# [A survey of DDoS attacking techniques and defence mechanisms in the IoT network](https://link.springer.com/article/10.1007/s11235-019-00599-z)
###### tags: `paper`
> Vishwakarma, R., Jain, A.K. A survey of DDoS attacking techniques and defence mechanisms in the IoT network. Telecommun Syst 73, 3–25 (2020). https://doi.org/10.1007/s11235-019-00599-z
## Overview
* IoT = a lot of things connected to the Internet
* DDoS = making a lot of computers send requests to a victim so that its services become unavailable
* A lot of things connected to the Internet = a lot of (mini) computers able to send requests = ideal recruits for an attacker
* More things connected to the Internet = a more convenient life, but also more, and larger-scale, DDoS attacks
* Thus we must find a way to mitigate the impact of DDoS attacks
## IoT Network

> Figure 1. IoT network layered architecture. ([source](https://ieeexplore.ieee.org/abstract/document/9372295))
### Layered architecture
* **Perception layer** (Edge Device Layer, Sensing Layer)
    * Collects data using sensing devices such as sensors, RFID readers, smart controllers, etc.
    * The data collected here must be put into a standardized form, since different protocols are used across the network
* **Network layer**
    * Data networking: responsible for the communication between the application and the edge devices
    * A wireless medium such as Bluetooth, Wi-Fi or Zigbee is used to carry the collected data
* **Data processing layer** (not mentioned in this article)
    * Analyses the data collected in the sensing layer to make data-driven decisions
    * Saves the results of previous analyses to improve the user experience
    * May share the results with other connected devices via the network layer
* **Application layer**
    * Applications that use IoT as a medium
    * Smart city, smart home, smart grid, etc.
### IoT vulnerabilities
* Lack of sufficient authentication and authorization
    * Default feeble passwords
    * Weak password retrieval systems
    * Insecurely protected credentials
    * Lack of granular access control
* Unreliable user interfaces
    * Weak login credentials
    * Plain-text credentials
    * Weak password retrieval systems
    * Absence of transport encryption
    * Insecure network services
* Susceptible network services
    * Privacy issues
    * Unreliable interfaces
    * Weak authentication
    * Insufficient transport encryption
    * Insecure network services
* Insufficient transport encryption/integrity verification
    * Lack of transport encryption
* Inadequate security configuration
    * Lack of granular permissions
    * Lack of encryption or password options
* Poor physical security
    * USB ports
    * Memory cards
    * Other peripheral/storage devices
### Facts about modern days DDoS attack on IoT network
* **More than 100% increase in the number of DDoS attacks** was observed in 2017 compared with the data recorded for the previous year.
* **86% of the attacks** launched in 2017 **were multi-vector**, i.e. composed of several of the possible variations of a DDoS attack, which makes them harder to identify and mitigate.
* Launching an attack has become as easy as a quick online search and as cheap as **5 dollars for 300 seconds of server downtime**.
* According to the data surveyed in 2018, **financial services, IT services/Cloud/SaaS and the telecom industry** turned out to be the most targeted industries.
* (Some facts are not listed; please refer to the article.)
## Botnet
* An IoT device turns into a **bot** when malicious software (malware) is installed on it by an attacker. Once turned into a bot, the device is under the control of the "**Master Bot Controller**".
* Repeating this infection creates millions of bots, which form a network known as a "**Botnet**".
* The mode of communication used by the Master Bot Controller can be **IRC (Internet Relay Chat) based**, **Peer-to-Peer based** or **HTTP based**.
    * IRC based botnets have a client–server architecture with default channels for communication
    * HTTP based botnets carry their command-and-control traffic over ordinary HTTP, so it blends in with legitimate web traffic and is harder to track and detect (the survey phrases this as HTTP "working on the bit level of the data being communicated")
    * (P2P based is not explained)
* A traditional botnet differs slightly from today's IoT botnets in reach and scope
    * Traditional botnets are only able to compromise a limited number of computer systems
    * IoT botnets are far more effective at targeting a large number of IoT devices, because these devices normally stay on and connected to the internet for much longer (almost 24/7/365)
* Once a botnet is formed, **every bot is instructed to send bogus packets to the targeted web server at the same time**, making the targeted server inaccessible (which is the **DDoS attack**).
### Some famous botnets
* **Mirai**
    * **A Linux based malware**
    * It is **responsible for the largest DDoS attack** recorded up to the time of the survey
    * Its **source code is openly available on the internet**, giving others the chance to improvise on the code
    * It carries 62–68 default username/password pairs that are used to **brute force the login** of devices exposing telnet
* **WireX**
    * Targets **CDNs** and content providers
    * It had compromised **thousands of Android devices** running applications that seemed legitimate but were actually malware
    * Google has already removed hundreds of applications containing the malware from a number of devices
* **Reaper**
    * Exploits numerous vulnerabilities present in IoT devices
    * Several well-known **routers** from Cisco Linksys, Netgear and D-Link, as well as internet-connected surveillance cameras, have been victims of this botnet
* **Torii**
    * Targets most of today's modern computers, smartphones and tablets, covering architectures such as x86-64, x86, ARM, MIPS, etc.
    * Like Mirai, it looks for an open telnet port to **break in through weak credentials**
    * It is more sophisticated than other IoT malware because of **its capability to download the payload that matches the architecture of the host it infects**
* **3ve (2018)**
    * The most sophisticated digital **[ad fraud](https://zh.wikipedia.org/zh-tw/%E5%BB%A3%E5%91%8A%E6%AC%BA%E8%A9%90)** scheme that has recently been shut down
    * It infected over **1.7 million PCs** to generate fake clicks that defrauded online advertisers for years, bringing in revenue of more than 10 million
    * It differed from other botnets in that it built its own botnet, created fake versions of both websites and visitors, hid its IP addresses behind proxies, hijacked Border Gateway Protocol (BGP) IP address ranges, and sold fraudulent ad inventory to advertisers to earn money
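Mirai and Torii both get in by cycling through a list of default telnet credentials, and that pattern is what a honeypot or a device's own login log can catch. The following is an added example for these notes (not code from the survey and not Mirai's scanner): it parses a constructed telnet-login log and flags any source that tries several distinct default pairs within a short window. The log format and the credential subset are assumptions for the example.

```python
"""Mirai-style default-credential brute force, seen from a telnet honeypot log.

Added example for these notes; it is not code from the survey and not Mirai's
own scanner. The log format is constructed for the example (ISO timestamp,
source IP, username, password, result); real honeypots such as Cowrie log
differently, so only the parser needs adapting. The credential pairs are a
small subset of the well-known defaults in Mirai's list, not the full table.
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Assumption: a subset of the default pairs Mirai tries; extend from the leaked table.
DEFAULT_CREDS = {
    ("root", "xc3511"), ("root", "vizxv"), ("root", "admin"),
    ("admin", "admin"), ("root", "888888"), ("root", "default"),
    ("support", "support"), ("user", "user"), ("admin", "password"),
}

# Constructed sample log: one Mirai-like scanner, one normal user, one stray attempt.
SAMPLE_LOG = """\
2019-09-01T10:00:01 203.0.113.7 root xc3511 fail
2019-09-01T10:00:01 203.0.113.7 root vizxv fail
2019-09-01T10:00:02 203.0.113.7 root admin fail
2019-09-01T10:00:02 203.0.113.7 admin admin fail
2019-09-01T10:00:03 203.0.113.7 root 888888 success
2019-09-01T10:05:00 198.51.100.2 alice s3cret-p@ss fail
2019-09-01T10:05:30 198.51.100.2 alice s3cret-p@ss success
2019-09-01T11:00:00 192.0.2.9 root admin fail
"""


def parse_line(line):
    """Split one log line into (timestamp, src_ip, user, password, result)."""
    ts, src, user, pwd, result = line.split(" ", 4)
    return datetime.fromisoformat(ts), src, user, pwd, result


def find_bruteforcers(log_text, window=timedelta(seconds=60), min_pairs=3):
    """Return {src_ip: default pairs tried} for every source that tries at
    least `min_pairs` distinct default credential pairs within `window`.
    A single default login is not suspicious; cycling through the list is."""
    attempts = defaultdict(list)
    for line in log_text.splitlines():
        if line.strip():
            ts, src, user, pwd, _ = parse_line(line)
            attempts[src].append((ts, (user, pwd)))

    flagged = {}
    for src, events in attempts.items():
        events.sort()
        start = 0
        for end in range(len(events)):
            # slide the window so that events[start:end+1] spans at most `window`
            while events[end][0] - events[start][0] > window:
                start += 1
            pairs = {cred for _, cred in events[start:end + 1] if cred in DEFAULT_CREDS}
            if len(pairs) >= min_pairs:
                flagged[src] = flagged.get(src, set()) | pairs
    return flagged


def default_logins(log_text):
    """(src_ip, user, password) for every successful login with a default pair:
    the honeypot just proved that pair is live somewhere on the scanner's list."""
    hits = set()
    for line in log_text.splitlines():
        if line.strip():
            _, src, user, pwd, result = parse_line(line)
            if result == "success" and (user, pwd) in DEFAULT_CREDS:
                hits.add((src, user, pwd))
    return hits


if __name__ == "__main__":
    for src, pairs in find_bruteforcers(SAMPLE_LOG).items():
        print(f"{src}: tried {len(pairs)} default pairs -> likely Mirai-style scanner")
    print("successful default logins:", default_logins(SAMPLE_LOG))
```

The threshold of three distinct default pairs in one minute separates a scanner from an administrator who mistypes a password, which is why a single `root/admin` attempt from `192.0.2.9` is not flagged. On a real device the fix is upstream of detection: change the default credentials and stop exposing telnet at all.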
## Taxonomy of DDoS attacks

> Figure 2. Taxonomy of DDoS attacks.
* Traditional DDoS attacks and DDoS attacks launched by IoT botnets do not differ much in method, but IoT-botnet DDoS attacks tend to be more complex and diverse, because IoT devices are numerous and heterogeneous.
    * For example: in a traditional DDoS attack the attacker controls too few machines, so it has to spoof source addresses when sending packets in order to hide its identity. In an IoT-based DDoS attack the attacker controls so many machines, and the IoT devices scattered everywhere do not reveal the attacker's origin, that source address spoofing can be skipped.
    * For example: different IoT devices may support different communication protocols; when an attacker holds a large number of devices supporting different protocols, they can all be used at the same time to launch different types of DDoS attack.
* Based on where in the IoT layered architecture the exploited vulnerability sits, attacks can be classified into the categories shown in Fig. 2.
* SYN flooding is the most common attack method.
* Linux hosts are exploited (as bots) at a far higher rate than other operating systems.
### Application layer attacks
* Attacks that abuse the way application-layer services work
* Application layer attacks target the application layer of the IoT network infrastructure: the application or web server is flooded with requests, and once its request-per-second capacity is exceeded packets start being dropped.
* **They are harder to detect**, since they tend to generate traffic **at a lower rate** and the requests generated **seem legitimate**.
* **HTTP flood attack**
    * HTTP GET flood: the bots send many HTTP GET requests to the victim server asking for images, files or other assets. The attack requests exhaust the server's resources, so legitimate requests are dropped.
    * HTTP POST flood: the bots send many HTTP POST requests to the victim server. To handle each of them the server usually has to do expensive work such as database lookups. Once the server's capacity is saturated, denial of service occurs.
    * [Learn more here](https://www.cloudflare.com/zh-tw/learning/ddos/http-flood-ddos-attack/)
* [**Domain name server (DNS) amplification attack**](https://link.springer.com/chapter/10.1007/978-3-540-89173-4_16)
    * The bots put a fake source address (the victim's address) in the DNS query.
    * The bots send these spoofed queries to (open) DNS servers.
    * The DNS servers send their responses to the victim.
    * **Since a DNS response is usually much larger than the DNS query, the attacker can cause severe congestion with relatively little query traffic**
    * Potentially, the adversary could consume the entire bandwidth of a T1 line by generating a few thousand responses.
    * [Learn more here](https://www.cloudflare.com/zh-tw/learning/ddos/dns-amplification-ddos-attack/)
* **Network time protocol (NTP) amplification attack**
    * Similar to the DNS amplification attack, but uses the NTP service instead of DNS to amplify the response size.
    * NTP is the protocol devices use to set their clocks to UTC. In old NTP server versions the `monlist` command is enabled by default; it returns the list of the last 600 hosts that connected to the server, a response much larger than the corresponding query.
    * The bots send many `monlist` requests with the victim's spoofed source address to NTP servers, which amplify and reflect the responses onto the victim server.
    * [Learn more here](https://www.cloudflare.com/zh-tw/learning/ddos/ntp-amplification-ddos-attack/)
    * [Case study](https://www.cc.ntu.edu.tw/chinese/epaper/0045/20180620_4509.html)
* Note that, although the survey files the DNS and NTP amplification attacks here because they abuse application-layer protocols, their effect on the victim is volumetric: it is the victim's link that fills up, not its application server.
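The four steps of the DNS amplification attack above, and the NTP variant, leave one signature in flow data: the victim receives far more bytes from port 53/123 than it ever sent to those ports. The following is an added example for these notes (not code from the survey): it computes the bandwidth amplification factor and runs that asymmetry check over constructed flow records. The five-tuple record shape, IP addresses and packet sizes are assumptions for the example, not measurements.

```python
"""Spotting reflection/amplification traffic in flow records.

Added example for these notes, not code from the survey. The flow records are
constructed five-tuples (src_ip, src_port, dst_ip, dst_port, bytes) for UDP
traffic, the kind of data a NetFlow/IPFIX export gives you. The check follows
the mechanism described above: the victim receives large DNS/NTP responses it
never asked for, so bytes arriving from port 53/123 dwarf the bytes the victim
itself sent to those services. The packet sizes are illustrative.
"""
from collections import defaultdict

REFLECTOR_PORTS = {53: "DNS", 123: "NTP"}

# Constructed flows. 192.0.2.10 sent one 64-byte DNS query but "receives"
# large responses from several resolvers and NTP servers it never contacted,
# because the bots spoofed 192.0.2.10 as the source of their queries.
FLOWS = [
    ("192.0.2.10", 40001, "198.51.100.53", 53, 64),       # legitimate query
    ("198.51.100.53", 53, "192.0.2.10", 40001, 120),      # its normal answer
    ("198.51.100.53", 53, "192.0.2.10", 4444, 3000),      # reflected DNS ANY answer
    ("198.51.100.54", 53, "192.0.2.10", 4444, 3000),
    ("203.0.113.123", 123, "192.0.2.10", 4444, 48000),    # reflected NTP monlist answer
    ("203.0.113.124", 123, "192.0.2.10", 4444, 48000),
    ("192.0.2.20", 50000, "203.0.113.123", 123, 48),      # unrelated host, normal NTP
    ("203.0.113.123", 123, "192.0.2.20", 50000, 48),
]


def amplification_factor(query_bytes, response_bytes):
    """Bandwidth amplification factor: bytes delivered to the victim for each
    byte the attacker had to send."""
    return response_bytes / query_bytes


def per_host_reflection(flows):
    """Per host: bytes it sent to DNS/NTP ports, bytes it got from those ports,
    and which servers those bytes came from."""
    sent = defaultdict(int)
    received = defaultdict(int)
    reflectors = defaultdict(set)
    for src, sport, dst, dport, size in flows:
        if dport in REFLECTOR_PORTS:
            sent[src] += size
        if sport in REFLECTOR_PORTS:
            received[dst] += size
            reflectors[dst].add((REFLECTOR_PORTS[sport], src))
    return sent, received, reflectors


def find_victims(flows, min_ratio=10.0, min_bytes=10_000):
    """Hosts receiving far more from reflector ports than they ever sent there.
    `min_bytes` keeps a single stray response from raising an alert."""
    sent, received, reflectors = per_host_reflection(flows)
    victims = {}
    for host, rx in received.items():
        tx = sent.get(host, 0)
        ratio = rx / tx if tx else float("inf")   # fully unsolicited traffic
        if rx >= min_bytes and ratio >= min_ratio:
            victims[host] = {"received": rx, "sent": tx, "ratio": ratio,
                             "reflectors": sorted(reflectors[host])}
    return victims


if __name__ == "__main__":
    print("DNS ANY BAF ~", amplification_factor(64, 3000))
    print("NTP monlist BAF ~", amplification_factor(234, 48000))
    for host, info in find_victims(FLOWS).items():
        print(f"{host}: {info['received']} B in vs {info['sent']} B out "
              f"(x{info['ratio']:.0f}) via {info['reflectors']}")
```

Detection like this tells the victim what is happening but cannot free its link; the fixes live elsewhere: the reflector operators disable `monlist` (`disable monitor` / `restrict default noquery` in `ntp.conf`) and rate-limit DNS responses, and the networks hosting the bots apply BCP38 anti-spoofing filtering so queries carrying the victim's address never leave.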
### Infrastructure layer attacks - Protocol-based attacks
> Figure 3. Distribution of different types of DDoS attacks in 2020 Q1.

* Attacks that can only be achieved by abusing the mechanism of a specific protocol
* Protocol-based attacks (or resource depletion attacks) consume the actual server resources as well as those of intermediate communication equipment such as firewalls and load balancers.
* **ACK and SYN flood attack**
    * The SYN flood abuses the [TCP three-way handshake](https://afteracademy.com/blog/what-is-a-tcp-3-way-handshake-process) used to establish a connection between the attacker and the target device. (An ACK flood instead sends ACK segments that belong to no existing connection, so the target wastes resources looking up a session that does not exist.)
    * The bots try to establish TCP connections with the victim server: they send a SYN, but never reply with the final ACK after receiving the server's SYN-ACK, leaving the connection half-open. Each half-open connection occupies an entry in the server's SYN backlog; once the backlog is full, new connections are refused and the denial of service occurs.
    * [This is the most common IoT DDoS attack](https://securelist.com/ddos-attacks-in-q1-2020/96837/) (refer to Fig. 3), since SYN flooding from millions of devices is difficult to mitigate.
    * [Learn more here](https://www.cloudflare.com/zh-tw/learning/ddos/syn-flood-ddos-attack/)
* **Ping of Death**
    * ==(The article says that the PoD attack is one of the **UDP fragment attacks**, but this doesn't seem to be true.)==
    * The bots send malformed ping requests to the victim. Each request is split into fragments that, once reassembled, exceed the maximum IP packet size of 65,535 bytes.
    * Some machines cannot handle such packets: the oversized reassembly eventually causes a buffer overflow or other errors on the victim, leading to denial of service.
    * [Learn more here](https://www.cloudflare.com/zh-tw/learning/ddos/ping-of-death-ddos-attack/)
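The SYN flood works because the server commits backlog memory on the first packet of the handshake. SYN cookies remove that commitment: the server encodes everything it needs into the SYN-ACK's sequence number and only allocates a connection when a valid final ACK comes back. The following is an added example for these notes (not code from the survey or from any kernel); it is a simplified model of the scheme, and the bit layout, hash and secret are assumptions for the example.

```python
"""SYN cookies: answering a SYN without keeping half-open state.

Added example for these notes, not code from the survey or from any kernel.
It is a simplified model of the SYN cookie scheme (the idea Linux enables with
net.ipv4.tcp_syncookies); the real kernel bit layout and hash differ. The
server encodes a keyed hash of the connection 4-tuple, a coarse time counter and
an MSS index into the initial sequence number (ISN) of its SYN-ACK. Only when a
final ACK arrives whose number - 1 is a valid cookie does it allocate state, so
a flood of SYNs that are never completed costs one HMAC each and no memory.
"""
import hashlib
import hmac

SECRET = b"constructed-example-secret"      # assumption: a random per-boot key in practice
MSS_TABLE = [536, 1220, 1440, 1460]         # index into common MSS values, fits in 3 bits


def _mac(tup, t, idx):
    """24-bit keyed hash over the 4-tuple, time counter and MSS index."""
    src, sport, dst, dport = tup
    msg = f"{src}:{sport}>{dst}:{dport}|{t}|{idx}".encode()
    return int.from_bytes(hmac.new(SECRET, msg, hashlib.sha256).digest()[:3], "big")


def make_cookie(tup, client_mss, minute):
    """ISN for the SYN-ACK: 5 bits of time counter, 3 bits of MSS index, 24 bits of MAC."""
    idx = max((i for i, m in enumerate(MSS_TABLE) if m <= client_mss), default=0)
    t = minute & 0x1F
    return (t << 27) | (idx << 24) | _mac(tup, t, idx)


def check_cookie(tup, ack, minute, max_age=2):
    """Return the MSS encoded in a valid cookie, or None. `ack` is the ACK
    number of the client's third segment, i.e. cookie + 1."""
    cookie = (ack - 1) & 0xFFFFFFFF
    t, idx, mac = cookie >> 27, (cookie >> 24) & 0x7, cookie & 0xFFFFFF
    if (minute - t) & 0x1F > max_age:          # too old: replaying a captured ACK fails
        return None
    expected = _mac(tup, t, idx)
    if not hmac.compare_digest(mac.to_bytes(3, "big"), expected.to_bytes(3, "big")):
        return None
    return MSS_TABLE[idx]


def handle_syn(tup, client_mss, minute):
    """Server side of the SYN: reply with SYN-ACK seq = cookie, keep no state."""
    return make_cookie(tup, client_mss, minute)


def handle_ack(established, tup, ack, minute):
    """Server side of the final ACK: connection state is created only now."""
    mss = check_cookie(tup, ack, minute)
    if mss is None:
        return False
    established[tup] = {"mss": mss}
    return True


def demo():
    """One honest client completes the handshake; 10,000 flood SYNs leave no trace."""
    established = {}
    legit = ("198.51.100.7", 50000, "192.0.2.1", 80)
    isn = handle_syn(legit, 1460, minute=100)
    ok = handle_ack(established, legit, (isn + 1) & 0xFFFFFFFF, minute=100)
    for i in range(10_000):                    # spoofed SYNs that never get an ACK
        handle_syn((f"203.0.113.{i % 254 + 1}", 1024 + i, "192.0.2.1", 80), 1460, minute=100)
    forged = handle_ack(established, ("203.0.113.5", 1030, "192.0.2.1", 80), 0x12345678, minute=100)
    stale = handle_ack(established, legit, (isn + 1) & 0xFFFFFFFF, minute=110)
    return {"legit": ok, "mss": established[legit]["mss"], "forged": forged,
            "stale": stale, "state_entries": len(established)}


if __name__ == "__main__":
    print(demo())
```

Two caveats carry over to the real thing. Cookies can only encode a few bits, so TCP options that do not fit are lost, which is why Linux only switches to cookies once the SYN backlog overflows (`net.ipv4.tcp_syncookies=1` together with a sensibly sized `net.ipv4.tcp_max_syn_backlog`). And cookies protect the server's memory, not its link: a flood large enough to saturate bandwidth still has to be filtered upstream.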
### Infrastructure layer attacks - Volume-based attacks
* No amplification, no reflection: attacks that simply flood the victim server with brute-force traffic volume
* Volumetric attacks (or bandwidth depletion attacks) saturate the bandwidth of the target system by generating excessive traffic, measured in bits per second (bps)
* These are the simplest to employ as they <span style="color: red; font-weight: bold">don't</span> use amplification and reflection techniques to launch the attack. (==The original says they do use amplification and reflection, which seems to be a mistake==)
* It has been studied that up to 65% of attacks are purely volume-based.
* **UDP flood attack**
    * The bots send bogus UDP packets to random ports on the victim server, asking for services that don't exist.
    * For each packet the victim has to check whether a service is listening on that port; when there is none, it has to send an ICMP destination unreachable packet back.
    * With enough bogus UDP packets this process overwhelms the victim server, and denial of service occurs.
    * [Learn more here](https://www.cloudflare.com/zh-tw/learning/ddos/udp-flood-ddos-attack/)
* **ICMP flood attack**
    * ==(The article says this attack is also known as the *smurf attack*, but the content described seems more like a **ping flood attack**.)==
    * When a machine receives a ping (ICMP echo request), it has to respond with an ICMP echo reply to the sender.
    * A large number of bots send huge amounts of ping requests to the victim server simultaneously, exhausting its resources and causing denial of service.
    * [Learn more here](https://www.cloudflare.com/zh-tw/learning/ddos/ping-icmp-flood-ddos-attack/)
### Zero-day DDoS attacks
* Unknown or new DDoS attacks that exploit vulnerabilities present in the system.
* Since the mechanism of such attacks is not yet understood, they are difficult to defend against and mitigate.
## Taxonomy of DDoS defense mechanisms

* Traditional DDoS defenses are applied on the target server and the conventional (basically homogeneous) systems. They can be further categorized into **mitigation-based defense mechanisms** and **detection-based defense mechanisms**.
* IoT-specific defenses are applied to the IoT devices that are vulnerable to several IoT threats. They can be further categorized into **malware detection defense mechanisms** and **prevention-based defense mechanisms**.
### Traditional defense mechanisms - Detection-based defenses
* Traditional detection-based defense is focused towards detecting **abnormal activity** either on the host or in the network.
* **Host-based** defense mechanism detects **the presence of malicious software** responsible for converting the host into a compromised host.
* **Network-based** defense mechanism detects **unusual network traffic** that leads to flooding in the network.
#### Network-based detection
* [**Learning automata based DDoS defense**](https://ieeexplore.ieee.org/abstract/document/6142307)
    * Please refer to the original paper if interested.
* [**Software defined networking based defense**](https://ieeexplore.ieee.org/abstract/document/7944950)
    * Please refer to [this note](https://hackmd.io/@kaeteyaruyo/B1BI-_E7o).
#### Host-based detection
* [**Honeypots based DDoS defense**](https://ieeexplore.ieee.org/abstract/document/7944057)
    * Please refer to the original paper if interested.
### Traditional defense mechanisms - Mitigation-based defenses
* Mitigation-based defense intends to **reduce the effect of flooding** of the network.
* [**Risk transfer mechanism-based defense**](https://ieeexplore.ieee.org/abstract/document/8355541)
    * Please refer to the original paper if interested.
* [**Blockchain based DDoS defense**](https://dl.acm.org/doi/abs/10.1145/3211933.3211946)
    * Please refer to the original paper if interested.
### IoT-Specific defense mechanisms - Malware detection defenses
* IoT-specific defense is focused on detecting **the intrusion by malware** that can result in the formation of IoT botnets.
* **Machine learning detection based DDoS defense models**
    * [Image training to detect IoT malware botnets](https://ieeexplore.ieee.org/abstract/document/8377943)
        * Please refer to [this note](https://hackmd.io/@kaeteyaruyo/HJSKeRkNi).
    * [An IoT middlebox with machine learning based detection](https://ieeexplore.ieee.org/abstract/document/8424629)
        * Please refer to the original paper if interested.
    * [Network based anomaly detection in IoT using deep learning](https://www.sciencedirect.com/science/article/abs/pii/S0167739X1732486X)
        * Please refer to the original paper if interested.
### IoT-Specific defense mechanisms - Prevention-based defenses
* Prevention-based defense aims at **avoiding any malicious intrusion into the IoT device** in the first place.
* [**IoT middleware based DDoS defense**](https://www.sciencedirect.com/science/article/pii/S1389128618301348)
    * Please refer to the original paper if interested.
### Some other DDoS defense approaches
* [**Communication security in internet of thing: preventive measure and avoid DDoS attack over IoT network**](https://dl.acm.org/doi/abs/10.5555/2872550.2872552)
    * Please refer to the original paper if interested.
* [**An Approach to Secure Internet of Things Against DDoS**](https://link.springer.com/chapter/10.1007/978-981-10-0135-2_36)
    * Please refer to the original paper if interested.
* [**DDoS-Capable IoT Malwares: Comparative Analysis and Mirai Investigation**](https://www.hindawi.com/journals/scn/2018/7178164/)
    * Please refer to the original paper if interested.
* [**A DDoS attack mitigation framework for internet of things**](https://ieeexplore.ieee.org/abstract/document/8286761)
    * Please refer to the original paper if interested.
## Comparative analysis of existing mechanisms
Please refer to the Table 3, Table 4 and Table 5 in the article.
## Open research issues and challenges
* **The realization of real-time scenarios of an IoT environment**
    * Many methods proposed by current research ignore the real-time nature of the IoT environment.
    * When designing a method, the constraints and vulnerabilities of IoT devices should be taken into account as far as possible, so that the method can cope with all kinds of scenarios.
* **Dependency on network conditions and other user parameters**
    * Defence methods should depend as little as possible on network quality or on how, and under what conditions, the network's users use it (user parameters).
* **Quantity and quality of datasets used**
    * For ML-based methods, reliability and performance depend heavily on the training dataset.
    * Ensuring the size and quality of DDoS-attack-related datasets is therefore especially important for developing these methods.
* **Lack of standardization in IoT framework**
    * There is still no standard architecture, defining how to organize and operate an IoT system, that all IoT vendors can refer to.
    * To understand the vulnerabilities of current IoT devices in depth, and to define a reliable standard for evaluating the performance of defence methods, a common architecture for IoT systems is indispensable.
* **Protocol-based detection for anomalies**
    * Most of the defence methods mentioned in this paper can only handle DDoS attacks launched over one specific communication protocol.
    * Because they depend on the mechanism of a specific protocol, these methods lack the flexibility to cope with other kinds of attack.
    * ==(But honestly I don't think this is a problem? Just like taking cough medicine for a cough and headache medicine for a headache, as long as it relieves the problem effectively, isn't it a good method?)==
* **Ability to detect and mitigate unknown attacks in IoT**
    * Whether current methods can cope with zero-day attacks is mostly still unknown, because we cannot predict in what form such attacks will arise and do harm, and we lack training data for them (where would data for something that has not happened come from?).
    * Future methods should also focus on applicability to unknown attacks, so that defences become more robust and flexible.
* **Cost effectivity with assurance on QoS**
    * When a defence method is to be applied on IoT devices, the cost of applying it becomes an important issue. After all, no matter how useful a method is, if applying it to IoT devices greatly increases their cost, nobody will pay for it, and it will be of no use.
    * While controlling cost, the product's QoS must not be affected either.
* **Complete protection**
    * Prevention is better than cure: a good defence method should not just be a means that can be applied to mitigate an attack when it arrives, but should minimize the probability of the system being compromised in the first place.
    * Some methods first assess the severity of an attack when the system is under attack, and then decide which defence method to apply.
    * Some methods also divide DDoS attacks into low-rate and high-rate categories (referring to the packet arrival rate during the attack) and apply different defence methods to each.
## Conclusion
Summary of the paper: omitted.