Detecting IoT Devices in the Internet. Guo, H. & Heidemann, J. ACM/IEEE Transactions on Networking, October, 2020.

Distributed Denial-of-Service (DDoS) attacks launched from compromised Internet-of-Things (IoT) devices have shown how vulnerable the Internet is to large-scale DDoS attacks. To understand the risks of these attacks requires learning about these IoT devices: where are they? how many are there? how are they changing? This paper describes three new methods to find IoT devices on the Internet: server IP addresses in traffic, server names in DNS queries, and manufacturer information in TLS certificates. Our primary methods (IP addresses and DNS names) use knowledge of servers run by the manufacturers of these devices. Our third method uses TLS certificates obtained by active scanning. We have applied our algorithms to a number of observations. With our IP-based algorithm, we report detections from a university campus over 4 months and from traffic transiting an IXP over 10 days. We apply our DNS-based algorithm to traffic from 8 root DNS servers from 2013 to 2018 to study AS-level IoT deployment. We find substantial growth (about $3.5\times$) in AS penetration for 23 types of IoT devices and modest increase in device type density for ASes detected with these device types (at most 2 device types in 80% of these ASes in 2018). DNS also shows substantial growth in IoT deployment in residential households from 2013 to 2017. Our certificate-based algorithm finds 254k IP cameras and network video recorders from 199 countries around the world.

@Article{Guo20c,
author = "Hang Guo and John Heidemann",
title = "Detecting {IoT} Devices in the {Internet}",
journal = "ACM/IEEE Transactions on Networking",
institution = "USC/Information Sciences Institute",
year = 2020,
sortdate = "2020-07-29",
project = "ant, lacanic",
jsubject = "topology_modeling",
volume = "28",
number = "5",
doi = "https://dx.doi.org/10.1109/TNET.2020.3009425",
month = oct,
jlocation = "johnh: pafile",
keywords = "iot, detection, traffic analysis",
url = "https://ant.isi.edu/%7ejohnh/PAPERS/Guo20c.html",
pdfurl = "https://ant.isi.edu/%7ejohnh/PAPERS/Guo20c.pdf",
blogurl = "https://ant.isi.edu/blog/?p=1503",
abstract = "Distributed Denial-of-Service (DDoS) attacks launched from compromised
Internet-of-Things (IoT) devices have shown how vulnerable the
Internet is to large-scale DDoS attacks. To understand the risks of
these attacks requires learning about these IoT devices: where are
they? how many are there? how are they changing? This paper
describes three new methods to find IoT devices on the Internet:
server IP addresses in traffic, server names in DNS queries, and
manufacturer information in TLS certificates. Our primary methods (IP
addresses and DNS names) use knowledge of servers run by the
manufacturers of these devices. Our third method uses TLS
certificates obtained by active scanning. We have applied our
algorithms to a number of observations. With our IP-based algorithm,
we report detections from a university campus over 4 months and from
traffic transiting an IXP over 10 days. We apply our DNS-based
algorithm to traffic from 8 root DNS servers from 2013 to 2018 to
study AS-level IoT deployment. We find substantial
growth (about $3.5\times$) in AS penetration for 23 types of IoT devices and modest
increase in device type density for ASes detected with these device
types (at most 2 device types in 80\% of these ASes in 2018). DNS
also shows substantial growth in IoT deployment in residential
households from 2013 to 2017. Our certificate-based algorithm finds
254k IP cameras and network video recorders from 199 countries around
the world.",
}