July 28, 2017

Attn: Evelyn L. Remaley
Deputy Associate Administrator
National Telecommunications and Information Administration
U.S. Department of Commerce
1401 Constitution Avenue NW, Room 4725, Washington, D.C. 20230

RE: Docket No. 170602536-7536-01

Dear Evelyn,

On behalf of the CSCC, we would ask that the attached Industry Technical White Paper the CSCC released on July 17, 2017, be included as part of the record in the above proceeding.

Sincerely,

Robert Mayer
USTelecom Association
Vice President, Industry and State Affairs

Kathryn Condello
CenturyLink
Director, National Security/Emergency Preparedness


Industry Technical White Paper

ABSTRACT

On May 11, 2017 President Trump signed Executive Order 13800, Strengthening the Cybersecurity of Federal Networks and Critical Infrastructure, tasking the Department of Commerce and the Department of Homeland Security to lead an open and transparent process to identify ways to improve the resilience of the internet and communications ecosystem and reduce the threats perpetuated by botnets, particularly distributed denial of service attacks. In this technical white paper, the communications sector describes the botnet problem from the perspective of internet service providers (ISPs), identifies some challenges and opportunities, and then proposes several preliminary recommendations or actionable steps that ecosystem participants, including ISPs, should consider to mitigate the threats associated with botnets and automated attacks.

Communications Sector Coordinating Council

July 17, 2017


Communications Sector Coordinating Council | www.comms-scc.org

Table of Contents

Executive Summary ..... 1
Internet Ecosystem and Communications Sector ..... 3
Bots, Botnets and Associated Threats ..... 7
Current Tools and Techniques ..... 14
Emerging Solutions ..... 18
Challenges and Opportunities ..... 21
Industry Recommendations ..... 29
Conclusion ..... 31
Appendix A - Cyber Threat Reports ..... i
Appendix B – Threats from Botnets ..... iv
Glossary ..... vi


Executive Summary

A bot is a code used to seize control over a computer or a device to form a network of infected machines, known as a botnet. Many botnets are self-spreading and self-organizing networks of compromised machines that can be used to perform malicious activities in a coordinated way through command and control (C&C) channels. While bots are not new, the growing deployment of Internet of Things (IoT) devices amplifies their capability to create a large-scale global security threat.

In recognition of this growing global threat, on May 11, 2017, President Trump signed Executive Order 13800, Strengthening the Cybersecurity of Federal Networks and Critical Infrastructure,[1] tasking the Department of Commerce (DoC) and the Department of Homeland Security (DHS) to lead an open and transparent process to identify ways to improve the resilience of the internet and communications ecosystem and reduce the threats perpetuated by bots and botnets.

In this technical white paper, the communications sector, specifically internet service providers (ISPs) in this context, seeks to inform that process by describing the shared responsibilities of key participants in the internet ecosystem for mitigating the threats posed by botnets. It is a fallacy to believe that any single component of the internet ecosystem has the ability to mitigate the threat from botnets and other automated systems. While ISPs, as infrastructure owners and operators, play an important role in this ecosystem, so do the manufacturers of devices, developers of software, system integrators, edge providers, cloud service providers, and others. It will take the concerted effort of all members of this ecosystem to address fully the threats from bots and botnets.

The internet ecosystem has been working collaboratively to neutralize the threats from bots and botnets for years. In this paper, the Communications Sector Coordinating Council (CSCC) identifies a number of challenges of mitigating botnets, and opportunities for increased collaboration and cooperation among members of the internet ecosystem to address the problem including:

• Improving the efficiency of law enforcement process to take down botnets;

[1] The White House Office of the Press Secretary, Presidential Executive Order on Strengthening the Cybersecurity of Federal Networks and Critical Infrastructure (May 11, 2017), available at https://www.whitehouse.gov/the-press-office/2017/05/11/presidential-executive-order-strengthening-cybersecurity-federal.


• Sharing of actionable cyber threat information;
• Reducing the dependency upon the use of network address translation (NAT) functions;
• Mitigating botnet traffic from foreign countries;
• Managing end-user notifications of malware infections;
• Defending against unsecured IoT devices;
• Combatting the use of fast flux domain name server (DNS) by botnets to hide their infrastructure; and
• Coordinating network-to-network network management.

As part of DoC and DHS's open and transparent process, the CSCC also proposes the following preliminary recommendations or actionable steps that ecosystem participants, including ISPs, should consider to mitigate the threats associated with bots, botnets, and automated attacks:

• Streamline the law enforcement process to take down botnets;
• Encourage continued migration to IPv6;
• Ensure that shared cyber threat information is actionable and tailored to meet recipients' needs;
• Network operators and end-users should include pre-negotiated provisions for traffic filtering in transit and peering agreements;
• Encourage the Internet Corporation for Assigned Names and Numbers (ICANN), registries, and registrars to adopt the fast flux mitigation techniques recommended by the Security and Stability Advisory Committee (SSAC);
• Improve botnet detection by encouraging the adoption and use of machine learning techniques;
• Ensure all end-points including IoT devices adhere to industry developed security standards;
• Ensure end-points are running up-to-date software; and
• IoT devices should use network isolation and/or network based filtering techniques for any communications to cloud-based services.


Internet Ecosystem and Communications Sector

The ecosystem supporting the internet, including the members of the communications sector providing internet access services, is complex, diverse, and inter-dependent. To fully understand the threats that botnets pose, it is important to understand the ecosystem and stakeholders' relationships. This section provides a summary of the internet ecosystem and explains how the communications sector fits into the broader internet ecosystem in protecting critical infrastructure from threats from bots and botnets.

Internet Ecosystem

The internet ecosystem is a diverse, highly integrated system comprised of many stakeholders. The Internet Society (ISOC) describes the broad internet ecosystem as being made up of six primary communities as shown below.[2]

[2] Internet Society, Who Makes the Internet Work: The Internet Ecosystem (Feb. 3, 2014), available at http://www.internetsociety.org/who-makes-internet-work-internet-ecosystem (accessed July 16, 2017).


Figure 1: Internet Ecosystem (Source: Internet Society)

The network operators, which are part of the communications sector, provide the "Shared Global Services and Operations" shown in Figure 1. When viewed solely from the network perspective, the internet ecosystem looks more like Figure 2.


Figure 2: Network View of Internet Ecosystem

In this context, the internet ecosystem is comprised of many machines/devices (e.g., smartphones, desktop computers, IoT devices, etc.) that connect to network service providers. The network service providers use a combination of transit and peering[3] to provide internet connectivity to service creators (e.g., hosting, ecommerce, social media, enterprises, etc.). Many of the service creators are cloud-based, meaning that they operate a network of machines working together to provide a service. All of the parts work together to provide what is commonly referred to as the internet.

Communications Sector

Owners and operators of communications infrastructure (broadcast, cable, satellite, wireless, and wireline) comprise the communications sector. The communications sector is one of the 16 Critical Infrastructure/Key Resource (CI/KR) sectors identified in the DHS National Infrastructure Protection Plan (NIPP). This sector includes the network operators that provide internet access services. As part of a public/private partnership with DHS, the communications sector utilizes the Communications Sector Coordination Council (CSCC) and the Communications Information

[3] Note: There is a glossary in Appendix B that provides more information on the technical terms used in this document.


Sharing and Analysis Center (Comm-ISAC) to help secure the communications networks CI/KR from harm.

The communications sector has a long history of cooperation within its membership and with federal government with respect to national security and emergency preparedness. This history distinguishes the communications sector from most other critical sectors identified in the National Infrastructure Protection Plan (NIPP). The sector exemplifies cooperation and trusted relationships that have resulted in the delivery of critical services when emergencies and disasters occur. This strong bond exists largely because of three organizations that have been created in response to earlier threats to the nation's critical infrastructure.

Policy - The National Security Telecommunications Advisory Committee (NSTAC). The NSTAC (wwwncs.gov/nstac/nstachtml) was created in 1982 by Executive Order 12382. It provides a highly successful example of how industry helps direct government decisions around national security and emergency preparedness communications (NS/EP). NSTAC is comprised of up to 30 chief executives from major telecommunications companies, network service providers, and information technology, finance, and aerospace companies. Through a deliberative process, they provide the President with recommendations intended to assure vital telecommunications links through any event or crisis, and to help the U.S. Government maintain a reliable, secure, and resilient national communications posture. Key areas of NSTAC focus include: strengthening national security; enhancing cybersecurity; maintaining the global communications infrastructure; assuring communications for disaster response; and addressing critical infrastructure interdependencies.

Planning - Communications Sector Coordinating Council (CSCC). The CSCC was chartered in 2005 in order to: help coordinate initiatives to improve the physical and cyber security of sector assets; ease the flow of information within the sector, across sectors and with designated Federal agencies; and address issues related to response and recovery following an incident or event. The more than 40 members of the CSCC broadly represent the sector and include cable providers, commercial and public broadcasters, information service providers, satellite providers, undersea cable providers, utility telecom providers, service integrators, equipment vendors, and wireless and wireline owners and operators and their respective trade associations.

Operations - National Coordinating Center for Telecommunications (NCC)


Communications Information Sharing and Analysis Center (Comm-ISAC). In 1982, federal government and telecommunications industry officials identified the need for a joint mechanism to coordinate the initiation and restoration of national security and emergency preparedness telecommunications services. In 1984, Executive Order 12472 created the NCC. This organization's unique partnership between industry and government advances collaboration on operational issues on a 24X7 basis and coordinates NS/EP responses in times of crisis. Since 2000, the NCC's Communications Information Sharing and Analysis Center (Comm-ISAC), comprised of 51 industry member companies, has facilitated the exchange of information among government and industry participants regarding vulnerabilities, threats, intrusions, and anomalies affecting the telecommunications infrastructure. Industry and government representatives meet weekly to share threat and incident information. During emergencies, industry and government representatives involved with the response efforts meet daily, or even more frequently.

Bots, Botnets, and Associated Threats

Bot – a program that is installed on a system in order to enable that system to automatically (or semi-automatically) perform a task or set of tasks typically under the command and control of a remote administrator (aka botmaster or bot herder).[4]

Botnet – a network of internet-connected end-user computing devices infected with bot malware and are remotely controlled by third parties for nefarious purposes.[5]

Bots are not a new phenomenon. It is important to note that not all bots are bad, and not all botnets are used for nefarious purposes. There are some good bots in environments like gaming and Internet Relay Chat (IRC). However, for the purposes of this paper, all mentions of bots and botnets will assume they are malicious or potentially malicious in nature.

A "botnet" is a network of bots working together with the capability of acting on instructions generated remotely. A typical botnet may range from a few thousand bots to hundreds of

[4] Federal Communications Commission (FCC), Communications Security Reliability and Interoperability Council (CSRIC) III, U.S. Anti-Bot Code of Conduct (ABCs) for Internet Service Providers (Mar. 2012), available at https://transition.fcc.gov/bureaus/pshs/advisory/csric3/CSRIC-III-WG7-Final-ReportFinal.pdf (accessed June 20, 2017).
[5] Id.


thousands or even millions of bots. Bots and botnets are highly customizable and can be programmed to do many things, including: theft of personal and other sensitive information, spam, email address harvesting, distributed denial of service (DDoS) attacks, key-logging, hosting illegal content, and click fraud. These types of cyber-attacks are described in greater detail later in this paper.

Early bots used IRC to communicate to their C&C servers. Over time, bots and botnets have grown more sophisticated. For instance, bots and botnets have been made more resilient by incorporating peer-to-peer (P2P) architectures and protocols; domain name generating algorithms; hypertext transfer protocol (HTTP) to specific uniform resource locators (URL) within legitimate websites; sophisticated, hierarchical C&C infrastructures; and encryption. Each of these improvements has made it more difficult to identify and isolate bad traffic from legitimate network traffic.

Historically, bots infected desktop computers and servers, resulting in eventual detection and removal using antivirus software. In contrast, IoT devices often do not have a user interface (UI); are designed to run autonomously; and are connected either directly or indirectly to the internet. These devices do not lend themselves well to some traditional security protections. They may connect to the internet without a firewall and are usually placed on the same local area network (LAN) segment as other higher value targets. They are unlikely to run anti-virus software. In addition, they may be considered a low security risk since they are low cost and only process seemingly innocuous data. However, IoT devices are actually enticing targets for exploitation, as the devices provide computing power that can be utilized by bad actors, typically unnoticed by the owners, and are often "install and forget" equipment.

Large networks of IoT devices can become compromised by bots when connected to high-speed internet connections, which can cause significant damage. The October 2016 Mirai botnet DDoS attack against DNS provider Dyn is one of the more recent examples. The Mirai botnet exploited weak security in many IoT devices by continuously scanning the internet, looking for more IoT devices that were protected by factory default or hard coded usernames and passwords.[6] As the Mirai botnet discovered vulnerable IoT devices, it loaded its malware onto the devices and began communicating with the C&C servers awaiting instructions. The Mirai botnet then was

[6] Symantec Security Response, Mirai: what you need to know about the botnet behind recent major DDoS attacks, Symantec Official Blog (Oct. 27, 2016), available at https://www.symantec.com/connect/blogs/mirai-what-you-need-know-about-botnet-behind-recent-major-ddos-attacks (accessed June 20, 2017).


used to launch a large-scale DDoS attack against Dyn by instructing each infected device to flood the Dyn DNS servers with a high volume of packets using the DNS service destination port (user datagram protocol (UDP) port 53) as well as flooding authoritative servers with numerous requests for invalid domain names.[7] The attack prevented a number of Dyn's customers from being able to access domain names served by Dyn DNS during the attack.

The Dyn attack was not an isolated incident. The peak attack size increased dramatically in a short period of time, rising from 500 Gbps in 2015 to 800 Gbps in 2016.[8] The KrebsonSecurity site was also hit by an attack in September 2016, which reached 620 Gbps. In fact, the Mirai botnet and other IoT botnets were in existence for some time prior to these attacks and generally used for performing smaller DDoS attacks.

Botnet Threats

As described above, bots and botnets are highly customizable, and as a result, can be programmed to do many beneficial things on the internet. However, they are often, and increasingly, used for nefarious activities such as the types of attacks listed below.

• DDoS attacks;
• Data theft;
• Illicit content distribution;
• Brute force password guessing;
• Processing theft;
• Click fraud;
• Email spam; and
• Unauthorized gateway.

The remainder of this section, however, will focus on DDoS attacks. Descriptions of the other types of attacks listed above can be found in Appendix B.

[7] Scott Hamilton, Dyn Analysis Summary Of Friday October 21 Attack, Dyn Blog (Oct. 26, 2016), available at http://dyn.com/blog/dyn-analysis-summary-of-friday-october-21-attack/ (accessed June 20, 2017).
[8] Arbor Networks, 12th Annual Worldwide Infrastructure Security Report, Arbor Networks Special Report Vol. XII (2016), at p. 21, available at https://pages.arbornetworks.com/rs/082-KNA-087/images/12th_Worldwide_Infrastructure_Security_Report.pdf (accessed June 30, 2017).


DDoS attacks – a highly prevalent form of attack perpetrated by botnets – illustrate some of the many challenges of preventing attacks, as well as of preventing bots from compromising end-points.

DDoS attacks can be broken into four main categories:[9]

• Volumetric;
• Application/resource;
• State exhaustion; and
• Control plane.

Volumetric DDoS attacks consist of hundreds to hundreds of thousands of bots flooding the victim with packets, resulting in denial of the service to others. The attacks can be direct, where the bots send the packets addressed directly to the victim either with their own source IP address or a spoofed source IP address. Indirect attacks leverage a technique known as a reflective amplification attack, in which bots spoof the source IP address to be that of the intended attack target.[10] The bots then send request packets to other services such as DNS, Character Generator Protocol (chargen), or Simple Service Discovery Protocol (SSDP) to trick the services to send responses toward the victim. Indirect or reflection attacks are often crafted to cause the service to send a response that is much larger than the bot's initial request, resulting in an amplification attack. In some circumstances, the amplifications can be thousands of times greater than the bots' initial request packets.

Application attacks tend to be lower volume traffic attacks than volumetric attacks. They are characterized by bots sending legitimate-looking application-level requests to a system to consume resources (e.g., CPU, disk access, database lookups, etc.) and overwhelm the system, thereby preventing others from accessing it.

State exhaustion attacks leverage the fact that devices like servers, firewalls, and intrusion detection systems have limited capabilities to track the state of concurrent transactions. The

[9] FCC CSRIC IV, Remediation of Server-Based DDoS Attacks Final Report (Sept. 2014), available at https://transition.fcc.gov/pshs/advisory/csric4/CSRIC_IV_WG5_Remediation_of_Server-Based_DDoS_Attacks_Report_Final_(pdf)_V11.pdf (accessed June 20, 2017).
[10] Messaging, Malware and Mobile Anti-Abuse Working Group, M3AAWG Introduction to Reflective DDoS Attacks (May 2017), available at https://www.m3aawg.org/sites/default/files/m3aawg-reflective-ddos-attack-intro.pdf (accessed June 20, 2017).


bots leverage this limitation and consume all the state capabilities by opening many connections and not fully continuing those connections to completion.

Control plane attacks leverage the limitations of the internet protocols such as the Border Gateway Protocol[11] (BGP), IPv6,[12] and DNS protocol.[13]
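As an added illustration of the reflective amplification pattern described under the volumetric category (example code, not part of the CSCC paper), the following Python flags hosts that receive reflected UDP responses from many reflectors without having sent matching requests; the flow record format, the addresses, and the thresholds are all constructed assumptions.

```python
"""Flag reflective amplification floods in constructed NetFlow-style records.

Defender-side view from an ISP edge: a reflection victim receives UDP
responses (source port = service port) from many reflectors without having
sent the requests, because bots sent them with the victim's spoofed address.
"""
from collections import defaultdict
from dataclasses import dataclass

# UDP services the paper names as reflectors: DNS, chargen, SSDP, NTP.
REFLECTOR_PORTS = {53: "DNS", 19: "chargen", 1900: "SSDP", 123: "NTP"}

# Constructed sample records: "src:port dst:port proto packets bytes".
# 198.51.100.10 is a normal DNS client; 198.51.100.77 is the victim.
SAMPLE_FLOWS = """
198.51.100.10:40021 203.0.113.53:53 UDP 2 130
203.0.113.53:53 198.51.100.10:40021 UDP 2 410
203.0.113.53:53 198.51.100.77:80 UDP 1200 3900000
203.0.113.54:53 198.51.100.77:80 UDP 1100 3600000
203.0.113.123:123 198.51.100.77:80 UDP 5000 2340000
203.0.113.190:1900 198.51.100.77:80 UDP 800 288000
198.51.100.77:443 203.0.113.9:443 TCP 40 6000
"""


@dataclass(frozen=True)
class Flow:
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int
    proto: str
    packets: int
    nbytes: int


def parse_flows(text):
    """Parse the whitespace-separated record format used in SAMPLE_FLOWS."""
    flows = []
    for line in text.strip().splitlines():
        src, dst, proto, pkts, nbytes = line.split()
        sip, sport = src.rsplit(":", 1)
        dip, dport = dst.rsplit(":", 1)
        flows.append(Flow(sip, int(sport), dip, int(dport), proto.upper(),
                          int(pkts), int(nbytes)))
    return flows


def find_reflection_victims(flows, min_reflectors=3, min_ratio=10.0):
    """Return {victim_ip: summary} for hosts that look like reflection targets.

    A host is flagged when it receives UDP traffic from reflector service
    ports at >= min_reflectors distinct reflector IPs and the bytes received
    exceed the bytes it sent to reflectors by >= min_ratio. A legitimate
    client sends a request for every response, so its ratio stays near the
    service's natural response/request size ratio; a spoofed victim sent none.
    """
    inbound = defaultdict(lambda: {"reflectors": set(), "services": set(),
                                   "bytes": 0, "packets": 0})
    outbound = defaultdict(int)  # client -> request bytes sent to reflectors
    for f in flows:
        if f.proto != "UDP":
            continue
        if f.src_port in REFLECTOR_PORTS:
            s = inbound[f.dst_ip]
            s["reflectors"].add(f.src_ip)
            s["services"].add(REFLECTOR_PORTS[f.src_port])
            s["bytes"] += f.nbytes
            s["packets"] += f.packets
        elif f.dst_port in REFLECTOR_PORTS:
            outbound[f.src_ip] += f.nbytes

    victims = {}
    for host, s in inbound.items():
        sent = outbound.get(host, 0)
        ratio = s["bytes"] / sent if sent else float("inf")
        if len(s["reflectors"]) >= min_reflectors and ratio >= min_ratio:
            victims[host] = {
                "reflectors": len(s["reflectors"]),
                "services": sorted(s["services"]),
                "inbound_bytes": s["bytes"],
                "avg_response_bytes": s["bytes"] // s["packets"],
                "amplification_ratio": ratio,
            }
    return victims


if __name__ == "__main__":
    for host, summary in find_reflection_victims(parse_flows(SAMPLE_FLOWS)).items():
        print(host, summary)
```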

A challenge with all types of DDoS attacks, especially for ISPs, is identifying them. Cyber criminals are rapidly devising more sophisticated botnets, making it harder to distinguish bad traffic from good traffic. The earliest forms of bots often transmitted their messages in clear-text, on well-known ports, to hard-coded IP addresses, thereby making the traffic both easy to identify and to block. Increasingly bots masquerade their traffic as application-level traffic (e.g., they make it look like regular web traffic or encrypted web traffic, use peer-to-peer techniques to avoid a single point of failure, or use VPNs to encrypt and tunnel their traffic to evade detection).

The Mirai botnet attack also leveraged the fact that there are millions of IoT devices all over the globe, and the attack traffic was generated from the far corners of the internet, sourced at the victims' locations. Level 3 Threat Research Labs reported that it observed over a million IoT devices participating in botnet attacks, and a large percentage were located in Taiwan, Brazil, and Colombia.[14] The challenge for an ISP in detecting and blocking this traffic is that it does not originate on the ISP's network and may only transit a portion of the network, if it transits it at all. And even if there are bots on the network originating traffic, the volume of traffic from the bots may not be high enough to detect on the network.

Botnet attack traffic may look entirely normal. Much of it is reflective amplified attacks (which offer the best bang for the buck), frequently using well known common services such as DNS, network time protocol (NTP), and HTTP.

[11] K. Butler, et al, A Survey of BGP Security Issues and Solutions, Proceedings of the IEEE 98, no. 1 (Jan. 2010), at p. 100-122 (doi:10.1109/jproc.2009.2034031).
[12] Cisco, IPv6 Extension Headers Review and Considerations [IP Version 6 (IPv6)] (Oct. 10, 2006), available at http://www.cisco.com/en/US/technologies/tk648/tk872/technologies_white_paper0900aecd8054d37d.html (accessed June 30, 2017).
[13] Suranjith Ariyapperuma and Chris Mitchell, Security vulnerabilities in DNS and DNSSec, Proceedings of The Second International Conference on Availability, Reliability and Security, ARES 2007, The International Dependability Conference - Bridging Theory and Practice, Vienna, Austria, available at http://web.mit.edu/6.033/www/papers/dnssec.pdf (accessed June 30, 2017).
[14] Level 3 Research Labs, Attack of Things!, available at http://www.netformation.com/level-3-pov/attack-of-things-2 (accessed June 20, 2017).


There are hundreds of different types of attacks within the five DDoS attack categories. Mirai itself has about a dozen DDoS attacks programmed into it. The botnet spread by scanning for open telnet ports (transmission control protocol port 23). Telnet is a clear text protocol and is extremely insecure and should not be used over the internet, but this is exactly how Mirai was spread. During the Dyn DNS attack, Mirai used DNS "water torture,"[15] which it proxied through several well-known open resolvers (Google 8.8.8.8, for example). The attack on the KrebsonSecurity[16] website was designed to appear like the generic routing encapsulation (GRE) protocol.[17] Both attacks could have been blocked by upstream internet transit providers. In the case of the Dyn attack, network service providers and the Comm-ISAC reached out to Dyn to offer assistance.

The KrebsonSecurity attack, being GRE-based, could have been blocked by most ISPs. The Dyn traffic was proxied by well-known open resolvers, so rate limiting that traffic towards the Dyn IPs could have mitigated most of the effects of that attack. Brobot, which affected many U.S. financial systems, used HTTP and HTTPS for most of its attacks. Blocking it would require content examination and filtering, something ISPs generally do not do and cannot do for HTTPS without holding the end-user's private keys. Malicious traffic that is encrypted (e.g., HTTPS) cannot be filtered.

The latest attacks illustrate the sophistication and scale that botnets have achieved. Botnets are detectable; the challenge is stopping them. The best way to stop them is to prevent their spread in the first place. The real challenge for the internet ecosystem in dealing with botnet threats is the remediation of infected end-points. Without either remediating the end-point or disconnecting the infected end-point from the internet, the threat from the infected end-point remains. Ensuring that end-points are running the latest software with the latest security patches is a recognized best practice for mitigating the spread of and threats from malicious and nefarious bots.

[15] DNS water torture is an attack type where many end-points send queries for a victim's domain with a random string prepended to the domain, which overwhelms the victim's authoritative DNS server and makes the victim's domain inaccessible.
[16] See https://krebsonsecurity.com.
[17] KrebsonSecurity, KrebsOnSecurity Hit With Record DDoS (Sept. 21, 2016), available at http://krebsonsecurity.com/tag/gre-ddos/ (accessed July 16, 2017).
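As an added example, not part of the CSCC paper, the following Python applies the water torture signature from footnote 15 to an authoritative server's query log: a zone whose queries are mostly NXDOMAIN and almost all carry a never-before-seen random label, with the relaying resolvers surfaced as the place where the rate limiting the text describes would apply. The log format, zone names, addresses (documentation ranges) and thresholds are constructed assumptions.

```python
"""Detect DNS "water torture" (random-subdomain floods) in an authoritative
server's query log, defender-side.

The signature from footnote 15: many queries for one zone, each with a random
label prepended, every one missing and returning NXDOMAIN. Because the flood
is relayed through open resolvers, the log shows the resolvers, not the bots.
"""
from collections import Counter, defaultdict
from math import log2

# Constructed sample log: "<unix_ts> <client_ip> <qname> <qtype> <rcode>".
# 203.0.113.11-13 stand in for open resolvers relaying the flood against
# shop.example; corp.example sees ordinary traffic plus one typo.
SAMPLE_LOG = """
1500000001 198.51.100.5 www.corp.example. A NOERROR
1500000001 198.51.100.6 www.corp.example. A NOERROR
1500000002 198.51.100.7 mail.corp.example. MX NOERROR
1500000002 198.51.100.5 www.corp.example. AAAA NOERROR
1500000003 198.51.100.8 api.corp.example. A NOERROR
1500000003 198.51.100.9 tyop.corp.example. A NXDOMAIN
1500000004 198.51.100.6 www.corp.example. A NOERROR
1500000004 198.51.100.5 www.shop.example. A NOERROR
1500000004 203.0.113.11 k3x9qd2f.shop.example. A NXDOMAIN
1500000004 203.0.113.12 p7z1mw4b.shop.example. A NXDOMAIN
1500000005 203.0.113.11 a8t5ry0n.shop.example. A NXDOMAIN
1500000005 203.0.113.13 u2h6cj9e.shop.example. A NXDOMAIN
1500000005 203.0.113.11 g4l0sv7q.shop.example. A NXDOMAIN
1500000005 203.0.113.12 w9n3bx1k.shop.example. A NXDOMAIN
1500000006 203.0.113.11 m5d8fz2t.shop.example. A NXDOMAIN
1500000006 203.0.113.13 r1c7pq6y.shop.example. A NXDOMAIN
1500000006 203.0.113.12 e6k2hv3a.shop.example. A NXDOMAIN
1500000006 198.51.100.5 www.shop.example. A NOERROR
1500000007 203.0.113.11 b0s4wt8j.shop.example. A NXDOMAIN
1500000007 203.0.113.12 y7g1nl5d.shop.example. A NXDOMAIN
1500000007 203.0.113.13 z3q9xm0p.shop.example. A NXDOMAIN
"""


def label_entropy(label):
    """Shannon entropy (bits per char) of one DNS label; random labels score high."""
    counts = Counter(label)
    n = len(label)
    return -sum(c / n * log2(c / n) for c in counts.values())


def zone_of(qname, depth=2):
    """Zone = last `depth` labels. Simplification: a real deployment would
    map qnames onto the zones this server is actually authoritative for."""
    labels = qname.rstrip(".").split(".")
    return ".".join(labels[-depth:])


def parse_log(text):
    records = []
    for line in text.strip().splitlines():
        ts, client, qname, qtype, rcode = line.split()
        records.append((int(ts), client, qname.rstrip(".").lower(), qtype, rcode))
    return records


def summarize_zones(records):
    zones = defaultdict(lambda: {"queries": 0, "nxdomain": 0, "labels": set(),
                                 "entropy_sum": 0.0, "clients": Counter()})
    for _ts, client, qname, _qtype, rcode in records:
        z = zones[zone_of(qname)]
        leftmost = qname.split(".")[0]
        z["queries"] += 1
        if rcode == "NXDOMAIN":
            z["nxdomain"] += 1
        z["labels"].add(leftmost)
        z["entropy_sum"] += label_entropy(leftmost)
        z["clients"][client] += 1
    return zones


def detect_water_torture(records, min_queries=10, min_nxdomain_ratio=0.7,
                         min_distinct_ratio=0.5):
    """Return {zone: findings} for zones showing the water torture signature.

    Ordinary typo traffic fails the distinct-label test because real names
    repeat; a zone that legitimately serves unique per-request labels would
    need a whitelist, since it fails the test for the wrong reason.
    """
    findings = {}
    for zone, z in summarize_zones(records).items():
        if z["queries"] < min_queries:
            continue
        nx_ratio = z["nxdomain"] / z["queries"]
        distinct_ratio = len(z["labels"]) / z["queries"]
        if nx_ratio >= min_nxdomain_ratio and distinct_ratio >= min_distinct_ratio:
            findings[zone] = {
                "queries": z["queries"],
                "nxdomain_ratio": nx_ratio,
                "distinct_labels": len(z["labels"]),
                "mean_label_entropy": z["entropy_sum"] / z["queries"],
                # Resolvers relaying the flood: candidates for per-source
                # rate limiting toward this zone's authoritative servers.
                "top_sources": z["clients"].most_common(3),
            }
    return findings


if __name__ == "__main__":
    for zone, f in detect_water_torture(parse_log(SAMPLE_LOG)).items():
        print(zone, f)
```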


Most Botnet Traffic Originates Outside the United States

The threat landscape from botnets continues to evolve. According to threat intelligence companies, notable trends identified in the threat landscape in 2016 are that: 1) insecure IoT devices are a big source of DDoS attack traffic;[18] and 2) the vast majority of the attack traffic originates from outside the United States.[19]

In 2016, attacks from IoT devices made headlines with the Mirai botnet attacks from improperly secured security cameras and their closed-circuit TV (CCTV) recorders (DVRs). As noted by Level 3 Threat Research Labs, many of the insecure cameras and DVRs were located in Taiwan, Brazil, and Colombia.[20] Shodan,[21] a search engine that lets the user find specific types of IoT and other devices that are connected and visible on the public internet, reports (as of July 2017) 300K+ susceptible Hikvision devices connected directly to the internet, with the vast majority of those devices located in Brazil (45,000), India (36,000), China (34,000), Mexico (25,000), and South Korea (20,000).[22]

While attributing the exact source of botnet attacks is difficult, it is almost always possible to determine the source country of the traffic. Numerous reports[23] indicate that the leading sources of attack traffic are China and other countries in Southeast Asia (e.g., Vietnam, Taiwan, and Thailand).[24]

This is consistent with an earlier study that showed a strong correlation between devices used for botnet attacks and the country in which the devices reside. Such devices are typically running software without the latest security patches.[25] In one study, researchers analyzed six

[18] Akamai, State of the Internet Security Q4 2016 Report (Winter 2016), available at https://www.akamai.com/us/en/multimedia/documents/state-of-the-internet/q4-2016-state-of-the-internet-security-report.pdf (accessed June 20, 2017).
[19] Incapsula.com, Global DDoS Threat Landscape Q1 2017 (Spring 2017), available at https://www.incapsula.com/ddos-report/ddos-report-q1-2017.html (accessed June 20, 2017).
[20] Level 3 Research Labs, Attack of Things!, available at http://www.netformation.com/level-3-pov/attack-of-things-2 (accessed June 20, 2017).
[21] See shodan.io (Shodan scans the internet indexing devices that respond to port scans on port 80, 8080, 443, 8443, 21, 22, 23, 161, 5060, 554, and other well-known ports).
[22] Shodan, Search of "Hikvision," available at https://www.shodan.io/search?query=hikvision (accessed June 20, 2017).
[23] See Appendix A of this paper for data from different threat reports.
[24] Incapsula.com, Global DDoS Threat Landscape Q1 2017 (Spring 2017), available at https://www.incapsula.com/ddos-report/ddos-report-q1-2017.html (accessed June 20, 2017).
[25] Hadi Asghari, Michael Ciere, and Michel J.G. van Eeten, Post-Mortem of a Zombie: Conficker Cleanup After Six Years, in USENIX, The Advanced Computing Systems Association, Proceedings of the 24th USENIX Security Symposium, Washington, D.C. (Aug. 2015), available at https://www.usenix.org/system/files/conference/usenixsecurity15/sec15-paper-asghari.pdf (accessed June 20, 2017).


yearsoflongitudinaldatafromthesink-holeofConficker,oneofthelargestbotnetseverseen,

toassesstheimpactonbotnetmitigationofnationalanti-botnetinitiatives,aimedatgetting

end-userstocleaninfectedend-usermachines.Theyfoundthatpeakinfectionlevelsstronglycorrelatewithsoftwarepiracy.Thisimpliesthatcountrieswithahighernumberofend-users

runningunlicensedcopiesofsoftwaretendtohavehighernumbersofbotsbecausethose

assetshavealowerpercentageofregisteredusersgettingsecuritypatches.

A similar pattern was seen with the Mirai botnet, which exploited the fact that a class of IoT devices shipped with well-known, default login credentials that end-users rarely change. Vulnerabilities with at least one of the manufacturers were reported as far back as 2013.26 Only after the Mirai botnet attack was reported did the manufacturer in question provide a firmware update to address the vulnerabilities, and, even then, it required manual intervention by device end-users to update the firmware, as the devices did not support an automated manner for securely updating their software.

Current Tools and Techniques

Application of Cybersecurity Framework against Botnets

The Cybersecurity Framework, developed by the National Institute of Standards & Technology (NIST),27 is a voluntary risk-based "set of industry standards and best practices to help organizations manage cybersecurity risks." The Framework is composed of five functional areas – 1) Identify, 2) Detect, 3) Protect, 4) Respond, and 5) Recover. The leading ISPs use the Framework as part of their overall cyber risk management processes to address the threats posed by bots and botnets against their networks.

Identify

In the Framework, the first step is identifying both what needs to be protected and what the cyber threats are. The Federal Communications Commission's (FCC) Communications Security, Reliability and Interoperability Council (CSRIC) IV Working Group 4 final report, Cybersecurity Risk Management and Best Practices, provides implementation guidance on the use of the Framework for network service providers. ISPs, as part of the critical infrastructure, have identified that they need to protect their core networks from cybersecurity threats such as bots and botnets. ISPs may also, as part of a managed security service, protect their customers from the harms of cyber threats.

26 Department of Homeland Security (DHS) Office of Cybersecurity and Communications, Vulnerability Note VU#800094 - Dahua Security DVRs contain multiple vulnerabilities (Dec. 4, 2013), available at http://www.kb.cert.org/vuls/id/800094 (accessed June 20, 2017).
27 National Institute of Standards and Technology, Cybersecurity Framework (May 25, 2017), available at https://www.nist.gov/cyberframework (accessed June 20, 2017).

In addition to identifying what needs to be protected, network service providers use the Framework and other tools to identify the threats. The first step is identifying the attack surfaces of the assets to be protected and then identifying the known attack vectors. This information is continuously synthesized with threat intelligence data to ensure comprehensive coverage and to identify, and ultimately address, new vulnerabilities. Obtaining high-quality cyber threat data is one of the most important aspects of implementing and running a strong botnet mitigation program. For the program to be effective, near zero false positive data is needed. False positives can greatly increase a network service provider's operating costs, impact its customer satisfaction, and damage its brand. As outlined in the CSRIC V Working Group 5 report on Cybersecurity Information Sharing,28 network service providers have developed an information sharing ecosystem to both use and share cyber threat indicator information from an array of sources, to identify botnets and their associated threats. Included in this ecosystem are trusted third-party (TTP) data feeds, information from DHS including its Automated Information Sharing (AIS) system, and inter-sector information sharing.

Detect

As outlined in the Framework, detection of threats and attacks is the next step in protecting networks from botnet attacks. As described earlier, botnet attacks come in many forms, so detecting them requires an array of tools and techniques tailored for each kind of attack. Regardless of the type of botnet attack, network service providers use a core set of techniques, including packet sampling, signature analysis, and heuristic or behavioral analysis.

Many botnets attempt to disguise their traffic as normal internet traffic. This makes it particularly difficult to detect highly distributed botnets or low-volume traffic botnets, as the traffic will be below the alarm thresholds on any single operator's network. For example, during the Mirai Dyn DNS waterboarding attack, the attackers proxied their requests through well-known open DNS resolvers.29

28 FCC CSRIC V, Working Group 5: Cybersecurity Information Sharing, Final Report (Mar. 15, 2017), available at https://www.fcc.gov/files/csric5-wg5-finalreport031517pdf (accessed June 20, 2017).

Protect

Network service providers use a variety of techniques to protect their networks from attacks and undertake measures to help their customers protect themselves from attacks.

Network service providers use different filtering techniques to directly protect their network infrastructure (e.g., routers, servers). Bots often spoof the source IP address in the attack packets. This is typically seen in network reflection attacks, but as seen in high volume attacks such as the Mirai botnet or Dyn attack, this can be accomplished even without IP spoofing. Regardless, as a best common practice, most, if not all, network service providers perform network filtering for spoofed IP addresses.30

Network service providers also use a combination of other filtering techniques such as Access Control Lists (ACLs), traffic policing, blackholing, and sinkholing in their networks to filter known botnet traffic. These techniques can be effective for neutralizing the C&C traffic for client-server botnets. This is less effective against more advanced botnets that use peer-to-peer architecture, encryption, and/or fast flux DNS techniques for their C&C channel. Fast flux is a DNS technique used by botnets to hide phishing and malware delivery sites behind an ever-changing network of compromised hosts acting as proxies.

Network service providers also have made large investments in DDoS scrubbing systems to "scrub" out DDoS attacks against their networks and their customers who have purchased DDoS mitigation services. DDoS scrubbing systems rely upon diverting the victim's traffic through the scrubber "on-demand" to filter out attack traffic from good traffic, and then place it back on the provider's network to send it to its original destination. Network service providers use a combination of in-house scrubbing systems and third-party scrubbing systems via contracts with third party DDoS mitigation providers. However, network service providers do not have the capacity to scrub all traffic all of the time.

29 Scott Hamilton, Dyn Analysis Summary Of Friday October 21 Attack, Dyn Blog (Oct. 26, 2016), available at http://dyn.com/blog/dyn-analysis-summary-of-friday-october-21-attack/ (accessed June 20, 2017).
30 P. Ferguson and D. Senie, Network Ingress Filtering: Defeating Denial of Service Attacks which employ IP Source Address Spoofing, Best Current Practice (BCP) 38 (May 2000), available at https://tools.ietf.org/html/bcp38 (accessed June 20, 2017); F. Baker and P. Savola, Ingress Filtering for Multihomed Networks, BCP 84 (Mar. 2004), available at https://tools.ietf.org/html/bcp84 (accessed June 20, 2017); and Mutually Agreed Norms for Routing Security (MANRS), Participants (Mar. 6, 2015), available at https://www.routingmanifesto.org/participants/ (accessed June 20, 2017).

In addition to scrubbing traffic, many providers use the Flowspec31 capabilities of BGP to dynamically block easily identifiable traffic on the router. The traffic is usually blocked using the basic five-tuple of values found in IPFIX32 (source and destination IP, source and destination port, and protocol). Flowspec is advantageous in that BGP updates can be made and withdrawn fairly quickly in the network, allowing for faster mitigation.

Network service providers also can provide specific tools and services to their customers to protect themselves, including end-point anti-virus software and home gateways with integrated security.33 Large ISP customers operating stub networks or edge providers also can use a technique to mitigate DDoS attacks known as Anycast, which allows multiple hosts or end-points to have the same IP address. By geographically distributing these hosts, the magnitude of the DDoS attack needs to be significantly larger to account for the distributed hosts and succeed at disrupting the site or service. Anycast services can be deployed by edge providers or purchased from DDoS mitigation partners.

Several network service providers also offer a suite of managed security services including but not limited to the DDoS scrubbing services mentioned above. These can include capabilities such as network based firewalls, mobile device management services, threat analysis and event detection, secure VPN connectivity to the cloud, and web and email security.

Respond & Recover

Today, as outlined in the Cybersecurity Framework, when a network service provider detects malicious traffic from a bot either on its network or toward an end-point on its network, it responds and recovers as necessary. The response consists of mitigating the impact from the malicious traffic, and, if necessary, remediating the infected end-point.

To mitigate the malicious traffic, the network service provider must first determine the scope of the impact from the malicious traffic. For malicious traffic that is impacting its network or its ability to deliver service, the network service provider will need to work to filter out the malicious traffic using one of the filtering techniques (e.g., ACL, blackhole, sinkhole, or scrub) described earlier. In addition, if the malicious traffic is inbound toward its network, the network service provider may contact the upstream network and ask it to filter the traffic emanating from that network.

31 Leonardo Serodio, Traffic Diversion Techniques for DDoS Mitigation using BGP Flowspec (May 2013), available at https://nanog.org/sites/default/files/wed.general.trafficdiversion.serodio.10.pdf (accessed July 7, 2017).
32 B. Claise, B. Trammell, and P. Aitken, Specification of the IP Flow Information Export (IPFIX) Protocol for the Exchange of Flow Information, IETF Tools (Sept. 2013), available at https://tools.ietf.org/html/rfc7011 (accessed July 7, 2017).
33 McAfee, McAfee Web Gateway, available at https://www.mcafee.com/us/products/web-gateway.aspx (accessed July 7, 2017).

For malicious traffic that is determined to be emanating from a customer end-point on its network, the network service provider, as recommended in the voluntary Anti-Bot Code of Conduct for Internet Service Providers (ABC for ISPs),34 will:

• Detect – identify and detect botnet activity in the ISP's network or on behalf of enterprise customers who have purchased services from the ISP to determine potential bot infections on end-user devices;

• Notify – notify end-users, including potentially both consumers and enterprise business clients, of suspected bot infections;

• Remediate – provide information to end-users about how they can remediate bot infections and/or actively assist enterprise business clients in remediating the impacts of botnets; and

• Collaborate – provide feedback and experiences learned to other ISPs.

Emerging Solutions

The internet ecosystem is continuing to improve its ability to mitigate the attacks from botnets. Efforts are underway to improve both detection and mitigation capabilities.

Technological Approaches. A large number of malware uses a technique known as a domain generation algorithm (DGA) to periodically generate a large number of domain names that can be used as rendezvous points for their C&C servers in an attempt to obfuscate the botnet's true infrastructure. Currently, security investigators can work to reverse engineer the DGA used by each variant of malware. The reverse engineering can be a time-consuming process, and is often an ineffective whack-a-mole approach. To address this issue, industry has been investigating how to apply machine learning to automate the process and work in real-time as the malware registers domain names with an internet registry. Efforts are underway to commercialize and integrate machine learning for botnet detection into network protection products.

34 Messaging Malware Mobile Anti-Abuse Working Group (M3AAWG), ABCs for ISPs, available at https://www.m3aawg.org/abcs-for-ISP-code (accessed June 20, 2017).
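
As an added example (not from the paper or any product), the following Python scores names in a DNS query log on lexical features that DGA output tends to show, and flags clients that accumulate NXDOMAIN answers for such names, which is what a bot cycling through unregistered rendezvous domains produces. The log format, thresholds and all names are constructed assumptions standing in for the trained classifiers the paper describes.

```python
"""Heuristic DGA detection over DNS query logs.

Added example, not from the CSCC paper or any product. Assumes a constructed log
format "<epoch> <client> <qname> <rcode>" and simple lexical features (entropy,
vowel ratio, consonant runs) plus per-client NXDOMAIN churn; thresholds are
constructed, not learned.
"""
import math
from collections import defaultdict

VOWELS = set("aeiou")


def registrable_label(qname: str) -> str:
    """Label left of the TLD; assumes single-label TLDs (a constructed simplification)."""
    labels = qname.lower().rstrip(".").split(".")
    return labels[-2] if len(labels) >= 2 else labels[0]


def shannon_entropy(s: str) -> float:
    counts = {}
    for ch in s:
        counts[ch] = counts.get(ch, 0) + 1
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in counts.values()) if n else 0.0


def longest_consonant_run(s: str) -> int:
    best = run = 0
    for ch in s:
        if ch.isalpha() and ch not in VOWELS:
            run += 1
            best = max(best, run)
        else:
            run = 0
    return best


def dga_score(label: str) -> float:
    """Score in [0, 1]; higher is more DGA-like. Weights and cut-offs are constructed."""
    if len(label) < 4:
        return 0.0
    letters = [c for c in label if c.isalpha()]
    vowel_ratio = sum(c in VOWELS for c in letters) / max(len(letters), 1)
    digit_ratio = sum(c.isdigit() for c in label) / len(label)
    score = 0.0
    if shannon_entropy(label) > 3.0:
        score += 0.35          # many distinct characters for the length
    if vowel_ratio < 0.25:
        score += 0.25          # unpronounceable
    if longest_consonant_run(label) >= 4:
        score += 0.2
    if len(label) >= 12:
        score += 0.1
    if digit_ratio > 0.2:
        score += 0.1
    return min(score, 1.0)


def parse_log(lines):
    out = []
    for line in lines:
        ts, client, qname, rcode = line.split()
        out.append({"ts": int(ts), "client": client, "qname": qname, "rcode": rcode})
    return out


def suspicious_clients(records, score_threshold=0.5, min_nxdomain=5):
    """Clients with at least min_nxdomain distinct DGA-like names answered NXDOMAIN."""
    hits = defaultdict(set)
    for r in records:
        if r["rcode"] != "NXDOMAIN":
            continue
        label = registrable_label(r["qname"])
        if dga_score(label) >= score_threshold:
            hits[r["client"]].add(label)
    return {c: sorted(labels) for c, labels in hits.items() if len(labels) >= min_nxdomain}


# Constructed log: 192.0.2.10 behaves like a bot (five unregistered DGA-like names, then
# one that resolves); 192.0.2.20 is an ordinary client with one typo; 192.0.2.30 is
# below the churn threshold.
SAMPLE_LOG = [
    "1500000000 192.0.2.10 xkqvhzjtwplm.com NXDOMAIN",
    "1500000001 192.0.2.10 qzvbnrtkwxdp.com NXDOMAIN",
    "1500000002 192.0.2.10 hgfjklqwzxcv.net NXDOMAIN",
    "1500000003 192.0.2.10 bvcxzqwrtplk.org NXDOMAIN",
    "1500000004 192.0.2.10 mnbvcxzlkjhg.com NXDOMAIN",
    "1500000005 192.0.2.10 tgbnhyujmkio.net NOERROR",
    "1500000006 192.0.2.20 google.com NOERROR",
    "1500000007 192.0.2.20 stackoverflow.com NOERROR",
    "1500000008 192.0.2.20 gooogle.com NXDOMAIN",
    "1500000009 192.0.2.30 plkjhgfdsazx.com NXDOMAIN",
    "1500000010 192.0.2.30 wqrtypsdfghj.com NXDOMAIN",
]

if __name__ == "__main__":
    print(suspicious_clients(parse_log(SAMPLE_LOG)))
```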

Newer botnets now often use encryption (e.g., TLS35) to hide their C&C channel. The Secure Sockets Layer (SSL) Blacklist (SSLBL) project36 illustrates that even though the botnet is using encryption, it is still possible to detect the botnet. It is possible to identify the bot's C&C traffic by inspecting the malicious SSL certificates to generate a unique SHA-137 fingerprint for each botnet using deep packet inspection (DPI). Efforts are underway to commercialize this approach and integrate the methods into network protection systems to allow for real-time fingerprinting and mitigation of botnets.
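
As an added example (not the SSLBL project's own code or any DPI product), the following Python extracts the certificates from a TLS 1.2 Certificate handshake record, fingerprints each with SHA-1 and matches it against a blocklist. It assumes a TLS 1.2 handshake, where the server certificate is sent in the clear (TLS 1.3 encrypts it); the certificate bytes, the blocklist entry and the record builder are constructed.

```python
"""Certificate-fingerprint matching in the style of the SSL Blacklist.

Added example, not from the CSCC paper, the SSLBL project or any DPI product.
Assumes a TLS 1.2 handshake record carrying a Certificate message in the clear;
certificates and blocklist entries below are constructed, not real indicators.
"""
import hashlib
import struct

HANDSHAKE = 0x16       # TLS record content type
CERTIFICATE = 0x0B     # handshake message type


def extract_certificates(record: bytes) -> list:
    """Return the DER blobs from a handshake record; other messages in the record are skipped."""
    if len(record) < 5 or record[0] != HANDSHAKE:
        raise ValueError("not a TLS handshake record")
    rec_len = struct.unpack("!H", record[3:5])[0]
    body = record[5:5 + rec_len]
    if len(body) != rec_len:
        raise ValueError("truncated record")
    certs, pos = [], 0
    while pos + 4 <= len(body):
        hs_type = body[pos]
        hs_len = int.from_bytes(body[pos + 1:pos + 4], "big")
        msg = body[pos + 4:pos + 4 + hs_len]
        if len(msg) != hs_len:
            raise ValueError("truncated handshake message")
        pos += 4 + hs_len
        if hs_type != CERTIFICATE:
            continue                      # e.g. a ServerHello coalesced into the same record
        total = int.from_bytes(msg[0:3], "big")
        chain, cpos = msg[3:3 + total], 0
        while cpos + 3 <= len(chain):     # each entry: 3-byte length + DER certificate
            clen = int.from_bytes(chain[cpos:cpos + 3], "big")
            certs.append(chain[cpos + 3:cpos + 3 + clen])
            cpos += 3 + clen
    return certs


def sha1_fingerprint(der: bytes) -> str:
    return hashlib.sha1(der).hexdigest()


def match_blocklist(record: bytes, blocklist: dict) -> list:
    """(fingerprint, listing reason) for every certificate in the record found on the blocklist."""
    hits = []
    for der in extract_certificates(record):
        fp = sha1_fingerprint(der)
        if fp in blocklist:
            hits.append((fp, blocklist[fp]))
    return hits


def build_certificate_record(certs, leading=b"") -> bytes:
    """Constructed sample builder: wrap DER blobs in a Certificate message inside a TLS 1.2 record."""
    chain = b"".join(len(c).to_bytes(3, "big") + c for c in certs)
    msg = len(chain).to_bytes(3, "big") + chain
    hs = leading + bytes([CERTIFICATE]) + len(msg).to_bytes(3, "big") + msg
    return bytes([HANDSHAKE, 0x03, 0x03]) + struct.pack("!H", len(hs)) + hs


# Constructed stand-ins for DER certificates (not real certificates or real fingerprints).
FAKE_C2_CERT = b"\x30\x82\x01\x00" + b"constructed-c2-certificate"
FAKE_LEAF_CERT = b"\x30\x82\x01\x00" + b"constructed-benign-certificate"
SAMPLE_BLOCKLIST = {sha1_fingerprint(FAKE_C2_CERT): "constructed listing: botnet C&C"}

if __name__ == "__main__":
    rec = build_certificate_record([FAKE_C2_CERT, FAKE_LEAF_CERT])
    print(match_blocklist(rec, SAMPLE_BLOCKLIST))
```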

In addition, researchers are developing the use of tarpits at network scale to slow the propagation of botnets.38 Researchers are investigating how to turn unused IP address space into botnet tarpits.39 The basic idea is to route all inbound traffic that is addressed to the unused IP addresses to the tarpit. The tarpit has a set of programmed rules for how to respond, and thereby extends the time it takes for a botnet to work its way up the kill chain.40 By extending the time, the targets of the attack have more time to determine what additional defensive measures need to be put in place to neutralize the attack, if any.

In addition to tarpits, network providers have undertaken efforts to determine how to leverage the features of Software Defined Networks (SDNs) to help mitigate attacks from botnets. SDNs provide the capability to dynamically create overlay networks. When combined with other network partitioning techniques and technology, it becomes possible to dynamically create virtual lanes for the different IP-based services. With this approach, IoT providers can work with network service providers to create end-to-end virtual lanes from the IoT device through the network to the cloud-based service. This process ensures a compromised IoT device cannot communicate with unauthorized endpoints. In other words, a compromised device could not be used in a DDoS attack or send information to non-authorized hosts. The Network Slicing feature in 5G networks is a good example of this,41 and similar approaches are being investigated for SDN-enabled wireline networks.

35 E. Rescorla and N. Modadugu, Datagram Transport Layer Security Version 1.2, IETF Tools (Jan. 2012), available at https://tools.ietf.org/html/rfc6347 (accessed June 20, 2017).
36 SSL Blacklist, SSL Blacklist, available at https://sslbl.abuse.ch/blacklist/ (accessed June 20, 2017).
37 SHA-1 – Secure Hash Algorithm 1 is a cryptographic hash function that generates a 20 byte hash key used by many security applications and protocols including TLS and SSL as part of encrypting data.
38 Labrea, Tom Liston Talks about Labrea, available at http://labrea.sourceforge.net/Intro-History.html (accessed July 17, 2017).
39 Tarpits are defensive measures against attacks where the server purposely delays incoming connections to make spamming and broad scanning less effective.
40 Eric Hutchins, Michael Cloppert, and Rohan Amin, Intelligence-Driven Computer Network Defense Informed by Analysis of Adversary Campaigns and Intrusion Kill Chains, CND Papers (Nov. 21, 2010), available at http://papers.rohanamin.com/?p=15 (accessed July 7, 2017).

Collaboration Initiatives. Several industry-led initiatives are underway to improve automated cyber threat information sharing. The Cybersecurity Information Sharing Act (CISA), enacted in 2015, and the subsequent rollout of the DHS Automated Information Sharing (AIS) capability are helping to facilitate machine-to-machine (M2M) initiatives.

There are at least two other automated M2M sharing initiatives that may be useful in combatting botnets. Both have a common goal of ensuring that the cyber threat information being shared is "actionable" by the recipient. The paradigm in the past often has been for networks to try to build better protection at their network ingress points. These initiatives share information with neighboring networks to mitigate the threat as close to the source of the malicious traffic as possible.

The Internet Engineering Task Force (IETF) is developing a protocol called DDoS Open Threat Signaling (DOTS)42 for the real-time exchange of DDoS-related telemetry between DDoS mitigation network elements. The IETF DOTS protocol is working to improve the cooperation between DDoS attack victims and parties that can help in mitigating such attacks. The protocol will support requests for DDoS mitigation services and status updates across inter-organizational administrative boundaries (e.g., network-to-network).

The Messaging Malware Mobile Anti-Abuse Working Group (M3AAWG) DDoS special interest group43 members are collaborating on a similar endeavor. M3AAWG is developing an application program interface (API), data store, and open source reference implementations for network service providers to share DDoS threat indicators for the purpose of identifying sources of DDoS attack traffic, but not for mitigating attacks in real time. M3AAWG's approach allows network service providers to share the source IP addresses for the inbound IP flows that their DDoS detection systems identify in an anonymous fashion with the network on which the DDoS attack originated. This allows network operators to clean up the sources of DDoS attack traffic. By sharing only the source IP address, this approach is compatible with most of the global privacy laws with respect to the sharing of identifiable information.

41 See 5G Americas, Network Slicing for 5G Networks & Services, available at http://www.5gamericas.org/files/3214/7975/0104/5G_Americas_Network_Slicing_11.21_Final.pdf (accessed July 7, 2017).
42 IETF, DDoS Open Threat Signaling (dots), available at https://datatracker.ietf.org/wg/dots/about/ (accessed June 20, 2017).
43 M3AAWG, M3AAWG Issues New Papers Explaining Password Security, Multifactor Authentication, Encryption Use and DDoS Safeguards; Announces Leadership and Committee Chairs, Press Release (Apr. 4, 2017), available at https://www.m3aawg.org/news/rel-leadership-papers-2017-04 (accessed June 20, 2017).

Challenges and Opportunities

Cybersecurity is a shared responsibility. Reducing the threats from bots, botnets, and their automated attacks requires the cooperation and collaboration of all members of the internet ecosystem. This section identifies a number of areas where the threats presented by bots and botnets can be reduced with better cooperation and collaboration by members of the internet ecosystem.

Botnet Takedowns

Challenge – No technique is more effective than law enforcement actions that lead to the arrest of the perpetrators. This is the only solution that addresses the root cause of the problem, and not just a symptom. Unfortunately, executing a botnet takedown requires significant upfront forensic analysis and careful coordination among many stakeholders, often across international borders. A limiting factor in the overall velocity of botnet takedowns is the lack of law enforcement resources. The other challenge is that most botnets are international in nature, requiring resource-intensive and time-consuming cooperation between nations.

Opportunity – Additional law enforcement resources and streamlining international processes would aid the overall botnet takedown process.

Actionable Cyber Threat Information

Challenge - Network service providers must have both accurate and actionable cyber threat information to be able to quickly neutralize botnets. For information to be actionable, the cyber threat indicator has to be correlated to a single end-point. Many of the data feeds used and shared by enterprise are long-term IP reputation lists of little value to network service providers that operate networks with a large set of subscribers that have dynamically assigned IP addresses with short leases. This means the cyber threat indicator must be timely and either include the current IP address or the IP address and a time-stamp of the malicious activity.

The same is true for IP addresses of the botnet C&C servers. C&C servers often do not have a static IP address. Often the C&C servers are on shared hosts where a single IP address is shared by multiple hosts. In addition, the C&C servers may have a pool of IP addresses or shared hosts that they rotate through.

Network service providers need a single, highly reliable, near-term indication that an IP address has generated malicious traffic or has been scanned to show exposed vulnerable services, as well as the compromised hosts.
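
As an added example (not the paper's or any ISP's tooling), the following Python resolves an indicator against constructed DHCP lease history and shows why the paper insists on IP plus timestamp: an IP alone maps to every subscriber that ever held it, and a timestamp on a lease boundary with clock skew is still ambiguous. Even a unique match names the subscriber's public address, not the device behind a home NAT router; the lease format, addresses and subscriber ids are constructed assumptions.

```python
"""Resolving a threat indicator to a subscriber through DHCP lease history.

Added example, not from the CSCC paper or any ISP's systems. Assumes a constructed
lease-history format "<start-iso> <end-iso> <ip> <subscriber>" with half-open
lease intervals [start, end); all data below is constructed.
"""
from datetime import datetime, timedelta


def parse_leases(lines):
    leases = []
    for line in lines:
        start, end, ip, sub = line.split()
        leases.append({"start": datetime.fromisoformat(start),
                       "end": datetime.fromisoformat(end), "ip": ip, "sub": sub})
    return leases


def holders_of(leases, ip):
    """Every subscriber that ever held the IP: all an untimestamped indicator can tell you."""
    return sorted({l["sub"] for l in leases if l["ip"] == ip})


def resolve_indicator(leases, ip, when, clock_skew_s=0):
    """Subscribers holding `ip` within +/- clock_skew_s of `when` (widened for reporter clock error)."""
    lo = when - timedelta(seconds=clock_skew_s)
    hi = when + timedelta(seconds=clock_skew_s)
    # lease [start, end) overlaps the window [lo, hi] when start <= hi and end > lo
    return sorted({l["sub"] for l in leases
                   if l["ip"] == ip and l["start"] <= hi and l["end"] > lo})


def classify_indicator(leases, indicator):
    """('actionable', subscriber) | ('ambiguous', [subscribers]) | ('no-match', [])."""
    if "ts" not in indicator:
        subs = holders_of(leases, indicator["ip"])
    else:
        when = datetime.fromisoformat(indicator["ts"])
        subs = resolve_indicator(leases, indicator["ip"], when, indicator.get("skew", 0))
    if len(subs) == 1:
        return ("actionable", subs[0])
    if not subs:
        return ("no-match", [])
    return ("ambiguous", subs)


# Constructed lease history: one address re-leased every four hours to three different
# subscribers, and a second address held all day by a fourth.
SAMPLE_LEASES = [
    "2017-06-20T08:00:00+00:00 2017-06-20T12:00:00+00:00 198.51.100.25 SUB-A",
    "2017-06-20T12:00:00+00:00 2017-06-20T16:00:00+00:00 198.51.100.25 SUB-B",
    "2017-06-20T16:00:00+00:00 2017-06-20T20:00:00+00:00 198.51.100.25 SUB-C",
    "2017-06-20T08:00:00+00:00 2017-06-20T20:00:00+00:00 198.51.100.26 SUB-D",
]

if __name__ == "__main__":
    leases = parse_leases(SAMPLE_LEASES)
    print(classify_indicator(leases, {"ip": "198.51.100.25"}))                                   # ambiguous
    print(classify_indicator(leases, {"ip": "198.51.100.25", "ts": "2017-06-20T13:30:00+00:00"}))  # SUB-B
    print(classify_indicator(leases, {"ip": "198.51.100.25", "ts": "2017-06-20T12:00:00+00:00",
                                      "skew": 60}))                                              # boundary
```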

Opportunities - Experts agree that cyber threat information needs to be timely and targeted to be effective. The cyber information sharing initiatives of the IETF's DOTS Working Group and the M3AAWG DDoS SIG are steps in the right direction. DHS's AIS44 also provides an opportunity to improve and enhance the timely and tailored sharing of cyber threat indicators to meet recipients' needs.

Network Address Translation

Challenge – Wireline ISPs operating IPv4 networks typically provide a residential subscriber with a single public IPv4 address. The residential subscriber often uses a home router that includes a network address translation (NAT) function, which allows them to share their one public IPv4 address with multiple devices in the home.

When an ISP receives information about a residential subscriber sending malicious traffic, that information, at best, can only contain the IPv4 address assigned to the customer and not that of the actual end-point behind the home router. The use of NAT technology makes it difficult for the ISP to identify the specific device in the subscriber's home that is sending malicious traffic.

Opportunity - IPv6 eliminates the need to use NAT for IP address sharing, as every device connected to the internet can have a publicly routable IPv6 address. While not a panacea, the elimination of NAT routers may make it easier to identify end-devices transmitting malicious traffic under certain circumstances, and to filter the suspect traffic appropriately. As of June 2017, IPv6 adoption by network providers was approximately 19% globally,45 and 35% and growing within the U.S.

44 DHS, Automated Indicator Sharing (AIS), available at https://www.dhs.gov/ais (accessed June 20, 2017).

Off-Net Traffic

Challenges - As widely distributed global networks, most bots and their C&C servers are outside the network service provider's network and administrative control. In fact, numerous reports make clear that the overwhelming majority of botnet traffic originates outside the U.S.46

Furthermore, in most cases, only a small portion of a network service provider's end-points may be infected by any single botnet, and the amount of traffic generated by the botnet on the network will be miniscule. This small amount of traffic can be very difficult to detect as it will not trigger many of the network monitoring thresholds that a network service provider has in place.

Opportunity - To address both of these challenges requires collaboration among network service providers, as one of the most effective measures is to filter the traffic as close as possible to the device infected with the bot. Any transit or peering agreements should include language that addresses availability and scrubbing of traffic to allow for network operators to ask the upstream provider(s) to filter malicious traffic.

End-User Notifications

Challenge - Notifying and getting end-users to take action continues to be a challenge. There are multiple ways that members of the internet ecosystem can notify an end-user:47

• Email;

• Telephone call;

• Postal mail;

• Text message;

• Web browser notification;

• Walled garden; and

• Other Methods.48

45 Google, IPv6 Adoption (June 18, 2017), available at https://www.google.com/intl/en/ipv6/statistics.html#tab=per-country-ipv6-adoption&tab=per-country-ipv6-adoption (accessed June 20, 2017).
46 Incapsula.com, Global DDoS Threat Landscape Q4 2016 (Winter 2017), available at https://www.incapsula.com/ddos-report/ddos-report-q4-2016.html (accessed June 20, 2017).
47 Michael Glenn, Malware Notification and Remediation Tools and Techniques, CenturyLink presentation to NIST Workshop: Technical Aspects of Botnet (May 30, 2012), available at https://www.nist.gov/sites/default/files/documents/itl/csd/centurylink_malware_notification_and_remediation.pdf (accessed June 20, 2017).

A study commissioned by M3AAWG to determine the effectiveness of various notification and remediation methods showed that the two most effective methods are a telephone call to the device user and postal mail.49 The growing use of IoT devices in homes presents new challenges in notifying end-users. IoT devices often have limited user interfaces, thus negating a number of the notification methods (web browser, walled garden, etc.). This is further compounded by the fact that an ISP can only notify an end-user that "a device" in their home is infected, and cannot identify the specific corrupted device.

Opportunities – Various measures exist to improve device identification going forward. Better designed IoT devices that adhere to industry standards such as those being developed by the Open Connectivity Foundation (OCF)50 are one avenue to improve security. And, as noted earlier, network operator support for IPv6 will aid in both the identification of the infected device, as well as notifying the user of the device.

Fast Flux DNS

Challenge – The use of fast flux51 by malware and botnets to hide their infrastructure continues to grow. Fast flux is a DNS technique where numerous IP addresses associated with a single domain name are swapped in and out with extremely high frequency. Fast flux effectively hides the computers or servers that are performing the malicious attacks from being detected. Fast flux makes cutting off contact of the bots to the C&C servers difficult or impossible by IP address filtering alone.
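
As an added example (not from the paper or the SSAC advisory), the following Python scores a domain's resolution history on the churn signals that separate fast flux from an ordinary low-TTL CDN name: many distinct IPs over a short window and a high fraction of new IPs between consecutive answers. The resolver log format, thresholds and addresses are constructed assumptions.

```python
"""Flagging fast-flux domains from a resolver's repeated answers.

Added example, not from the CSCC paper or SAC025. Assumes a constructed log format
"<epoch> <domain> <ttl> <ip1,ip2,...>"; thresholds are constructed, not tuned.
"""
from collections import defaultdict


def parse_resolutions(lines):
    """Group answers by domain as (timestamp, ttl, ipset) tuples sorted by time."""
    by_domain = defaultdict(list)
    for line in lines:
        ts, domain, ttl, ips = line.split()
        by_domain[domain.lower().rstrip(".")].append((int(ts), int(ttl), set(ips.split(","))))
    for answers in by_domain.values():
        answers.sort(key=lambda a: a[0])
    return dict(by_domain)


def flux_metrics(answers):
    """(distinct_ips, min_ttl, avg_turnover); turnover = share of an answer's IPs absent from the previous answer."""
    distinct = set()
    for _, _, ips in answers:
        distinct |= ips
    min_ttl = min(ttl for _, ttl, _ in answers)
    turnovers = [len(cur - prev) / len(cur)
                 for (_, _, prev), (_, _, cur) in zip(answers, answers[1:]) if cur]
    avg_turnover = sum(turnovers) / len(turnovers) if turnovers else 0.0
    return len(distinct), min_ttl, avg_turnover


def is_fast_flux(answers, max_ttl=300, min_distinct=10, min_turnover=0.5):
    """A low TTL alone is not evidence (CDNs use them too); require IP breadth and churn as well."""
    distinct, min_ttl, turnover = flux_metrics(answers)
    return min_ttl <= max_ttl and distinct >= min_distinct and turnover >= min_turnover


def flag_domains(lines, **thresholds):
    return sorted(d for d, a in parse_resolutions(lines).items() if is_fast_flux(a, **thresholds))


# Constructed resolver log: a fluxing name that returns five fresh IPs every minute, a CDN
# name with a low TTL but a stable three-address pool, and a static name with a day-long TTL.
BASE = 1500000000
SAMPLE_LOG = [
    "%d flux.example 60 %s" % (BASE + 60 * i, ",".join("203.0.113.%d" % (5 * i + j + 1) for j in range(5)))
    for i in range(4)
] + [
    "%d cdn.example 60 192.0.2.10,192.0.2.11,192.0.2.12" % (BASE + 60 * i) for i in range(4)
] + [
    "%d static.example 86400 198.51.100.5" % BASE,
]

if __name__ == "__main__":
    for domain, answers in parse_resolutions(SAMPLE_LOG).items():
        print(domain, flux_metrics(answers))
    print("flagged:", flag_domains(SAMPLE_LOG))
```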

Opportunity – In 2008, the ICANN Security and Stability Advisory Committee (SSAC) published a security advisory that made a number of mitigation recommendations to address fast flux DNS techniques. Among its findings and recommendations, the SSAC encouraged ICANN, registries, and registrars to consider the fast flux mitigation practices in the advisory.

48 Other methods may include social media message, alert to the TV via the set-top-box, direct deposit voicemail message, etc.
49 Georgia Tech Researchers, DNSChanger Remediation Study, Presentation to M3AAWG 27th General Meeting, San Francisco, CA (Feb. 19, 2013), available at https://www.m3aawg.org/sites/default/files/document/GeorgiaTech_DNSChanger_Study-2013-02-19.pdf (accessed June 20, 2017).
50 See Open Connectivity Foundation, available at https://openconnectivity.org/ (accessed June 20, 2017).
51 ICANN Security and Stability Advisory Committee (SSAC), SAC025 SSAC Advisory on Fast Flux Hosting and DNS (Mar. 2008), available at https://www.icann.org/en/system/files/files/sac-025-en.pdf (accessed June 20, 2017).

Since that time, advancements in machine learning have been applied to detecting botnets using fast flux DNS techniques. Advancements in the application of machine learning to detect botnets that are making changes to DNS entries enable automation and integration into botnet detection systems.

Insecure IoT Devices

Challenge – As discussed throughout this paper, the growing installed base of IoT devices is making such devices attractive targets for cyber criminals to infect with bot code. A good example is the recent Mirai botnet attack, in which unsecured, internet-connected IoT security cameras were infected to generate a massive DDoS attack. This is not a new phenomenon; the problem has been around for years, as for years, many consumer-grade home routers shipped with known vulnerabilities that have been exploited to generate large-scale DNS amplification attacks.

The types of known vulnerabilities52 found in many IoT devices on the market today include:

• Shipping IoT devices with out-of-date software containing known vulnerabilities and lacking the capability for an automated software update;

• Protection only by factory default or hard coded usernames and passwords;

• Unauthenticated communications;

• Unencrypted communications; and

• Lack of mutual authentication and authorization.

Insecure IoT devices present a unique challenge as once they are compromised it is often impossible for the end-user to detect that they have been compromised and, as noted earlier, it is difficult for a network service provider to notify the end-user that their device has been compromised. Even after the end-user is aware of the compromise, it is often impossible to remediate the problem due to either the lack of a software update and/or lack of automated software updates.

52 Broadband Internet Technical Advisory Group (BITAG), Internet of Things Security and Privacy Recommendations (Nov. 2016), available at http://bitag.org/documents/BITAG_Report_-_Internet_of_Things_(IoT)_Security_and_Privacy_Recommendations.pdf (accessed June 20, 2017).

Opportunity - IoT devices can be better secured through the use of network/path isolation.53 Network/path isolation techniques (VPNs, VLANs, policy based routing, network slicing, etc.) can be used to create independent logical traffic paths. These independent logical traffic paths ensure the IoT traffic can only reach the designated endpoints. This helps to mitigate the impacts of any malicious traffic that a compromised IoT device may send.

With the advances in network function virtualization (NFV) and SDNs, opportunities exist for IoT manufacturers to design devices to use network/path isolation techniques as part of their service. Additionally, opportunities exist for network service providers to offer network/path isolation as a service to IoT providers or end-users for their IoT devices.

Amplification Attacks

Challenge - An amplification attack is a type of DDoS attack that takes advantage of the fact that a small query such as a DNS query can generate a much larger response. When combined with source address spoofing, an attacker can direct a large volume of network traffic to a target system. The asymmetric nature of amplification attacks makes it the preferred choice for DDoS attacks. Amplification attacks often leverage UDP based protocols such as the DNS protocol, network time protocol (NTP), character generator (CharGEN), and quote of the day (QOTD). Approximately 15 internet protocols are susceptible to amplification attacks.54 Internet engineers developed an extension to the DNS protocol, called DNS Security (DNSSEC), to address DNS vulnerability to DNS cache poisoning. Unfortunately, a side effect of this fix is that the security extension to DNS makes the DNS responses much larger and helps to further amplify the attack.

The implementation of source address validation (SAV)55 as recommended in IETF BCP 38/84 prevents amplification attacks with spoofed source addresses. Although most large U.S. network service providers56 have implemented source address validation, approximately 30% of the overall IP address space is still spoofable.57

53 Cisco, Network Virtualization -- Path Isolation Design Guide (July 22, 2008), available at http://www.cisco.com/c/en/us/td/docs/solutions/Enterprise/Network_Virtualization/PathIsol.html (accessed June 20, 2017).
54 United States Computer Emergency Readiness Team (US-CERT), UDP-Based Amplification Attacks, Alert (TA14-017A) (Nov. 4, 2016), available at https://www.us-cert.gov/ncas/alerts/TA14-017A (accessed June 20, 2017).
55 SAV has been a best practice by ISPs for a long time (see IETF 2267 published in 1998), but due to the difficulty of implementing SAV in some commercial situations it may not be fully implemented across ISPs' networks.

Opportunity - The use of IP filtering or source address validation (SAV) as outlined in the IETF's best common practices (BCP) 38 and 84 for spoofed IP addresses is a proven technique to mitigate DDoS amplification attacks using spoofed source addresses.

TheMutuallyAgreedNormsforRoutingSecurity(MANRS)58isanindustry-ledefforttocodifya

setofsharedvaluesfornetworkoperatorsintoasetofdefinitionsandidealbehaviors.MANRSrecommendstheimplementationofanti-spoofingfilteringtopreventpacketswithincorrect

sourceIPaddressesfromenteringorleavingthenetwork.Todate,over45networkoperators

areparticipatinginMANRS.TheopportunityexiststogetthespoofableaddressspacetonearzerowitheverynetworkoperatorparticipatinginMANRS.
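The anti-spoofing filtering that BCP 38/84 and MANRS call for can be illustrated with a small model of an edge router's ingress check. The following is an added example and not code from the CSCC paper or from any vendor: it assumes a per-interface table of customer prefixes (the interface names, prefixes and packets below are constructed sample data) and accepts a packet only when its source address falls inside a prefix assigned to the customer attached to that interface; anything else is treated as spoofed and dropped.

```python
"""Source address validation (BCP 38) ingress filter, illustrated in Python.

Added example, not code from the CSCC paper. It models the check an edge
router performs on packets arriving from a customer-facing interface: the
packet is accepted only if its source address falls inside a prefix that
was assigned to that customer. Everything else is treated as spoofed and
dropped. Prefixes and packets below are constructed sample data.
"""
import ipaddress
from collections import Counter

# Constructed assignment table: interface name -> prefixes assigned to the
# customer attached to it (documentation ranges, not real customers).
CUSTOMER_PREFIXES = {
    "cust-a": [ipaddress.ip_network("192.0.2.0/24")],
    "cust-b": [ipaddress.ip_network("198.51.100.0/25"),
               ipaddress.ip_network("2001:db8:b::/48")],
}


def build_filter(assignments):
    """Return a function (interface, src_ip) -> bool implementing BCP 38.

    The parsed networks are prepared once so the per-packet check is just a
    handful of prefix comparisons, which is what keeps SAV cheap at the edge.
    """
    table = {iface: list(nets) for iface, nets in assignments.items()}

    def permit(interface, src_ip):
        try:
            addr = ipaddress.ip_address(src_ip)
        except ValueError:
            return False  # unparsable source address: drop
        # An IPv6 address never matches an IPv4 prefix (and vice versa).
        return any(addr in net for net in table.get(interface, []))

    return permit


def apply_sav(assignments, packets):
    """Classify (interface, src_ip) pairs; returns (forwarded, dropped) lists."""
    permit = build_filter(assignments)
    forwarded, dropped = [], []
    for interface, src in packets:
        (forwarded if permit(interface, src) else dropped).append((interface, src))
    return forwarded, dropped


# Constructed sample traffic. The last three packets carry source addresses
# that do not belong to the customer on that interface, which is the shape
# of spoofing that lets reflected responses land on a victim.
SAMPLE_PACKETS = [
    ("cust-a", "192.0.2.17"),
    ("cust-b", "198.51.100.9"),
    ("cust-b", "2001:db8:b::1"),
    ("cust-a", "203.0.113.5"),      # spoofed: not in cust-a's prefix
    ("cust-b", "198.51.100.200"),   # spoofed: outside the assigned /25
    ("cust-a", "2001:db8:b::1"),    # spoofed: address belongs to cust-b
]


def spoof_summary(assignments, packets):
    """Count dropped packets per interface, an operator-facing metric that
    shows which customer ports are emitting spoofed traffic."""
    _, dropped = apply_sav(assignments, packets)
    return dict(Counter(iface for iface, _ in dropped))


if __name__ == "__main__":
    fwd, drp = apply_sav(CUSTOMER_PREFIXES, SAMPLE_PACKETS)
    print("forwarded:", fwd)
    print("dropped:", drp)
    print("per-interface drops:", spoof_summary(CUSTOMER_PREFIXES, SAMPLE_PACKETS))
```

The per-interface drop counter is the part an operator would actually watch: a customer port that keeps producing drops is either misconfigured or hosting compromised hosts, and either way it is the place where the spoofed packets can still be stopped before they reach an amplifier.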

Network-to-Network Coordinated Network Management

Challenge - Although network management may sound simple and desirable, it is not without challenges, especially given the negative impact on internet end-users. Ideally botnet mitigations would be fast and directed at the source of the attack. Advancements in how networks are architected using SDNs and the use of automated M2M sharing of cyber threat indicators start to make it technically viable for network operators to automate the coordination of their botnet mitigations and reduce the response time to when either a malicious bot is detected on a network or a botnet is initiating an attack. But there are challenges, ranging from technical to contractual and policy issues.

The technical challenges include both detection and mitigation. Without a source of ground truth for what is and isn’t botnet traffic, given botnet traffic is often designed to look like normal internet traffic, there is the potential for false positives. Even with a source of ground truth, botnet mitigation methods will vary from network to network due to inherent differences in how the networks are designed and built, as well as the differences in service level agreements between network service providers and their customers.

56 MANRS, Participants (Mar. 6, 2015), available at https://www.routingmanifesto.org/participants/ (accessed June 20, 2017).
57 Center for Applied Internet Data Analysis, State of IP Spoofing, available at https://spoofer.caida.org/summary.php (accessed June 20, 2017).
58 MANRS, Mutually Agreed Norms for Routing Security (MANRS) Document (Sept. 8, 2016), available at http://www.routingmanifesto.org/manrs/ (accessed June 20, 2017).

Blindly mitigating botnets through the use of automation is fraught with risks. There are many cases where a command and control server is not owned or completely under the control of the bot operator, such as: 1) shared server DNS, 2) shared IPs, and 3) public websites.59 Blindly applying a botnet mitigation method such as filtering the IP address would prevent all the services that share the resource (e.g., DNS, shared server, or service) from being accessible. The challenge is not limited to shared resources. Without full knowledge of the service level agreement in place between the network service provider and customer, a network service provider cannot blindly filter the traffic to that end-point.

In addition, within the telecom/ISP industry there is an emerging trend toward the adoption of SDN, which is still in its infancy, but generally describes the automation of management and orchestration of network assets and services. Typically, this includes the coupling of big data frameworks that leverage advanced analytics and machine learning to serve as feedback loops for these SDN-driven networks to predict, recommend, and prescribe in an effort to improve responsiveness and resilience of their assets and services. Such implementations vary widely in terms of capability and maturity across providers, and in most cases reflect highly protected intellectual property that provides a uniquely competitive experience and offerings. Nevertheless, such an ecosystem could be used as an attack mitigation strategy.

Deployment of SDN and these tools is well beyond the conceptual stages; it is the complexity and cost of global implementation across highly heterogeneous networks that stand as obstacles to providers’ speed in implementing them.

Opportunity – Better collaboration and coordination can reduce the time that it takes to respond to cyber threats. As mentioned earlier, industry is developing solutions such as the IETF DOTS, M3AAWG DDoS SIG’s information sharing pilot, and an information sharing pilot being led by CTIA that will reduce the response time by sharing “actionable” cyber threat information. In addition, as threat information sharing platforms mature in their capabilities, this will aid in reducing network operators’ response time.

The key for any successful coordinated network management against botnets is close, trusted collaboration and communications between stakeholders.

59 Public websites include sites like Twitter, Amazon AWS, Google Cloud, and Rapidshare.

Industry Recommendations

This paper sets forth some of the problems presented by bots and botnets and the challenges and opportunities facing the owners and operators of broadband networks. The following section focuses on the preliminary recommendations that may be actionable by not only network service providers but the entire internet ecosystem to help reduce the threats from botnets using existing technology. The preliminary recommendations here are from the CSCC’s perspective. There is a need to discuss best practices and capabilities for all segments of the ecosystem including software developers along with cloud, hosting, and application infrastructure providers.

Attack Mitigation

• Encourage continued migration to all IPv6.

The broad use of IPv6 will allow devices to have a unique address and can make it easier to track down the source of malicious traffic under certain circumstances.

• Ensure that shared cyber threat information is actionable and tailored to meet the needs of recipients.

Cyber threat information that is shared between internet stakeholders needs to be actionable by the recipients. Information sharing pool participants should tailor the information they share with their peers to be actionable.

• Include pre-negotiated provisions for traffic filtering in transit and peering agreements.

Network service operators of all sizes (ISPs, enterprises, governments, educational institutions, etc.) and end-users should ensure they have provisions in place with their internet transit providers and peering networks to provide for upstream filtering and scrubbing of malicious traffic.

• Streamline the law enforcement botnet takedown process.

Law enforcement can play a key role in neutralizing botnets. Efforts are necessary to streamline the law enforcement process to increase the speed and efficacy of law enforcement botnet takedowns.

• Encourage ICANN, registries, and registrars to adopt the fast flux mitigation techniques in SAC025 SSAC Advisory on Fast Flux Hosting and DNS.

The internet ecosystem should encourage ICANN, registries, and registrars to consider and adopt the fast flux mitigation techniques in the SSAC advisory.

• Adapt and apply machine learning to the detection of botnets.

The internet ecosystem should move away from manually reverse engineering botnet domain generation algorithms and begin applying machine learning to automate the real-time detection of botnets using fast flux, encryption, and other techniques to mask their infrastructure.
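The last two recommendations above (fast flux mitigation and automated detection in place of hand reverse-engineering of domain generation algorithms) both rest on the same observation: fast-flux and DGA domains look different from ordinary ones in passive DNS data. The following is an added example, not code from the CSCC paper, the SSAC advisory or any product. It assumes passive-DNS records of the form (queried name, answer address, TTL) and shows the features a detector would derive from them, with a simple rule set standing in for the classifier that a machine-learning deployment would train on the same features. The domains, addresses, TTLs and thresholds are constructed for illustration.

```python
"""Feature extraction for fast-flux and DGA-style domain detection.

Added example, not code from the CSCC paper. It shows the kind of signals a
detector (rule-based here, or fed into a machine-learning classifier) derives
from passive DNS observations, instead of hand reverse-engineering each
botnet's domain generation algorithm. All domains, TTLs and addresses below
are constructed sample data; the thresholds are illustrative assumptions.
"""
import math
from collections import Counter, defaultdict

# Constructed passive-DNS observations: (qname, answer_ip, ttl_seconds).
# The first domain resolves to many addresses in several /24s with tiny TTLs
# (fast-flux shape); the second has a random-looking label (DGA shape); the
# third is an ordinary domain with one stable answer and a long TTL.
OBSERVATIONS = [
    ("update.example", "198.51.100.10", 60),
    ("update.example", "198.51.100.77", 60),
    ("update.example", "203.0.113.8", 45),
    ("update.example", "203.0.113.90", 30),
    ("update.example", "192.0.2.140", 60),
    ("update.example", "192.0.2.201", 60),
    ("xk7qzvb2mlp9rw4ht.example", "203.0.113.44", 3600),
    ("www.example", "192.0.2.1", 86400),
    ("www.example", "192.0.2.1", 86400),
]


def shannon_entropy(label):
    """Bits of entropy per character of a label; random strings score high."""
    if not label:
        return 0.0
    counts = Counter(label)
    n = len(label)
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def domain_features(observations):
    """Aggregate per-domain features from (qname, ip, ttl) records."""
    ips = defaultdict(set)
    ttls = defaultdict(list)
    for qname, ip, ttl in observations:
        ips[qname].add(ip)
        ttls[qname].append(ttl)
    feats = {}
    for qname in ips:
        label = qname.split(".")[0]
        # Distinct /24s as a cheap proxy for how spread out the hosts are;
        # a real deployment would map addresses to ASNs instead.
        nets = {ip.rsplit(".", 1)[0] for ip in ips[qname]}
        feats[qname] = {
            "distinct_ips": len(ips[qname]),
            "distinct_24s": len(nets),
            "min_ttl": min(ttls[qname]),
            "label_entropy": round(shannon_entropy(label), 3),
            "label_len": len(label),
        }
    return feats


# Illustrative thresholds (assumptions, not values from the paper).
FLUX_MIN_IPS = 5
FLUX_MAX_TTL = 300
FLUX_MIN_24S = 2
DGA_MIN_ENTROPY = 3.6
DGA_MIN_LEN = 12


def classify(features):
    """Return {domain: set of flags} using simple rules over the features."""
    flags = {}
    for qname, f in features.items():
        tags = set()
        if (f["distinct_ips"] >= FLUX_MIN_IPS and f["min_ttl"] <= FLUX_MAX_TTL
                and f["distinct_24s"] >= FLUX_MIN_24S):
            tags.add("fast-flux")
        if f["label_len"] >= DGA_MIN_LEN and f["label_entropy"] >= DGA_MIN_ENTROPY:
            tags.add("dga-like")
        flags[qname] = tags
    return flags


if __name__ == "__main__":
    for domain, tags in classify(domain_features(OBSERVATIONS)).items():
        print(domain, sorted(tags) or ["no flags"])
```

The rules are deliberately crude (short English labels also have fairly high entropy, which is why the length floor is needed); the point is that the feature vector per domain is what a trained model would consume, so the work of reverse-engineering a specific DGA is replaced by collecting passive DNS and labelling examples.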

Endpoint Prevention

• Ensure all end-points including IoT devices adhere to industry developed security standards.

Multiple industry-led efforts are underway to develop security standards for IoT devices. IoT device manufacturers and IoT service providers should work to ensure all IoT devices adhere to their respective industry security standards and best practices for IoT security.

• Ensure end-points are running up-to-date software.

As the saying goes, “an ounce of prevention is worth a pound of cure.” This applies to consumer/customer end-points as well. Ensuring that all end-points (desktops, mobile, IoT, etc.) are running up-to-date software with the latest security patches and updates will help tremendously in reducing the number of infected and compromised end-points on the internet.

• IoT devices should use network isolation and/or network-based filtering techniques for any communications to cloud-based services.

Network isolation and/or network-based filtering are proven techniques for reducing the ability of a rogue internet end-point to do harm.60 IoT device manufacturers and IoT service providers should design their products and services to make use of these techniques.

Conclusion

Cybersecurity is a shared responsibility. Securing the internet from threats from botnets requires the collaboration and cooperation of all members of the internet ecosystem, both domestically and internationally. The preliminary recommendations in this paper represent just some of the many ways that botnet threats and their capacity for harm can be reduced through broad engagement by the stakeholders.

About the Authors

Matt Tooley is the Vice President of Broadband Technology at NCTA – The Internet and Television Association. He is a member of the Communications Sector Coordinating Council’s Executive Committee. Tooley has over 30 years of experience in the broadband industry in developing and deploying broadband technology for internet service providers.

This paper includes key contributions from AT&T, CenturyLink and Cox Communications.

60 BITAG, Internet of Things (IoT) Security and Privacy Recommendations (Nov. 2016) at Sec. 6 (discussing “A possible role for in-home network technology”), available at http://bitag.org/documents/BITAG_Report_-_Internet_of_Things_(IoT)_Security_and_Privacy_Recommendations.pdf (accessed June 20, 2017).

Appendix A - Cyber Threat Reports

Top 10 Worst Botnet Countries

Rank  Country                     Number of Bots
1     China                       1,375,637
2     India                         958,814
3     Russian Federation            569,463
4     Brazil                        429,942
5     Vietnam                       380,639
6     Iran, Islamic Republic Of     242,909
7     Argentina                     177,701
8     Thailand                      173,027
9     Mexico                        145,516
10    C?*                           141,684

Source: Spamhaus as of June 29, 2017. https://www.spamhaus.org/statistics/botnet-cc/

* Spamhaus reports the tenth country on this list as “C?.”

Top 10 Botnet Traffic Attacking Countries

Rank  Country          Percentage of Attack Traffic
1     China            50.8%
2     South Korea      10.8%
3     United States     7.2%
4     Egypt             3.2%
5     Hong Kong         3.2%
6     Vietnam           2.6%
7     Taiwan            2.4%
8     Thailand          1.6%
9     United Kingdom    1.5%
10    Turkey            1.4%

Source: Incapsula Global DDoS Threat Landscape Q1 2017. https://www.incapsula.com/ddos-report/ddos-report-q1-2017.html

Top Countries by % of Countries’ IP Addresses Participating in DDoS Attacks, Q1-Q4 201661

Each cell gives the country, the % of the country’s IP addresses, and (in parentheses) the number of source IPs.

Q1 2016                         Q2 2016                         Q3 2016                         Q4 2016
Turkey 0.282% (43,400)          Vietnam 0.130% (20,244)         U.K. 0.036% (44,460)            Russia 0.078% (33,211)
Brazil 0.075% (36,472)          China 0.093% (306,627)          Brazil 0.025% (81,276)          U.K. 0.059% (72,949)
China 0.035% (115,478)          Taiwan 0.081% (28,546)          China 0.025% (81,276)           Germany 0.042% (49,408)
South Korea 0.028% (31,692)     Canada 0.026% (20,601)          France 0.025% (23,980)          China 0.014% (46,783)
U.S. 0.005% (72,598)            U.S. 0.006% (95,004)            U.S. 0.004% (59,350)            U.S. 0.012% (180,652)

Sources:

Akamai’s State of the Internet Security Q4 2016 report. https://www.akamai.com/us/en/multimedia/documents/state-of-the-internet/q4-2016-state-of-the-internet-security-report.pdf

Wikipedia contributors, "List of countries by IPv4 address allocation," Wikipedia, The Free Encyclopedia, https://en.wikipedia.org/w/index.php?title=List_of_countries_by_IPv4_address_allocation&oldid=776891748 (accessed July 17, 2017).

61 The number of source IPs participating in DDoS attacks is from the Akamai State of Internet Security Report Q4 2016 report. The data has been normalized for the percent of a country’s assigned IPv4 addresses from IANA data at the time of the writing of this paper. The percentages may vary some from the time of the Akamai report.

Appendix B – Threats from Botnets

Click Fraud

Websites are often paid for by advertisers. Advertisers pay by the number of “clicks” or visits to the advertiser’s website. If a website or advertising broker is able to generate a perception that many people are visiting an ad, it compels the advertiser to pay for each of those visits. One way to generate lots of clicks is to command a botnet to generate those visits.

Email spam, phishing email, or malware email

Botnets are often used to originate unsolicited bulk email, which may also include distribution of malware of various types such as ransomware, links to phishing sites, and malware associated with bots. Botnets can also be used to send more mundane unsolicited sales propaganda.

Unauthorized Network Gateway

Bots within a protected network boundary such as an enterprise network can become unauthorized gateways into the protected boundary, and can be used to gain access to other resources (data or computers) within the protected boundary (aka lateral movement).

Data Theft

Bots can steal data from infected devices through means such as network monitoring, key logging, or scraping data from memory or disk. This is frequently accomplished because many bot members sit within private and enterprise networks next to assets containing the valuable data. A great amount of data theft today is accomplished with “Spear Phishing”62 attacks where valid-looking emails are sent to a person at a company and that email is used to steal intellectual property or banking information, or to host malware. A typical attack may consist of the “bad guy” sending an email to an administrative assistant or other lower level employee that looks like it came from a senior executive, whereby the “executive” is asking for the email recipient to reset a password because an “invoice needs to be paid” today. The recipient will reset the password using obfuscated links containing malware in the email. This allows the infection to begin, and the installed APT (Advanced Persistent Threat) software conducts illegal activities.

62 Federal Bureau of Investigation (FBI), Spear Phishers (Apr. 1, 2009), available at https://archives.fbi.gov/archives/news/stories/2009/april/spearphishing_040109 (accessed July 17, 2017).

Illicit Content Distribution

Bots are sometimes connected to peer-to-peer file sharing networks to help store and distribute illegal content.

Brute force password guessing

Botnets are used for brute force password guessing. One method uses high speed password guessing attempts using a random password algorithm, a password dictionary or a predefined password list. First, brute forcing can be used by an individual bot member as a recruitment method to infect other devices by scanning for any assets with a known open exposed port and then implementing one of the brute force methods explained to “guess” the password. Second, it can be used by a bot or botnet to brute force an intended target’s login credentials to gain access to the privilege or data the credential provides.

Processing Theft (e.g., Bitcoin mining)

Due to the number of bot members typically seen in botnets, and the rising price of cryptocurrency (e.g. Bitcoin), botnets are very frequently seen being used to “mine” for coins. The process for mining Bitcoins requires the solving of very complex math equations which, when solved, award the miner a set number of coins. In order to be successful, a miner needs a tremendous amount of computing power to solve these equations in the least amount of time. This is where a botnet can be extremely useful. By harnessing the computing power of a large number of bots and “commanding” those bots to act as miners, the botnet owner can use the combined processing of many bots to make Bitcoin mining very lucrative.

Botnets have also been used to harness the computing power of the infected devices in order to perform Bitcoin mining or other activities for the benefit of the malicious actors running the botnet and not the legitimate owners of the computing resources.

Glossary

AIS – Automated Indicator Sharing. The Department of Homeland Security (DHS) operates a free service for the exchange of cyber threat indicators.

Bot – A program that is installed on a system in order to enable that system to automatically (or semi-automatically) perform a task or set of tasks, typically under the command and control of a remote administrator (aka botmaster or bot herder).

Botnet – A network of internet-connected end-user computing devices infected with bot malware, which are remotely controlled by third parties for nefarious purposes.

Command & Control (C&C) – A remote computer used to coordinate the actions of bots.

CTI – Cyber Threat Indicator is the information that is necessary to describe or identify an attribute of a cybersecurity threat.

DDoS – Distributed Denial of Service attack is an attempt to make an online service unavailable by overwhelming it with traffic from multiple sources.

DNS – Domain Name System is the hierarchical decentralized naming system for resources connected to the internet.

DNS Water Torture – An attack type where many end-points send queries for a victim’s domain with a random string prepended to the domain, overwhelming the victim’s authoritative DNS server and making the victim’s domain inaccessible.
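The water torture pattern just defined is visible in a resolver’s or authoritative server’s query log: one zone suddenly receives queries whose leftmost label never repeats, most of them answered NXDOMAIN, from many distinct clients. The following is an added example, not code from the CSCC paper or from any DNS product, that scores zones on exactly those three signals. The log format (“client qname rcode” per line), the zone names, the client addresses and the thresholds are constructed assumptions for illustration.

```python
"""Detecting a DNS water torture (random-subdomain) flood from query logs.

Added example, not code from the CSCC paper. A resolver or authoritative
server operator can spot this attack because one zone suddenly receives a
flood of queries whose leftmost label never repeats and mostly results in
NXDOMAIN, from many end-points. The log lines below are constructed; the log
format, thresholds and the zone names are assumptions for illustration.
"""
from collections import defaultdict

# Constructed query log: "<client> <qname> <rcode>" per line.
SAMPLE_LOG = """\
198.51.100.1 www.victim.example NOERROR
198.51.100.2 kq3f9z.victim.example NXDOMAIN
203.0.113.7 zz81pq.victim.example NXDOMAIN
203.0.113.9 a0vmc4.victim.example NXDOMAIN
198.51.100.3 x7hh2b.victim.example NXDOMAIN
192.0.2.44 p9ql0w.victim.example NXDOMAIN
192.0.2.45 mm4e7r.victim.example NXDOMAIN
198.51.100.1 www.victim.example NOERROR
203.0.113.7 mail.victim.example NOERROR
198.51.100.9 www.shop.example NOERROR
198.51.100.9 www.shop.example NOERROR
192.0.2.10 cdn.shop.example NOERROR
"""


def parse_log(text):
    """Yield (client, qname, rcode) tuples, skipping malformed lines."""
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 3:
            continue
        client, qname, rcode = parts
        yield client, qname.lower().rstrip("."), rcode.upper()


def zone_of(qname, zone_depth=2):
    """Return the last `zone_depth` labels. Assumes zones sit at that depth;
    a real deployment would consult the public suffix list instead."""
    return ".".join(qname.split(".")[-zone_depth:])


def zone_stats(records):
    """Per zone: total queries, distinct leftmost labels, NXDOMAIN count, clients."""
    stats = defaultdict(lambda: {"queries": 0, "labels": set(),
                                 "nxdomain": 0, "clients": set()})
    for client, qname, rcode in records:
        s = stats[zone_of(qname)]
        s["queries"] += 1
        s["labels"].add(qname.split(".")[0])
        s["clients"].add(client)
        if rcode == "NXDOMAIN":
            s["nxdomain"] += 1
    return stats


# Illustrative thresholds (assumptions): flag a zone when most queries are
# for never-repeated labels, most answers are NXDOMAIN, and several distinct
# clients take part (the "many end-points" in the definition above).
MIN_QUERIES = 5
MIN_UNIQUE_LABEL_RATIO = 0.7
MIN_NXDOMAIN_RATIO = 0.6
MIN_CLIENTS = 3


def detect_water_torture(log_text):
    """Return {zone: summary dict} for zones that look under attack."""
    suspects = {}
    for zone, s in zone_stats(parse_log(log_text)).items():
        if s["queries"] < MIN_QUERIES:
            continue  # too little data to judge
        unique_ratio = len(s["labels"]) / s["queries"]
        nx_ratio = s["nxdomain"] / s["queries"]
        if (unique_ratio >= MIN_UNIQUE_LABEL_RATIO
                and nx_ratio >= MIN_NXDOMAIN_RATIO
                and len(s["clients"]) >= MIN_CLIENTS):
            suspects[zone] = {
                "queries": s["queries"],
                "unique_label_ratio": round(unique_ratio, 2),
                "nxdomain_ratio": round(nx_ratio, 2),
                "clients": len(s["clients"]),
            }
    return suspects


if __name__ == "__main__":
    print(detect_water_torture(SAMPLE_LOG))
```

On a resolver the same statistics point at the mitigation the definition implies: once a zone is flagged, the resolver can rate-limit or negatively cache queries for that zone so the victim’s authoritative servers stop receiving the random-label traffic, while legitimate names that already resolved keep being served from cache.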

DOTS – DDoS Open Threat Signaling is a method by which a device or application participating in DDoS mitigation may signal information related to current threat handling to other devices or applications.

ICANN – Internet Corporation for Assigned Names and Numbers is the nonprofit organization responsible for coordinating the maintenance and procedures of the internet’s namespace.

IRC - Internet Relay Chat is an internet protocol that facilitates communicating in text using a client/server architecture.

IoT - Internet of Things is the umbrella term to reference the technological development in which a greatly increasing number of devices are connected to one another and/or to the Internet.

IPv4 – Internet Protocol version 4 is the fourth version of the Internet Protocol (IP). IPv4 is one of the core protocols and still routes most Internet traffic today.

IPv6 – Internet Protocol version 6 is the sixth version of the Internet Protocol (IP). IPv6 is the most recent version and was developed to address the anticipated problem of IPv4 address exhaustion. IPv6 is intended to replace IPv4.

Kill Chain – Idea put forth by Lockheed Martin to describe the phases of a targeted cyber-attack: 1) reconnaissance, 2) weaponization, 3) delivery, 4) exploit, 5) installation, 6) command & control, and 7) actions.

NAT – Network Address Translation is a method for remapping one IP address space into another by modifying the address in the IP packet headers to allow multiple end-points to share one address while they transit a network router.

Network Service Provider – A network service provider or operator is any enterprise that is operating a network that has an assigned autonomous system number (ASN).

Peering – Peering is the voluntary interconnection of two separated networks for the purpose of exchanging traffic between users on each network.

Peer-to-Peer (P2P) – Traditionally botnet clients communicate to a C&C server for commands. P2P botnets operate without a C&C server, where each bot is both a client and a server.

Software Defined Networking (SDN) – An approach to computer networking that allows for the programmatic control of network behavior using open interfaces and decoupling the packet forwarding plane from the control plane to allow for the use of standard servers and Ethernet switches to provide the routing function instead of specialized routers.

SSAC – The Security and Stability Advisory Committee advises the ICANN community and Board on matters relating to security and integrity of the internet’s naming and address allocation systems.

Tarpit – A tarpit is a computer that purposely delays incoming connections. It is a defensive measure to make spamming and network scanning slower. It is analogous to a tar pit in which animals can get bogged down and slowly sink under the surface.

Transit – Internet transit is the service of allowing network traffic to “transit” a network to reach another network. Small network operators and enterprises buy Internet transit to gain access to the Internet.