
Understanding the Ecosystem of IoT DDoS services
Damon McCoy, New York University

Oct. 24th, 2019

Team Profile
- MINIONS: MitigatINg IOt-based DDoS attacks via DNS
- NYU Ph.D. students: Rasika Bhalerao and Maxwell Aliapoulios
- Dutch collaborators: Michel van Eeten, Carlos Ganan, Arman Noroozian, Elsa Turcios Rodriguez

Customer Need
- We lack tools to understand the structure and economics of IoT DDoS services and to monitor them.
- Such tools would help discover more efficient points for undermining these services.
- Potential customers: law enforcement and private security companies.
- Today there is no understanding of the structure and economics of IoT DDoS services, and monitoring is ad hoc.

Approach (Part 1)
- Automated techniques to discover DDoS services advertising on underground forums.
- Create trained natural language processing models to detect underground forum posts selling and buying DDoS services.
- Requires a manually labeled corpus of posts selling and buying DDoS services and a set of text features adapted to this problem.

Approach (Continued, Part 2)
- Automated methods to detect replies indicating that a member has purchased the product sold in a thread.
- Create a supervised natural language processing model to detect buy replies.
- Requires a manually labeled corpus of buying replies and text features adapted to this problem.

Approach (Continued, Part 3)
- Method to detect DDoS-related supply chains.
- Combination of the prior approaches and graph algorithms.
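The three approach steps feed one pipeline: the sell-post classifier labels each thread's product, the buy-reply model identifies which members purchased in it, and a graph over those trades exposes supply chains. As an added example (not the project's released code), the following Python builds that graph over constructed classifier output and reports members who bought an input product and also sell a DDoS service; the member names and product labels are assumed.

```python
from collections import defaultdict

# Constructed sample output of the two classifiers (not real forum data).
# One record per thread: the seller and the product label assigned to it.
THREADS = [
    {"id": 1, "seller": "botmaster", "product": "botnet"},
    {"id": 2, "seller": "hoster",    "product": "bulletproof_hosting"},
    {"id": 3, "seller": "stresser",  "product": "ddos_service"},
    {"id": 4, "seller": "other",     "product": "accounts"},
]
# One record per reply the buy-reply model flagged: who bought in which thread.
BUY_REPLIES = [
    {"thread": 1, "buyer": "stresser"},   # the DDoS seller bought a botnet
    {"thread": 2, "buyer": "stresser"},   # ...and bulletproof hosting
    {"thread": 3, "buyer": "customer1"},  # end customer of the DDoS service
    {"thread": 4, "buyer": "stresser"},   # another input; analysts judge relevance
    {"thread": 1, "buyer": "customer2"},
    {"thread": 3, "buyer": "stresser"},   # seller bumping own thread: not a trade
]


def build_trade_graph(threads, buy_replies):
    """Return (sells, buys): sells[member] is the set of products that member
    sells; buys[member] is the set of (product, supplier) pairs they bought."""
    by_id = {t["id"]: t for t in threads}
    sells, buys = defaultdict(set), defaultdict(set)
    for t in threads:
        sells[t["seller"]].add(t["product"])
    for r in buy_replies:
        t = by_id[r["thread"]]
        if r["buyer"] == t["seller"]:
            continue  # a seller replying in their own thread is not a purchase
        buys[r["buyer"]].add((t["product"], t["seller"]))
    return sells, buys


def find_supply_chains(threads, buy_replies, downstream="ddos_service"):
    """A supply-chain edge is a member who bought some product X and sells
    `downstream`: X is an input to their service. Returns sorted tuples
    (supplier, input_product, intermediary, downstream_product)."""
    sells, buys = build_trade_graph(threads, buy_replies)
    chains = set()
    for member, sold in sells.items():
        if downstream not in sold:
            continue
        for product, supplier in buys.get(member, ()):
            chains.add((supplier, product, member, downstream))
    return sorted(chains)


if __name__ == "__main__":
    for chain in find_supply_chains(THREADS, BUY_REPLIES):
        print(" -> ".join(chain))
```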

Benefits
- Automated DDoS service discovery and supply chain reconstruction, tasks that are often performed manually using ad hoc keyword searches.
- Benefit: provides a scalable solution that requires less manual effort and has improved recall.
- Risk: might need to be trained for each forum.

Competition/Alternatives
- Many companies offer keyword-based search portals that analysts and law enforcement use to discover DDoS services.
- Prone to false positives and false negatives, and requires domain knowledge to generate lists of keywords.
- Expensive and skilled-labor intensive.

Current Status (Part 1)
- Labeled data from two underground forums: Hack Forum (EN), AntiChat (RU).
- Built models to detect 14 types of products, including DDoS services.
- F1 scores range from 0.81-0.87 for the four models.
- Executed it over the entire forum and identified DDoS service sellers, buyers, and supply chains.

Current Status (Continued, Part 2)
- Published academic study at the IEEE eCrime Symposium: Mapping the Underground: Supervised Discovery of Cybercrime Supply Chains, Rasika Bhalerao, Maxwell Aliapoulios, Ilia Shumailov, Sadia Afroz, Damon McCoy, IEEE eCrime 2019.
- Fulfils the first NYU-led milestone.

Current Status (Continued, Part 3)
- Releasing code, annotations, models, and other artifacts required to reproduce the results.
- TU Delft/NYU collaboration on an economic study of bulletproof hosting, which relates to infrastructure used by IoT DDoS botnets.
- Published at USENIX Security 2019.

Current Status (Continued, Part 4)
- Working on exploring the economics and structure of IoT DDoS services, and on monitoring tools.

Transition/Completion Activities
- Flashpoint is working on implementing parts of our code in their production platform.
- Early access to results provided under a data sharing agreement.
- Dutch Police amended their case based on our findings on the bulletproof hoster.

Lessons Learned (Part 1)
- Many of the IoT DDoS services have switched to Telegram instead of underground forums; we need tools to analyze Telegram chat data.
- Manual labeling should be done on posts from the specific forum, and labels need to be updated every 2-3 months.

Lessons Learned (Continued, Part 2)
- Challenging to distinguish IoT-based from Virtual Private Server-based DDoS services.
- Weak connection to DNS, since many of the IoT botnets are not registering domains for their Command and Control servers.

Contact Info
Damon McCoy, New York University, mccoy@nyu.edu