-to-remove-mirai/

In this topic, researchers cooperate with operators to collect information about the infected Mirai devices from multiple data sources, and notify the owners of the infected devices in various ways to compare and analyze the disposal effect of users on the infected devices.

From the perspective of device type, the researchers divide the network segments of cooperative operators into three types according to their business. Among the devices that can be identified, the camera and router account for the highest proportion of the devices in the commercial network segment, and the NAS account for a large proportion of the devices in the domestic network segment.

It is worth mentioning that the method for researchers to collect data is to deploy traffic collection equipment in the idle IP segment owned by operators but not yet put into use to monitor the traffic of the whole idle network segment. The data adopted in this topic includes the traffic from 15 countries and 40 network segments covering about 300000 idle IP addresses. Researchers call it observations from Darknet. From here, we can see that the general dark network is slightly different from our usual cognition, but the main point is the same: the traffic accessing the dark network must be problematic.

Fig. 5 Dark net

After obtaining the observation data, the researchers cooperated with two European operators to conduct the pilot of Botnet mitigation measures. They selected 220 users from the IP addresses of the infected devices that were located in the operator's network, and notified the users of the following ways to repair the vulnerability:

a. Email alert.

b. Standard walled garden. Users can only access the operator's predefined white list websites, including windows update, anti-virus software home page, online banking and the elderly network community.

c. Improved walled garden. Based on the network white list, when the user access is blocked, the infection device repair suggestions provided by the researchers are additionally displayed.

Figure 6 timeline of the study

From the perspective of user experience, only half of the users in the e-mail experimental group received the e-mail, and 7.5% actively contacted the operator's customer service to inquire about the situation. In contrast, 47% of the people who were "disconnected" from the white list actively contacted customer service, and 60% were able to actively check the problem and take corresponding measures.

Figure 8 user feedback count under different disposal modes

In the process of the experiment, the experimenter also took measures to eliminate the interference, such as comparing the survival rate of infected equipment of different operators and network uses. For more detailed statistics and other conclusions of the researcher, we can refer to the Research Report of the same name of this topic.

This experiment not only achieved remarkable results, but also put forward higher requirements for the service quality of operators. Security is a game, but also a balance. Each solution has different choices, but in the era of rampant black and gray production, DDoS attacks and worms are related to network quality, which is also a big problem that operators need to face. On the road of network security, green alliance will go with you.

Content editor: Zhang Haoran, Gewu laboratory; responsible editor: Xiao Qing

Past review

Istio Series III: mixer, pilot component analysis practice

On the laws and regulations of data security and privacy protection

Graph embedding and dynamic graph anomaly detection

[recruitment] recruitment announcement of interns of Lvmeng science and Technology Innovation Center (long term effective)

The original article of the official account only represents the author's viewpoint and does not represent the position of the Green League. All original content copyright belongs to green alliance technology research communication. Without authorization, no media, WeChat official account is allowed to be copied, reproduced, excerpts or otherwise used. The reprint should be marked from the Green Alliance Technology Research Newsletter and attached to the link.

About us

Lvmeng technology research communication is operated by Lvmeng technology innovation center, which is the leading technology research department of Lvmeng technology. It includes Cloud Security Lab, security big data analysis lab and Internet of things Security Lab. The team members are composed of doctors and masters from Tsinghua University, Peking University, Harbin Institute of technology, Chinese Academy of Sciences, Beijing post and other key universities.

As one of the important training units of "post doctoral workstation sub station of Haidian Park of Zhongguancun Science and Technology Park", Lvmeng science and technology innovation center has carried out post doctoral joint training with Tsinghua University. The scientific research achievements have covered all kinds of national projects, national patents, national standards, high-level academic papers, professional books, etc.

We continue to explore the cutting-edge academic direction in the field of information security, starting from practice, combining the company's resources and advanced technology, to achieve a concept level prototype system, and then deliver product line incubation products and create huge economic value.

Long press the QR code above to follow us