We analyze the increasing threats against IoT devices. We show that Telnet-based attacks targeting IoT devices have surged since 2014. Based on this observation, we propose an IoT honeypot and sandbox that attracts and analyzes Telnet-based attacks against various IoT devices running on different CPU architectures such as ARM, MIPS, and PPC. By analyzing the observations of our honeypot and the captured malware samples, we show that there are currently at least 5 distinct DDoS malware families targeting Telnet-enabled IoT devices, and that one of these families has quickly evolved to target more devices, covering as many as 9 different CPU architectures.
This study proposes a search-engine-based approach for investigating zone-transfer misconfigurations at any level of the Domain Name System hierarchy without needing to look at the zone file. The analysis was conducted on 1,284 authoritative name servers of 314 top-level domains and 46,416 authoritative name servers of second-level domains under 249 country-code top-level domains. In the top-level domain investigation, 84 name servers authoritative for 53 top-level domains are misconfigured and allowed zone transfer to us. In the second-level domain investigation, 5,394 name servers authoritative for 6,234 second-level domains allow zone transfer. In particular, we found a serious misconfiguration case in which the misconfigured DNS server was authoritative not only for its TLD but also for SLDs and lower levels, exposing 83% of the country's DNS-related information to the public.
As the Domain Name System (DNS) provides flexibility and robustness in communications between hosts on the Internet, not only legitimate users but also attackers take advantage of it. If we know how attackers manage their malicious domains with authoritative name servers, it becomes possible to detect not only malicious domains but also malicious authoritative name servers. In this study, we present a novel method for detecting malicious "domains" (denoted d) and malicious "authoritative name servers" (denoted ns-d) based on their distinct mappings to "IP addresses" (denoted IP). Specifically, we present three features to detect them: 1) a single ns-d is mapped to many IP, 2) a single IP is mapped to many ns-d, and 3) a single IP is mapped to both ns-d and d. We evaluate the proposed method in terms of accuracy and coverage in detecting malicious d and ns-d. The evaluation shows that our detection method achieves a significantly low false-positive rate in detecting both malicious d and ns-d without relying on any prior knowledge such as blacklists or whitelists.