Page 152 - CDM-CYBER-DEFENSE-eMAGAZINE-December-2018
Why keep a botnet army to ourselves when we can charge others for the use of the botnet? This has given rise to BaaS (Botnets-as-a-Service) and DaaS (DDoS-as-a-Service), where for a fraction of the cost of a bitcoin (as low as the equivalent of $50) anyone can launch large-scale DDoS attacks anonymously.
Many of these attacking devices were IoT. The most obvious conclusion here is that the owners of these devices were not aware that their devices had been infected and were being controlled by a cybercriminal. The longer these devices stay infected, the greater the opportunity to do more things, depending on the malware used. In some cases, the malware is self-updating. And worse, most users, even if they knew their system was infected, would have no idea how to remove the malware, if that is even possible.
But the question one must ask about recidivists is, are repeat offender IPs actually the same device? How certain are we that the 9 percent of previous DDoS attackers now attempting exploits are in fact the same systems? At first glance, one might wonder how they could not be the same, but most devices on the internet are assigned dynamic IP addresses from a subnet for a period of time. A lease of an IP address can range from a few minutes to several months (though typically seven days in the US for ISP and cellphone customers) depending on the environment. Usually, the lease of an online device is automatically renewed, thus letting it keep the same IP address. But what happens when a device is turned off or disconnected from the network when its lease expires?
Every cell phone has a dynamic IP address assigned to it. If the phone is turned off or roaming on another
network (where it gets a new IP address anyway), the IP address gets assigned to another device on the
network. So, the IP address a Samsung phone had last week may now belong to a Google Pixel or even
an iPhone. When the WireX malware was injected into over 300 Google Play apps last year, it was not
uncommon for many Android phones within a given area for a given provider to participate in DDoS
attacks for several weeks if not months. But the IP address of any given phone could have changed
during that time, making it difficult to prove a single cell phone participated in multiple attacks. In some
countries, privacy laws prohibit the review of carrier logs as IP addresses tied to cell phones could identify
a given user over time.
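The check the two paragraphs above call for, as an added example that is not part of the article: join each attack sighting against the provider's DHCP lease records and ask whether a repeat-offender IP was held by one device or by several. The lease-record layout, the device identifiers and the attack log lines are all constructed assumptions.

```python
from collections import defaultdict
from datetime import datetime

# Constructed DHCP lease records (assumed layout, not from the article):
# (device_id, ip, lease_start, lease_end). device_id stands in for whatever
# stable identifier the provider keeps, e.g. a MAC address or a fingerprint.
LEASES = [
    ("phone-A", "203.0.113.10", "2018-11-01T00:00", "2018-11-08T00:00"),
    ("phone-B", "203.0.113.10", "2018-11-08T00:00", "2018-11-15T00:00"),
    ("phone-C", "203.0.113.20", "2018-11-01T00:00", "2018-11-15T00:00"),
    ("phone-D", "203.0.113.30", "2018-11-01T00:00", "2018-11-08T00:00"),
]

# Constructed attack sightings: (timestamp, source_ip), as a DDoS mitigation
# service might log them. The IP .10 changed hands between its two sightings.
ATTACKS = [
    ("2018-11-03T12:00", "203.0.113.10"),
    ("2018-11-10T12:00", "203.0.113.10"),
    ("2018-11-04T09:00", "203.0.113.20"),
    ("2018-11-12T09:00", "203.0.113.20"),
    ("2018-11-02T09:00", "203.0.113.30"),
    ("2018-11-20T09:00", "203.0.113.30"),  # no lease on record at this time
]


def _ts(s):
    return datetime.strptime(s, "%Y-%m-%dT%H:%M")


def device_at(ip, when, leases=LEASES):
    """Return the device holding `ip` at time `when`, or None if no lease covers it."""
    t = _ts(when)
    for dev, lease_ip, start, end in leases:
        if lease_ip == ip and _ts(start) <= t < _ts(end):
            return dev
    return None


def classify_recidivists(attacks=ATTACKS, leases=LEASES):
    """For every IP seen in more than one attack, report whether the lease
    records tie all sightings to one device ("same"), to several
    ("different"), or leave a sighting unattributed ("unknown")."""
    sightings = defaultdict(list)
    for when, ip in attacks:
        sightings[ip].append(device_at(ip, when, leases))
    verdict = {}
    for ip, devs in sightings.items():
        if len(devs) < 2:
            continue  # seen once: not a recidivist IP
        if None in devs:
            verdict[ip] = "unknown"
        else:
            verdict[ip] = "same" if len(set(devs)) == 1 else "different"
    return verdict
```

Only an IP whose every sighting falls inside a lease held by one device counts as the same recidivist device; a lease that changed hands, or a sighting with no lease on record, cannot support that claim.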
So, what can be done to prove a given device participated in any given attack? Devices today are identified by a “fingerprint,” code or a script run on a device that can enumerate or show specific characteristics of that device, such as hardware type, OS type and version, etc. In most cases fingerprinting may not provide enough characteristics to uniquely identify a specific device, or the uniquely identifying information is not retained for privacy reasons.
Research is being done to develop technologies for accurate identification of individual devices that still maintain privacy. Some vendors are offering versions of these technologies now. The more widespread these technologies become, the easier it will be to locate and definitively identify recidivists and their attacks. Once we can do that, we can more accurately analyze and understand their attack patterns. This could help identify the source of the malware infection as well as potential future targets. More importantly, it could help providers develop remediation plans for customers, thus removing recidivist devices from the botnet ecosystem and reducing malicious traffic overall.
Until such time, it is the responsibility of the device owner to review the behavior of their internet-connected devices to see if there has been any potential malicious activity. Unfortunately, most people