Logo PTI
Polish Information Processing Society
Logo FedCSIS

Annals of Computer Science and Information Systems, Volume 11

Proceedings of the 2017 Federated Conference on Computer Science and Information Systems

Analysis of DDoS-Capable IoT Malwares

, , ,

DOI: http://dx.doi.org/10.15439/2017F288

Citation: Proceedings of the 2017 Federated Conference on Computer Science and Information Systems, M. Ganzha, L. Maciaszek, M. Paprzycki (eds). ACSIS, Vol. 11, pages 807816 ()

Full text

Abstract. The Internet of Things (IoT) revolution promises to make our lives easier by providing cheap and always connected smart embedded devices, that can interact and exchange useful information in Internet, creating new values for human needs. But all that glitters is not gold. Indeed, the other side of the coin is that, from a security perspective, this IoT revolution represents a potential disaster. This plethora of IoT devices that flooded the market were very badly protected and were easy pray of several different families of malware, being turned to elements of very large botnets. This, eventually, brought back to the top Distributed Denial of Service (DDoS) attacks, making them more powerful and easier to achieve than ever. This paper aims at provide an up-to-date picture of the DDoS attack in the specific context of the IoT, studying how these attacks work, considering the most spread and effective malware families in the context IoT, in terms of their nature and evolution through the years. It also explores the additional offensive capabilities that the arsenal of recent IoT malware has available to mine the security of Internet users and systems. We think that this up-to-date picture will be a valuable reference to the scientific community in order to take a first crucial step to tackle this urgent security issue.


