A Secure Contained Testbed for Analyzing IoT Botnets
Ayush Kumar, Teng Joon Lim

TL;DR
This paper presents a secure, contained IoT botnet testbed built on DETERlab, designed to evaluate IoT malware and develop mitigation strategies, addressing unique challenges of IoT environments.
Contribution
It introduces a novel IoT-specific botnet testbed with ancillary services, highlighting unique challenges and demonstrating its capabilities through experiments.
Findings
Testbed effectively simulates IoT botnet behavior
Addresses unique IoT security challenges
Provides a platform for evaluating mitigation techniques
Abstract
Many security issues have come to the fore with the increasingly widespread adoption of Internet-of-Things (IoT) devices. The Mirai attack on Dyn DNS service, in which vulnerable IoT devices such as IP cameras, DVRs and routers were infected and used to propagate large-scale DDoS attacks, is one of the more prominent recent examples. IoT botnets, consisting of hundreds-of-thousands of bots, are currently present "in-the-wild" at least and are only expected to grow in the future, with the potential to cause significant network downtimes and financial losses to network companies. We propose, therefore, to build testbeds for evaluating IoT botnets and design suitable mitigation techniques against them. A DETERlab-based IoT botnet testbed is presented in this work. The testbed is built in a secure contained environment and includes ancillary services such as DHCP, DNS as well as botnet…
Taxonomy
Topics: Network Security and Intrusion Detection · Advanced Malware Detection Techniques · Smart Grid Security and Resilience
