John Heidemann / Papers / Detecting IoT Devices in the Internet (Extended)

Detecting IoT Devices in the Internet (Extended)
Hang Guo and John Heidemann

Citation

Hang Guo and John Heidemann. Detecting IoT Devices in the Internet (Extended). Technical Report ISI-TR-726B. USC/Information Sciences Institute. [PDF] [alt PDF]

Abstract

Distributed Denial-of-Service (DDoS) attacks launched from compromised Internet-of-Things (IoT) devices have shown how vulnerable the Internet is to large-scale DDoS attacks. To understand the risks of these attacks requires learning about these IoT devices: where are they? how many are there? how are they changing? This paper describes three new methods to find IoT devices on the Internet: server IP addresses in traffic, server names in DNS queries, and manufacturer information in TLS certificates. Our primary methods (IP addresses and DNS names) use knowledge of servers run by the manufacturers of these devices. We have developed these approaches with 10 device models from 7 vendors. Our third method uses TLS certificates obtained by active scanning. We have applied our algorithms to a number of observations. With our IP-based algorithm, we report detections from a university campus over 4 months and from traffic transiting an IXP over 10 days. We apply our DNS-based algorithm to traffic from 8 root DNS servers from 2013 to 2018 to study AS-level IoT deployment. We find substantial growth (about 3.5\times) in AS penetration for 23 types of IoT devices and modest increase in device type density for ASes detected with these device types (at most 2 device types in 80% of these ASes in 2018). DNS also shows substantial growth in IoT deployment in residential households from 2013 to 2017. Our certificate-based algorithm finds 254k IP cameras and network video recorders from 199 countries around the world.

Bibtex Citation

@techreport{Guo18c,
  author = {Guo, Hang and Heidemann, John},
  title = {Detecting IoT Devices in the Internet (Extended)},
  institution = {USC/Information Sciences Institute},
  year = {2018},
  sortdate = {2018-07-16},
  project = {ant, lacanic},
  jsubject = {topology_modeling},
  number = {ISI-TR-726B},
  note = {(updated March 2017 to 726B)},
  month = jul,
  jlocation = {johnh: pafile},
  keywords = {iot, detection, traffic analysis},
  url = {https://ant.isi.edu/%7ejohnh/PAPERS/Guo18c.html},
  pdfurl = {https://ant.isi.edu/%7ejohnh/PAPERS/Guo18c.pdf},
  blogurl = {https://ant.isi.edu/blog/?p=1216}
}
Copyright © by John Heidemann