  1. A. Asosheh and N. Ramezani, “A comprehensive taxonomy of DDoS attacks and defense mechanism applying in a smart classification,” WSEAS Transactions on Computers, vol. 7, no. 4, pp. 281–290, 2008. [Online]. Available: https://goo.gl/K3lg7Z
  2. S. M. Specht and R. B. Lee, “Distributed Denial of Service: Taxonomies of attacks, tools, and countermeasures,” in ISCA PDCS, 2004, pp. 543–550. [Online]. Available: https://goo.gl/X4gpb7
  3. J. Mirkovic and P. Reiher, “A taxonomy of DDoS attack and DDoS defense mechanisms,” SIGCOMM Computer Communication Review, vol. 34, no. 2, pp. 39–53, April 2004. [Online]. Available: http://dx.doi.org/10.1145/997150.997156
  4. B. Gupta, R. C. Joshi, and M. Misra, “Defending against Distributed Denial of Service attacks: issues and challenges,” Information Security Journal: A Global Perspective, vol. 18, no. 5, pp. 224–247, 2009. [Online]. Available: http://dx.doi.org/10.1080/19393550903317070
  5. C. Douligeris and A. Mitrokotsa, “DDoS attacks and defense mechanisms: classification and state-of-the-art,” Computer Networks, vol. 44, no. 5, pp. 643–666, April 2004. [Online]. Available: http://dx.doi.org/10.1016/j.comnet.2003.10.003
  6. U. Tariq, M. Hong, and K.-s. Lhee, “A comprehensive categorization of DDoS attack and DDoS defense techniques,” in Advanced Data Mining and Applications: Second International Conference. Springer Berlin Heidelberg, 2006, pp. 1025–1036. [Online]. Available: http://dx.doi.org/10.1007/11811305_112
  7. A. Hussain, J. Heidemann, and C. Papadopoulos, “A framework for classifying Denial of Service attacks,” in Proceedings of the 2003 conference on applications, technologies, architectures, and protocols for computer communications, ser. SIGCOMM ’03. ACM, 2003, pp. 99–110. [Online]. Available: http://dx.doi.org/10.1145/863955.863968
  8. T. Peng, C. Leckie, and K. Ramamohanarao, “Survey of network-based defense mechanisms countering the DoS and DDoS problems,” ACM Computing Surveys, vol. 39, no. 1, p. 3, April 2007. [Online]. Available: http://dx.doi.org/10.1145/1216370.1216373
  9. E. Alomari, S. Manickam, B. Gupta, S. Karuppayah, and R. Alfaris, “Botnet-based Distributed Denial of Service (DDoS) attacks on web servers: classification and art,” arXiv preprint https://arxiv.org/abs/1208.0403, 2012. [Online]. Available: http://dx.doi.org/10.5120/7640-0724
  10. S. Specht and R. Lee, “Taxonomies of Distributed Denial of Service networks, attacks, tools and countermeasures,” Princeton University Technical Report CE-L2003-03, 2003. [Online]. Available: https://goo.gl/xsZ3n0
  11. RioRey Inc. (2014) Taxonomy of DDoS Attacks. [Online]. Available: https://goo.gl/P2BDq4
  12. K. Kumar, R. C. Joshi, and K. Singh, “An integrated approach for defending against distributed denial-of-service (DDoS) attacks,” IRISS-2006, pp. 1–6, 2006. [Online]. Available: https://goo.gl/hVfBcr
  13. G. Singn and M. Gupta, “Distributed Denial-of-Service,” in 3rd International Conference on Recent Trends in Engineering Science and Management, April 2016, pp. 1131–1139. [Online]. Available: https://goo.gl/lOvs9Q
  14. M. De Donno, N. Dragoni, A. Giaretta, and A. Spognardi, “A Taxonomy of Distributed Denial of Service Attacks,” in Proceedings of the International Conference on Information Society (i-Society’17). IEEE, 2017.
  15. V. Paxson, “An analysis of using reflectors for Distributed Denial-of-Service attacks,” ACM SIGCOMM Computer Communication Review, vol. 31, no. 3, pp. 38–47, July 2001. [Online]. Available: http://dx.doi.org/10.1145/505659.505664
  16. S. Gibson, “DRDoS : Description and analysis of a potent, increasingly prevalent, and worrisome internet attack,” Gibson Research Corporation, 2002. [Online]. Available: https://goo.gl/zH26gj
  17. S. T. Zargar, J. Joshi, and D. Tipper, “A survey of defense mechanisms against Distributed Denial of Service (DDoS) flooding attacks,” IEEE Communications Surveys & Tutorials, vol. 15, no. 4, pp. 2046–2069, 2013. [Online]. Available: http://dx.doi.org/10.1109/SURV.2013.031413.00127
  18. K. J. Houle and G. M. Weaver, “Trends in Denial of Service attack technology,” CERT Coordination Center, Tech. Rep., 2001. [Online]. Available: https://goo.gl/Py3U0D
  19. X. Luo and R. K. C. Chang, “On a new class of Pulsing Denial-of-Service attacks and the defense,” in NDSS Symposium 2005, February 2005. [Online]. Available: https://goo.gl/hmkSSF
  20. K. Park and H. Lee, “On the effectiveness of route-based packet filtering for Distributed DoS attack prevention in power-law internets,” in Proceedings of the 2001 Conference on Applications, Technologies, Architectures, and Protocols for Computer Communications, ser. SIGCOMM ’01. ACM, August 2001, pp. 15–26. [Online]. Available: http://dx.doi.org/10.1145/964723.383061
