Detecting IoT Devices in the Internet (Extended). Guo, H. & Heidemann, J. Technical Report ISI-TR-726B, USC/Information Sciences Institute, July, 2018. (updated March 2017 to 726B)
Distributed Denial-of-Service (DDoS) attacks launched from compromised Internet-of-Things (IoT) devices have shown how vulnerable the Internet is to large-scale DDoS attacks. To understand the risks of these attacks requires learning about these IoT devices: where are they? how many are there? how are they changing? This paper describes three new methods to find IoT devices on the Internet: server IP addresses in traffic, server names in DNS queries, and manufacturer information in TLS certificates. Our primary methods (IP addresses and DNS names) use knowledge of servers run by the manufacturers of these devices. We have developed these approaches with 10 device models from 7 vendors. Our third method uses TLS certificates obtained by active scanning. We have applied our algorithms to a number of observations. With our IP-based algorithm, we report detections from a university campus over 4 months and from traffic transiting an IXP over 10 days. We apply our DNS-based algorithm to traffic from 8 root DNS servers from 2013 to 2018 to study AS-level IoT deployment. We find substantial growth (about $3.5×$) in AS penetration for 23 types of IoT devices and modest increase in device type density for ASes detected with these device types (at most 2 device types in 80% of these ASes in 2018). DNS also shows substantial growth in IoT deployment in residential households from 2013 to 2017. Our certificate-based algorithm finds 254k IP cameras and network video recorders from 199 countries around the world.
@TechReport{Guo18c,
        author =        "Hang Guo and John Heidemann",
        title =         "Detecting IoT Devices in the Internet (Extended)",
	institution = 	"USC/Information Sciences Institute",
        year =          2018,
	sortdate = 		"2018-07-16", 
	project = "ant, lacanic",
	jsubject = "topology_modeling",
        number =     "ISI-TR-726B",
        note =     "(updated March 2017 to 726B)",
        month =      jul,
	jlocation = 	"johnh: pafile",
	keywords = 	"iot, detection, traffic analysis",
	url =		"https://ant.isi.edu/%7ejohnh/PAPERS/Guo18c.html",
	pdfurl =	"https://ant.isi.edu/%7ejohnh/PAPERS/Guo18c.pdf",
	blogurl = "https://ant.isi.edu/blog/?p=1216",
	abstract = "Distributed Denial-of-Service (DDoS) attacks launched from compromised
Internet-of-Things (IoT) devices have shown how vulnerable the
Internet is to large-scale DDoS attacks.  To understand the risks of
these attacks requires learning about these IoT devices:  where are
they? how many are there?  how are they changing?  This paper
describes three new methods to find IoT devices on the Internet:
server IP addresses in traffic, server names in DNS queries, and
manufacturer information in TLS certificates.  Our primary methods (IP
addresses and DNS names) use knowledge of servers run by the
manufacturers of these devices.  We have developed these approaches
with 10 device models from 7 vendors.  Our third method uses TLS
certificates obtained by active scanning.  We have applied our
algorithms to a number of observations.  With our IP-based algorithm,
we report detections from a university campus over 4 months and from
traffic transiting an IXP over 10 days.  We apply our DNS-based
algorithm to traffic from 8 root DNS servers from 2013 to 2018 to
study AS-level IoT deployment.  We find substantial growth (about
$3.5\times$) in AS penetration for 23 types of IoT devices and modest
increase in device type density for ASes detected with these device
types (at most 2 device types in 80\% of these ASes in 2018).  DNS
also shows substantial growth in IoT deployment in residential
households from 2013 to 2017.  Our certificate-based algorithm finds
254k IP cameras and network video recorders from 199 countries around
the world.
",
}
