Security in the Internet, a 10000 Foot View

A 10,000 Foot View of Internet Security in 2017
Zakir Durumeric

Who am I?
I am joining the Stanford CS Department in Fall 2018. My research primarily focuses on empirical security, particularly improving network security through large-scale measurement. This includes building systems to perform large-scale data collection, uncovering vulnerabilities in how systems have been deployed in practice, and designing more secure protocols and systems.

Worsening Distributed Denial of Service (DDoS) Attacks

Devastating DDoS Attacks
In October 2016, DDoS attacks took DNS provider Dyn offline. Largest denial of service attack on public record (>600 Gbps).
Source: Dyn

Mirai: IoT Devices to Blame
[Figure: total Mirai scans observed per day by the network telescope, 08/01/16 to 02/01/17, broken down by scanned port: TCP/23, TCP/2323, TCP/22, TCP/80, TCP/443, TCP/2222, TCP/5555, TCP/6789, TCP/7547, TCP/8080, TCP/23231, TCP/37777.]
Peak: 600K+ infected devices. Steady state: 200-300K.
Understanding the Mirai Botnet, USENIX Security ’17

What Happened?
“It is possible, investigators say, that the attack on Dyn was conducted by a criminal group that wanted to extort the company. Or it could have been done by “hacktivists.” Or a foreign power that wanted to remind the United States of its vulnerability.”
Understanding the Mirai Botnet, USENIX Security ’17

Embarrassingly Bad Security
Mirai was possible because hundreds of thousands of devices used default logins and had trivial vulnerabilities.
Nearly every aspect of Mirai was poorly orchestrated; it used no modern malware techniques.
Dyn was taken offline by a handful of miscreants trying to attack a PlayStation game server.

Targeted IP      rDNS                      Passive DNS
208.78.70.5      ns1.p05.dynect.net        ns00.playstation.net
204.13.250.5     ns2.p05.dynect.net        ns01.playstation.net
208.78.71.5      ns3.p05.dynect.net        ns02.playstation.net
204.13.251.5     ns4.p05.dynect.net        ns03.playstation.net
198.107.156.219  service.playstation.net   ns05.playstation.net
216.115.91.57    service.playstation.net   ns06.playstation.net
Understanding the Mirai Botnet, USENIX Security ’17
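The per-port scan curves above are built by tallying telescope SYNs by day and port; as an added example (not code from the deck or the paper), the Python below does that tally over constructed telescope records. It assumes the fingerprint described in the Understanding the Mirai Botnet paper, which the slides do not state: Mirai's scanner sets the TCP sequence number equal to the destination IPv4 address, so probes from other scanners on the same ports can be separated out.

```python
from collections import defaultdict
from datetime import datetime
import ipaddress

# Constructed sample of network-telescope SYN records: "timestamp src dst dport seq".
# Assumption taken from the Mirai paper (not stated in the deck): Mirai's scanner
# sets the TCP sequence number equal to the destination IPv4 address. The fourth
# record is a non-Mirai telnet scanner and must be excluded by the fingerprint.
SAMPLE_SYNS = """\
2016-09-20T10:01:02 203.0.113.7 198.51.100.4 23 3325256708
2016-09-20T10:01:03 203.0.113.7 198.51.100.5 23 3325256709
2016-09-20T10:02:10 203.0.113.9 198.51.100.4 2323 3325256708
2016-09-20T10:05:00 203.0.113.11 198.51.100.9 23 3325256713
2016-09-20T11:00:00 192.0.2.55 198.51.100.4 23 123456789
2016-09-21T09:30:00 203.0.113.7 198.51.100.77 7547 3325256781
2016-09-21T09:31:00 203.0.113.10 198.51.100.4 80 3325256708
""".splitlines()


def is_mirai_syn(dst: str, seq: int) -> bool:
    """True when the SYN carries the Mirai fingerprint (seq == dst address as int)."""
    return int(ipaddress.IPv4Address(dst)) == seq


def parse_record(line: str):
    ts, src, dst, dport, seq = line.split()
    return datetime.fromisoformat(ts), src, dst, int(dport), int(seq)


def mirai_sources_by_day_and_port(lines):
    """Distinct Mirai-fingerprinted source IPs per (day, destination port).

    Counting distinct sources rather than raw SYNs approximates the number of
    infected devices scanning each port, which is what the deck's curves show.
    """
    seen = defaultdict(set)
    for line in lines:
        ts, src, dst, dport, seq = parse_record(line)
        if is_mirai_syn(dst, seq):
            seen[(ts.date().isoformat(), dport)].add(src)
    return {key: len(srcs) for key, srcs in seen.items()}


def mirai_port_totals(lines):
    """Distinct Mirai-fingerprinted sources per port across the whole window."""
    seen = defaultdict(set)
    for line in lines:
        _, src, dst, dport, seq = parse_record(line)
        if is_mirai_syn(dst, seq):
            seen[dport].add(src)
    return {port: len(srcs) for port, srcs in sorted(seen.items())}


if __name__ == "__main__":
    for (day, port), n in sorted(mirai_sources_by_day_and_port(SAMPLE_SYNS).items()):
        print(f"{day} TCP/{port}: {n} Mirai-fingerprinted source(s)")
```

On real telescope data the same tally run across the ports in the legend (TCP/23, TCP/2323, TCP/7547, and so on) reproduces the per-port curves; a sudden new port in the output is the signal the paper used to spot Mirai variants picking up new exploits.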
Moving Forward
[Figure: clusters of Mirai command-and-control domains (Clusters 0, 1, 2, 6, 7, 23), Understanding the Mirai Botnet, USENIX Security ’17.]
Mirai hasn’t gone away—fractured control—could easily return.
It will return unless there’s significant change.

IoT Security Beyond Mirai
Mirai is one example of poor security in a worrisome trend.
Second example: hundreds of thousands of embedded devices serve user data to the public over anonymous FTP. Data ranging from clinical medical records to HR and financial data is publicly available. Typically due to poor user interfaces, default credentials, and easy-to-find vulnerabilities.
FTP: The Forgotten Cloud, DSN’16

Malware, Infection, and Ransomware

A Thriving Underground Economy
“Pay Per Install”: compromised machines are a purchasable commodity. Allows multi-tenancy of machines for denial of service attacks, malicious hosting, spam, PII theft, and ad fraud.
Fill out a web form with the number of machines you need and payment, then upload your malware binary:
- 1000 U.S./Western Europe installs: $100-180
- 1000 less popular installs (mostly Asia): $7-8
Large providers see abusive traffic from tens of millions of abusive IPs on a daily basis.
Source: The Abuse Sharing Economy: Understanding the Limits of Threat Exchanges

DDoS For Hire: Booter/Stresser Services
DDoS has been commoditized:
• Enables non-sophisticated subscribers to extort, harass, and censor
• First major Mirai attack was taking down Brian Krebs’s blog
Popular services carry out 100Ks of attacks from 1Ks of subscribers. Accept PayPal, Bitcoin. $10-500 based on duration/intensity. Primarily amplification attacks that use misconfigured NTP, DNS, SIP.
Source: Understanding and Undermining the Business of DDoS Services

The Rise of Ransomware
Ransomware has become extremely popular—dwarfs other types of malware attacks.
Little change in distribution: phishing emails, social media scams.
Largest 2017 family (Cerber): ~7M USD
- Expansive affiliate program
Source: Unmasking the Ransomware Kingpins

Data Breaches and Mismanagement

Data Breaches
Constantly hearing about data breaches—Equifax, Anthem, eBay, Home Depot, Target, Adobe, Sony, Adult Friend Finder, OMB, …
Hard to detect root cause, but a few major problems:
- Network mismanagement
- Phishing
- Out of date software
  - 20% of Flash installs are vulnerable
  - 25% of browsers out of date
Source: Duo Trusted Access Report

Patching Behavior
[Figure: percentage of HTTPS hosts vulnerable to Heartbleed, 04/12 to 05/24, for Alexa Top 1 Million sites and the public IPv4 address space; y-axis 0-12%.]
Heartbleed—OpenSSL vulnerability allowed remote attackers to dump memory.
Massive publicity—likely best case patching scenario.
Patching plateaued with 30% of IPv4 hosts remaining vulnerable.
Today, 100K+ hosts remain vulnerable. Most are IoT devices.
The Matter of Heartbleed, IMC’14

Increased Data Collection
Many of the headlines are about financial data leaks
- Primary worry: identity theft
Hospitals, insurance providers are also commonly.