  21. J. Li, J. Mirkovic, M. Wang, P. Reiher, and L. Zhang, “SAVE: Source Address Validity Enforcement protocol,” in INFOCOM 2002. Twenty-First Annual Joint Conference of the IEEE Computer and Communications Societies. Proceedings. IEEE, vol. 3. IEEE, June 2002, pp. 1557–1566. [Online]. Available: http://dx.doi.org/10.1109/INFCOM.2002.1019407
  22. A. Chen, A. Sriraman, T. Vaidya, Y. Zhang, A. Haeberlen, B. T. Loo, L. T. X. Phan, M. Sherr, C. Shields, and W. Zhou, “Dispersing Asymmetric DDoS Attacks with SplitStack,” in Proceedings of the 15th ACM Workshop on Hot Topics in Networks, ser. HotNets ’16. New York, NY, USA: ACM, 2016, pp. 197–203.
  23. M. Janus, “Heads of the Hydra. Malware for Network Devices,” Securelist, 2011. [Online]. Available: https://securelist.com/analysis/publications/36396/heads-of-the-hydra-malware-for-network-devices/
  24. “Hydra irc bot, the 25 minute overview of the kit,” Insecurety Research, 2012. [Online]. Available: http://insecurety.net/?p=90
  25. “Warning - linux mint website hacked and isos replaced with backdoored operating system,” 2016. [Online]. Available: http://thehackernews.com/2016/02/linux-mint-hack.html
  26. “lightaidra 0x2012 (aidra),” Vierko.org, 2013. [Online]. Available: https://vierko.org/tech/lightaidra-0x2012/
  27. Akamai, “Spike ddos toolkit,” Akamai Technologies, Tech. Rep., 2014. [Online]. Available: https://www.akamai.com/us/en/multimedia/documents/state-of-the-internet/spike-ddos-toolkit-threat-advisory.pdf
  28. M. J. Bohio, “Analyzing a Backdoor/Bot for the MIPS Platform,” SANS Institute, Tech. Rep., 2015. [Online]. Available: https://www.sans.org/reading-room/whitepapers/malicious/analyzing-backdoor-bot-mips-platform-35902
  29. “MMD-0052-2016 - Overview of “SkidDDoS” ELF++ IRC Botnet,” MalwareMustDie! Blog, 2016. [Online]. Available: http://blog.malwaremustdie.org/2016/02/mmd-0052-2016-skidddos-elf-distribution.html
  30. “Linux/AES.DDoS: Router Malware Warning — Reversing an ARM arch ELF,” MalwareMustDie! Blog, 2014. [Online]. Available: http://blog.malwaremustdie.org/2014/09/reversing-arm-architecture-elf-elknot.html
  31. “Linux/XOR.DDoS : Fuzzy reversing a new China ELF,” MalwareMustDie! Blog, 2014. [Online]. Available: http://blog.malwaremustdie.org/2014/09/mmd-0028-2014-fuzzy-reversing-new-china.html
  32. Akamai, “Case Study: FastDNS Infrastructure battles Xor Botnet,” Akamai Technologies, Tech. Rep., 2015. [Online]. Available: https://www.akamai.com/us/en/multimedia/documents/state-of-the-internet/fast-dns-xor-botnet-case-study.pdf
  33. “Linux/luabot - iot botnet as service,” MalwareMustDie! Blog, 2016. [Online]. Available: http://blog.malwaremustdie.org/2016/09/mmd-0057-2016-new-elf-botnet-linuxluabot.html
  34. NSFOCUS DDoS Defense Research Lab and Threat Response Center (TRC), “2016 q3 report on ddos situation and trends,” NSFOCUS, Tech. Rep., 2016. [Online]. Available: http://www.spectrami.com/wp-content/files-mf/1482155162NSFOCUSQ3DDoSThreatReportFINAL.PDF
  35. “Meet Remaiten – a Linux bot on steroids targeting routers and potentially other IoT devices,” WeLiveSecurity, 2016. [Online]. Available: https://www.welivesecurity.com/2016/03/30/meet-remaiten-a-linux-bot-on-steroids-targeting-routers-and-potentially-other-iot-devices/
  36. “MMD-0059-2016 - Linux/IRCTelnet (new Aidra) - A DDoS botnet aims IoT w/ IPv6 ready,” MalwareMustDie! Blog, 2016. [Online]. Available: http://blog.malwaremustdie.org/2016/10/mmd-0059-2016-linuxirctelnet-new-ddos.html
  37. K. Angrishi, “Turning Internet of Things (IoT) into Internet of Vulnerabilities (IoV): IoT Botnets,” arXiv preprint, February 2017. [Online]. Available: https://arxiv.org/abs/1702.03681
  38. O. Klaba, “OVH suffers 1.1 Tbps DDoS attack,” SC Magazine UK, September 2016. [Online]. Available: https://goo.gl/IUfDQI
  39. R. Millman, “KrebsOnSecurity hit with record DDoS,” KrebsonSecurity Blog, September 2016. [Online]. Available: https://krebsonsecurity.com/2016/09/krebsonsecurity-hit-with-record-ddos/
  40. K. York, “Dyn statement on 10/21/2016 DDoS attack,” Dyn Blog, October 2016. [Online]. Available: http://dyn.com/blog/dyn-statement-on-10212016-ddos-attack/
  41. S. Hilton, “Dyn analysis summary of friday october 21 attack,” Dyn Blog, October 2016. [Online]. Available: http://dyn.com/blog/dyn-analysis-summary-of-friday-october-21-attack/
  42. S. Mansfield-Devine, “DDoS goes mainstream: how headline-grabbing attacks could make this threat an organisation’s biggest nightmare,” Network Security, vol. 2016, no. 11, pp. 7–13, November 2016.