IMPROVED MIRAI BOT SCANNER SUMMATION ALGORITHM

Authors: Faisal A. Garba
Affiliation: Department of Computer Science EducationSa'adatu Rimi College of Education Kano, Nigeria

Category:

Keywords: Mirai, Internet of Things, botnet, Denial of Service Attack, cyber attack
ABSTRACT. Mirai is the most dangerous Distributed Denial of Service (DDoS)-capable IoT malware to date that is in the wild and yet very simple in nature. Mirai attack an array of Internet of Things (IoT) and embedded devices that ranges from Digital Video Recorders (DVRs), Internet Protocol (IP) cameras, routers and printers recruiting them to form a botnet. The biggest DDoS attack in history was executed using Mirai botnet. A recent study proposed the Mirai Bot Scanner Summation Prototype that analyzes the network traffic generated from Mirai bot host discovery. The Mirai Bot Scanner Summation Algorithm however, cannot recognize if a network traffic is truly Mirai bot host discovery traffic or not. Given any network traffic, the Mirai Bot Scanner Summation Prototype will proceed to summate and output number of bots, retransmission packets, number of packets and number of potential victim IoT devices using only the source Internet Protocol (IP) address and destination IP address of a packet without identifying if it is truly a Mirai bot host discovery packet or not. This paper present an Improved Mirai Bot Scanner Summation Algorithm that looks at the packet to determine whether it is a truly packet generated due to Mirai bot host discovery by looking at the TCP flag of the packet and the port number of the packet. To perform a host discovery Mirai bot sends out SYN packet over TELNET port 23 or 2323 to a randomly generated non-governmental IP addresses to establish a TCP 3-way handshake with a potentially vulnerable IoT device. The Improved Mirai Bot Scanner Summation Algorithm uses this condition to determine whether a packet is a Mirai bot host discovery packet or not. The Mirai Bot Scanner Summation Algorithm and the Improved Mirai Bot Scanner Summation Algorithm are evaluated using IoT Network Intrusion Dataset. The evaluation results have shown that the Improved Mirai Bot Scanner Summation Algorithm provides more accurate results than the Mirai Bot Scanner Summation Algorithm.

References:

1. A. Kumar and T. J. Lim, "Early Detection of Mirai-Like IoT Bots In Large-Scale Networks Through Sub-Sampled Packet Traffic Analysis," in Advances in Information and Communication. FICC 2019. Lecture Notes in Networks and Systems, San Francisco, CA, USA , 2020
2. C. Frank, "Mirai Bot Scanner Summation Prototype," Masters Theses & Doctoral Dissertations, 2019.
3. H. Kang, D. H. Ahn, G. M. Lee, J. D. Yoo, K. H. Park and H. K. Kim, "IoT network intrusion dataset," 09 September 2019. [Online]. Available: https://ieee-dataport.org/open-access/iot-network-intrusion-dataset.
4. K. Angrishi, "Turning Internet of Things(IoT) into Internet of Vulnerabilities (IoV) : IoT Botnets," arXiv, pp. 1-16, 2017.
5. K. York, "Read Dyn’s Statement on the 10/21/2016 DNS DDoS Attack," 2 October 2016. [Online]. Available: https://dyn.com/blog/dyn-statement-on-10212016-ddos-attack/.
6. M. Antonakakis, T. April, M. Bailey, M. Bernhard, E. Bursztein, J. Cochran, Z. Durumeric, A. J. Halderman, L. Invernizzi, M. Kallitsis, D. Kumar, C. Lever, Z. Ma, J. Mason, D. Menscher, C. Seaman, N. Sullivan, K. Thomas and Y. Zhou, "Understanding the Mirai Botnet," in 26th USENIX Security Symposium, Vancouver, BC, Canada, 2017.
7. M. De-Donno, N. Dragoni, A. Giaretta and A. Spognardi, "DDoS-Capable IoT Malwares: Comparative Analysis and Mirai Investigation," Hindawi Security and Communication Networks, pp. 1-30, 2018.
8. R. Chandel, "Nmap Scans using Hex Value of Flags," 31 January 2018. [Online]. Available: https://www.hackingarticles.in/nmap-scans-using-hex-value-flags/.
9. Y. Meidan, M. Bohadana, Y. Mathov, Y. Mirsky, D. Breitenbacher, A. Shabtai and Y. Elovici, "N-BaIoT: Network-based Detection of IoT Botnet Attacks Using Deep Autoencoders," IEEE PERVASIVE COMPUTING, vol. 13, no. 9, pp. 1 - 6, 2018.