3.5 Analysis of IoT Attack Sources
3.5.1 Participation of IoT Devices in DDoS Attacks
According to NSFOCUS’s IoT threat intelligence, some DDoS attacks are associated with IoT devices. By further analyzing the proportion of IoT devices in DDoS attack source IP addresses, we find that 3.14% are IoT devices. Although this proportion is relatively small, compared to the large base of DDoS attack source IP addresses, the threat of IoT device-based DDoS attacks cannot be overlooked.
We detected that the total number of IP addresses of abnormal IoT devices was 408,685 worldwide, accounting for 0.94% of global IoT devices. The number of IP addresses involved in IoT device-based DDoS attacks was 205,167, reaching 50.20% of the total number of IP addresses of abnormal IoT devices. As shown in Figure 3.29, among different types of IoT device-based attacks, DDoS attacks take up the largest proportion. It is thought that abnormal IoT devices are mainly exploited to launch DDoS attacks.
3.5.2 Geographic Distribution of IoT Devices Involved in DDoS Attacks
By analyzing the global distribution of IoT devices involved in DDoS attacks, we find that most of these devices are in China, with over 90,000 IP addresses identified. China, Russia, Vietnam, the USA, and Brazil are the top 5 countries housing the most IoT devices. It should be noted that NSFOCUS is aware that an IoT device may change IP addresses over time and are researching mechanisms to better fingerprint IoT devices in the future.
As shown in Figure 3.31, China had the most IP addresses belonging to IoT devices involved in DDoS attacks. If we narrow down the scope to China alone, Jiangsu, Shandong, Guangdong, and Zhejiang were top 4 provinces with the most IoT IP addresses.
In 2018, Guangdong, Jiangsu, Shandong, and Zhejiang boasted the most provincial Gross Domestic Product (GDP in China). According to NSFOCUS’s 2018 Annual IoT Cybersecurity Report, this has a lot to do with the popularity of IoT devices and the prosperity related to high technologies and services. In particular, economically developed provinces have the financial resources and motivation to procure and deploy IoT devices and related intelligent systems. The output value of the tertiary industry is an important part of their provincial GDP in Guangdong, Jiangsu, Shandong, and Zhejiang. Therefore, it makes sense that IoT device deployment tracks with their level of economic growth.
Thus, with the robust economic development in these provinces, the popularity of IoT devices improves accordingly, hence the increased number of IoT devices deployed in these provinces. As shown in Figure 3.30, DDoS attacks are the most frequent abnormal behavior for IoT security. Therefore, the more a region is economically developed and the more IoT devices it has, the more IoT device-based DDoS attacks it will both generate and suffer.
3.5.3 Distribution of IoT Device Types Involved in DDoS Attacks
Routers and cameras are the major targets of IoT device-based attacks. In 2018, many botnets exploited numerous medium & high router and camera vulnerabilities to penetrate these devices. For example, in February 2018, by exploiting CVE-2017-17215 and CVE-2014-8361 vulnerabilities, JenX11 infected Huawei HG532 routers and devices running Realtek SDK to form botnets. It was reported that at least 29,000 devices were controlled by JenX. The new botnet IoTroop12 emerging at the end of 2017 exploited partial Mirai code. Like Mirai, IoTroop targets network devices such as routers and cameras from TP-Link, Avtech, MikroTik, Linksys, Synology, and GoAhead. According to Insikt Group13, this botnet consists of infected MikroTik routers (80%) and other types of IoT devices (20%), including routers from Ubiquity, Cisco, and ZyXEL.
Regarding device types, the total number of IoT devices involved in DDoS attacks was more than 230,000. As we said, the predominant types were routers and cameras, accounting for more than 94%. This is consistent with the type distribution of IoT devices.
to be continued